1 Introduction
Nakamoto consensus [20], the elegant blockchain protocol that underpins many cryptocurrencies, achieves consensus in a setting where nodes can join and leave the system without getting permission from a centralized authority. Instead of depending on the identity of nodes, it achieves consensus by incorporating computational puzzles called proofofwork [9] (also known as mining) and using a simple longestchain protocol.^{1}^{1}1We use ”longest chain” to mean the one with the most proofofwork given difficulty adjustments, not necessarily the one with the most blocks, though without considering difficulty adjustments they are the same. Nodes in a network maintain a local copy of an appendonly ledger and gossip messages to add to the ledger, collecting many into a block. A block consists of the set of records to add, a pointer to the previous block in the node’s local copy of the ledger, and a nonce, which is evidence the node has done proofofwork, or solved a computational puzzle of sufficient difficulty, dependent on the block. The node then broadcasts its local chain to the network. Honest nodes choose a chain they see with the most proofofwork to continue building upon.
Previous work defined correctness and liveness in proofofwork protocols (also referred to as the Bitcoin backbone) using three properties: commonprefix, chainquality, and chaingrowth [12, 15, 22]. Informally, commonprefix indicates that any two honest nodes share a common prefix of blocks, chaingrowth is the rate at which the common prefix grows over time, and chainquality represents the fraction of blocks created by honest nodes in a chain. In previous work, achieving these properties critically relied on the setting of the difficulty factor in the computational puzzles. We express this as
, the probability that any node will solve the puzzle in a given round. Previous work analyzing Nakamoto consensus has shown that for consistency and liveness
should be very small in relation to the expected network delay and the number of nodes [12, 22]. For example, mining difficulty in Bitcoin is set so that the network is only expected to find a puzzle solution roughly once every ten minutes.Requiring a small increases block time, removing a parameter for improving transaction throughput. One way to compensate is by increasing block size, which could result in burstier network traffic and longer transaction confirmation times for users. Newer chains which do not use proofofwork seem to favor short block times, probably because users value a fast first block confirmation: in EOS, blocks are proposed every 500 milliseconds [10] and Algorand aims to achieve block finality in 2.5 seconds [19], whereas in Bitcoin blocks only come out every ten minutes.
Common belief is that larger fundamentally constrains chain growth (i.e., the growth of the common prefix), even in the absence of an adversary, due to the potential of increased forking: nodes will find puzzle solutions (and thus blocks) at the same time; because of the delay in hearing about other nodes’ chains nodes will build on different chains, delaying agreement. Another common conjecture, explicitly mentioned in [12], is that the choice of symmetrybreaking strategies, or ways honest nodes choose among multiple longest chains, is not relevant to correctness.
In this paper, we show that these common beliefs are incorrect. In particular, we show that when is beyond the wellstudied region even the simple strategy of choosing among chains of equal length randomly fosters chain growth, especially in the absence of adversaries.
Contributions. In this work, we formally analyze Nakamoto consensus under a wide range of including large . We confirm previous (informal) analysis that Nakamoto consensus requires small in the presence of adversaries, but show that surprisingly, it does not in a setting without adversaries, even if (all nodes mine blocks every round) with a minor change in nodes’ symmetrybreaking strategy. Previous work assumed the requirement of convergence opportunities, a period when only one honest node mines a block, in order to achieve consistency [22, 18]; we show that in fact convergence opportunities are not required for commonprefix and chain growth. With an additional backwardscompatible modification to Nakamoto consensus, we can derive a bound on the chain growth for a wider range of (including large ) in a setting with adversaries. Our key idea in this modification is to introduce a verifiable delay function [5] to prevent the adversaries from extending a chain by multiple blocks in a round. Our analysis is based on a new application of a wellknown technique, coalescing random walks. To our knowledge this is the first application of coalescing random walks to analyze the commonprefix and chain quality of Bitcoin and other proofofwork protocols. We thoroughly analyze Nakamoto consensus with the uniformlyatrandom symmetrybreaking strategy and discuss different symmetrybreaking strategies including firstseen, lexicographicallyfirst, and globalrandomcoin.
In summary, our contributions are as follows:

A new approach for analyzing the confirmation time of the Bitcoin protocol under the uniformlyatrandom symmetrybreaking strategy in the adversarialfree setting via coalescing random walks. Our analysis works for a new region of , and shows that previous works’ requirement for convergence opportunities was unneeded.

New notions of adversarial advantages and coalescing opportunities to provide a more general analysis of commonprefix and chain growth in Nakamoto consensus in the presence of adversaries.
Related Work. Proofsofwork were first put forth by Dwork and Naor [9]. Garay, Kiayias, and Leonardas [12] provided the first thorough analysis of Nakamoto’s protocol in a synchronous static setting, introducing the ideas of commonprefix, chain quality and chain growth. Later work [15] extended the analysis to a variable difficulty function. Pass, Seeman, and shelat [22] extended the idea of commonprefix to future selfconsistency, and provided an analysis of Nakamoto consensus in the semisynchronous setting with an adaptive adversary. Several additional papers used this notion of future selfconsistency [18, 30]. [22, 18] relied on convergence opportunities, or rounds where only one node mines a block, to analyze chain growth. In this work we show that convergence opportunities are not required for chain growth, and relying on them underestimates chain growth with high ; in the adversaryfree setting we show chain growth even with (no convergence opportunities; all nodes mine a block every round). Other work considered the tradeoffs between chain growth and chain quality [24, 22, 17, 15, 29]; however, to the best of our knowledge, none of these works considered different symmetry breaking strategies to enable faster chain growth while maintaining chain quality. In our paper, we thoroughly explore this domain. Another line of work [11, 27] considers how the uniformlyatrandom symmetry breaking strategy affects incentivecompatible selfish mining attacks; our analysis applies to general attacks.
Random walks have been used to analyze the probability of consistency violations in proofsofstake protocols [3]; ours is the first work that uses coalescing random walks to analyze the commonprefix and chain quality of Bitcoin and other proofofwork protocols.
2 Model and Definitions
In this section, we present the specific model we use and briefly describe the Bitcoin cryptosystem. We follow the formalization presented in [15, 18, 22].
Network and Computation Model. Following previous work [12, 15, 14, 22, 26, 30], we consider a synchronous network where nodes send messages in synchronous rounds, i.e., ; equivalently, there is a global clock and the time is slotted into equal duration rounds. Each node has identical computing power. Notably, the synchronous rounds assumption is significantly more relaxed than assuming .^{2}^{2}2In fact, the analysis based on Poisson race [21, 2] essentially assumes all mined blocks can be ordered in a globally consistent way, i.e., , which does not hold in our synchronous network model. Our model operates in the permissionless setting. This means that any miner can join (or leave) the protocol execution without getting permission from a centralized or distributed authority. For ease of exposition, we assume the number of participants remains . Our results can be easily generalized to handle perturbation in the population size by a stochastic dominance argument as long as the population size does not deviate too far from , and the proportion of Byzantine participants does not increase due to the perturbation.
Adversary Model. Throughout this paper, we assume that all Byzantine nodes are controlled by a probabilistic polynomial time (PPT) adversary that can coordinate the behavior of all such nodes. operates in PPT which means they have access to random coins but can only use polynomial time to perform computations. At any time during the run of the protocol, can corrupt up to nodes at any point in time where is a parameter that is an input to the protocol. The corrupted nodes remain corrupted for the remainder of the protocol. Finally, cannot modify or delete the messages sent by honest nodes, but can read all messages sent over the network and arbitrarily order the messages received by any honest nodes.
2.1 Bitcoin Cryptosystem
A blockchain protocol is a stateful algorithm wherein each node maintains a local version of the blockchain . Each honest node runs its own homogeneous version of the blockchain protocol. Nodes receive messages from the environment , where is the security parameter chosen based on the population size . The environment is responsible for all the external factors related to a protocol’s execution. For example, it provides the value of to the nodes. Detailed description of the environment can be found in [22].
The protocol begins by having the environment initialize nodes. The protocol proceeds in synchronous rounds; at each round , each node receives a message from . In each round, an honest node attempts to mine a block containing its message to add to its local chain. We provide formal definitions of the Bitcoin cryptosystem below.
Blocks and Blockchains
A blockchain for some is a chain of blocks. Here is a predetermined genesis block that all chains
must build from.
A block , for , is a triple
where are three binary strings of arbitrary length.
Specifically, is used to indicate this block’s
predecessor, is the text of the block containing the
message (e.g. transactions) and other metadata, and is a nonce chosen by a node.
ProofsofWork
The Bitcoin cryptosystem crucially uses nonces
as proofsofwork for determining whether a block can
be legally added to a chain.^{3}^{3}3Note that in practice, the nonce is effectively concatenated with a miner’s public key (included in the coinbase transaction) to ensure unique queries.
The public key does not need to be verified.
Importantly, this means that the miner can just generate a
pair on their local computer without the need to
verify that identity with a thirdparty authority.
Proofofwork (PoW) is rigorously defined in previous work [12, 15, 14, 22, 26, 30] based on the use of the random oracle model.
Definition 1 (Random Oracle Model).
A random oracle on input outputs a value selected uniformly at random from if has never been queried before. Otherwise, it returns the previous value returned when was queried last.
Definition 2 (Bitcoin PoW).
All nodes access a common random oracle . We say a node successfully performs a PoW with proof if .
Definition 3 (Valid Chain).
A blockchain is valid with respect to a given puzzle difficulty level if the following hold: (1) and for ; and (2) for .
Longest Chain Rule
The length of a valid chain is the number of blocks it contains. We refer to the local version of the blockchain kept by node as the local chain at node , denoted by . In each round , node tries to mine a block via solving a PoW puzzle with the specified difficulty . If a block is successfully mined, then node extends its local chain with this block and broadcasts its updated local chain to all other nodes in the network, which will be delivered at each node at the beginning of the next round. At the beginning of the next round, before working on PoW, node updates its local chain to be the longest chain it has seen. If there are many longest chains, node chooses one of them uniformly at random.
For ease of exposition, henceforth, is referred to the local chain at the end of a round; is the local chain of node at the end of round . Equivalent to using the difficulty parameter , one can instead consider . The notion of used in lieu of has been considered in [12, 15, 14, 18, 22, 26] to simplify notation. Henceforth, we will quantify the algorithm performance in terms of rather than and .
We use the phrase with overwhelming probability throughout this paper. With overwhelming probability is defined as with probability at least for any constant . We use the phrase with all but negligible probability in to mean that the probability is upper bounded by some negligible function on (defined in Definition 4).
Definition 4 (Negligible Probability).
A function is negligible if for every polynomial , there exists an such that for all integers , it holds that . We denote such a function by . An event that occurs with negligible probability occurs with probability .
2.1.1 Properties of the Protocol
In this paper, we will analyze the Nakamoto consensus in terms of two characteristics (generalized from definitions in [12, 18, 30]). The common prefix is defined as a subchain that is a common prefix of the local chains of all honest nodes at the end of a round. The two properties maximal common prefix and maximal inconsistency are defined intuitively as: the maximal prefix that is the same across all honest chains and the maximal number of blocks in any honest chain that is not shared by all other honest chains, respectively.
Property 5 (Maximal commonprefix and maximal inconsistency).
Given a collection of chains that are kept by honest nodes, the maximal commonprefix of chain set , denoted by , is defined as the longest commonprefix of chains . The maximal inconsistency of , denoted by , is defined as
(1) 
where is the subchain of after removing the prefix and denotes the length of the chain, i.e., the number of blocks in the chain.
3 Fundamental Limitations of Existing Approaches
To the best of our knowledge, existing work assumes extremely small . In fact, the seemingly mild honest majority assumption in [13, 23] also implicitly assumes small .
Proposition 6.
If the honest majority assumption in [13] holds, then .
A formal statement of the honest majority assumption and the proof of Proposition 6 can be found in Appendix B. Note that the upper bound in this proposition is only a necessary condition. Having satisfy this condition does not guarantee protocol correctness.
Remark 7.
To the best of our knowledge, most of the existing analyses focus on bounding the number of “convergence opportunities”, which for is defined as the number of rounds in which exactly one honest node mines a block, and for general , it is defined as the global block mining pattern that consists of (i) a period of rounds where no honest node mines a block, (ii) followed by a round where a single honest player mines a block, (iii) and, finally, another rounds of silence from the honest nodes [22, 18]. Obviously, guaranteeing sufficiently many convergence opportunities necessarily requires to be small; in the extreme case when there will be no convergence opportunities at all. An important insight from our results is that convergence opportunities are not necessary for commonprefix growth. This is illustrated Fig. 1 which depicts the chain growth when there are 4 honest nodes and . Each node mines a block every round and each is associated with a color.
In particular, blocks are mined by the pink node, blocks are mined by the blue node, etc. In each round, each node chooses one of the existing longest chains uniformly at random to extend. As shown in Fig. 1, there are no convergence opportunities in any of these 8 rounds and the four nodes never choose the same chain to extend. However, instead of the trivial common prefix (the genesis block) the longest chains at the end of round 8 (the four chains ending with blocks 32, 29, 30, and 31, respectively) share the common prefix In general, as we show in Section 4, even for the extreme case when , the common prefix of the longest chains still grows as time goes by.
4 UniformlyatRandom SymmetryBreaking Strategy
Bitcoin uses the firstseen symmetrybreaking strategy; nodes will only switch to a new chain with more proofofwork than their current longest chain. In this section, we investigate the power of the uniformlyatrandom symmetrybreaking strategy, in which each honest node chooses one of its received longest chains uniformly at random to extend upon – independently of other nodes and independently across rounds. We choose to start with the uniformlyatrandom strategy because (1) it is easy to implement, especially in a distributed fashion, and (2) despite its simplicity, it is very powerful in fostering chain growth.
For ease of exposition, we first present our results in the adversaryfree setting (Sections 4.1 and 4.2) and then in the adversaryprone setting (Section 4.3).
4.1 Warmup: and AdversaryFree
Even the adversaryfree setting (i.e., ) is surprisingly nontrivial to analyze. Hence we build insights by first considering the simpler setting where as a warmup.
Theorem 8.
Suppose that and . Then for any given round index , in expectation, the local chains at the honest nodes share a common prefix of length .
Remark 9.
In Theorem 8, the expectation is taken w. r. t. the randomness in the symmetry breaking strategy. Theorem 8 says that large indeed boosts the growth of the common prefix among the local chains kept by the honest nodes, and that, though temporal forking exists among local chains kept by the honest nodes, such forking can be quickly resolved by repetitive symmetrybreaking across rounds.
The following definition and theorem are useful to see the intuitions of Theorem 8.
Definition 10 (Coalescing Random Walks [1]^{4}^{4}4The original definition given in [1] assumes no selfloops, but its analysis applies to the graphs with selfloops.).
In a coalescing random walk, a set of particles make independent random walks on a undirected graph with selfloops. Whenever one or more particles meet at a vertex, they unite to form a single particle, which then continues the random walk through the graph. We define the coalescence time, denoted by , to be the number of steps required before all particles merge into one particle.
In the proof of Theorem 8, we build up the connection between the longest chains and the backwards coalescing random walks on complete graphs, and show that the maximal inconsistency among longest chains turns out to be the same as the number of steps it takes random walks on the complete graph to coalesce into one. Finally, we use the existing results on coalescing random walks to conclude.
Main proof ideas of Theorem 8. We cast our proof insights via an example presented in Fig. 1. In this figure, there are four miners. For ease of exposition, we use the colors pink, yellow, green, and blue to represent each of the miners, respectively. As shown in Fig. 1, there are 4 longest chains at the end of round 8 and these chains share a maximal common prefix ending at block 15. The maximal inconsistency of these 4 longest chains is 4; that is, these 4 longest chains are NOT inconsistent with each other until the most recent 4 blocks of each chain. For expository convenience below, instead of using numbers to represent each of the blocks, we use the tuple to represent a block that is mined by a certain miner at round . The maximal inconsistency of the longest chains can be characterized by the coalescing time on complete graphs. To see this, let’s consider the four longest chains held by honest miners during round 8 backwards.
BackwardsChain : , which can be read as “block is attached to block which is further attached to block … attached to the genesis block . ”
BackwardsChain :
BackwardsChain : .
BackwardsChain :
Since and there is no adversary, the number of longest chains received by each honest node at each round is . Under our symmetrybreaking rule, in each round , each miner chooses which of the longest chains received at the beginning of round to extend on uniformlyatrandom. Thus, neither the previous history up to round nor the future block attachment choices after round affects the choice of the chain extension in round
. Reasoning heuristically
^{5}^{5}5Formally shown in the proof of Theorem 8 via introducing an auxiliary process., we can view each of the backwardschain as a random walk on a complete graph with vertex set . In particular, BackwardsChain can be viewed as a sample path of a random walk starting at the blue vertex, then moves to the pink vertex, then back to the blue vertex etc., and finally to the blue vertex. Similarly, BackwardsChains , and can be viewed as the sample paths of three random walks starting at the pink vertex, yellow vertex, and green vertex, respectively. These four random walks (starting at four different vertices) are not completely independent. For any pair of random walks, before they meet, they move on the graph independently of each other; whenever they meet, they move together henceforth. Concretely, backwardschains 2 and 3 meet at and these chains are identical starting from block ; this holds similarly for other pairs of backwards chains. Finally, these four backward chains all meet at the block and move together henceforth. Notably, this block is exactly the last block in the maximal common prefix of the four longest chains of round 8. Thus, the maximal inconsistency among the longest chains of round 8 is identical to the number of backwards steps it takes for all these four random walks to coalesce into one. This relation is not a coincidence. It can be shown (detailed in the proof of Theorem 8) that this identity holds for general . Formal proof of Theorem 8 can be found in Appendix C.4.2 General p: AdversaryFree
The analysis for general is significantly more challenging than that of in two ways: (1) we need to repeatedly apply coupling arguments; and (2) we need to characterize the coalescence time of a new notion of coalescing random walks (the lazy coalescing random walks), the latter of which could be of independent interest for a broader audience.
Theorem 12.
Suppose that . If , in expectation, at the end of round , the local chains at the nodes share a common prefix of length . If , in expectation, at the end of round , the local chains at the nodes share a common prefix of length .
Remark 13.
The expression of the common prefix length in Theorem 12 contains two terms with the first term (i.e., ) being the only term that involves . Intuitively, from this term, we can read out the common prefix length growth rate w.r.t. . The second term (which is expression in terms of BigO notation) can be interpreted as a quantification of the maximal inconsistency of the honest chains.
Now we further interpret these two terms via simplifying the expression using the inequalities .
(1) When , it is true that for large , which implies that , i.e., the common prefix grows at a speed . The maximal inconsistency bound is not tight.
Nevertheless, via a straightforward calculation, we know that the maximal inconsistency is .
(3) When , we have as . Thus the commonprefix grows at the speed
with maximal inconsistency for sufficiently large .
(4) When , it is true that as . The commonprefix grows at the speed of for sufficiently large and the maximal inconsistency is .
Overall, when gets larger, the commonprefix growth increases and the maximal inconsistency grows at a much slower rate.
The following definition and lemma are used in proving Theorem 12. This lemma could be of independent interest to a broader audience and its proof can be found in the appendix.
Definition 14 (Lazy coalescing random walk).
For any fixed , we say particles are lazy coalescing random walks if for each step: with probability , each particle stays at its current location; with probability , each particle moves to an adjacent vertex picked uniformly at random. If two or more particles meet at a location, they unite into a single particle and continue the procedure. The coalescence time is the same as that in Definition 10.
Lemma 15.
Suppose that is a complete graph of size (where ) with selfloops. For any , the coalescence time of the lazy coalescing random walks is .
Proof Sketch of Theorem 12. When , we can use Poisson approximation to approximate the distribution of number of blocks in each round. A straightforward calculation shows that the probability of having exactly one block in a round is . Thus, in expectation, the maximal inconsistency is . Henceforth, we restrict our attention to the setting where
and quantify the expected maximal inconsistency among the longest chains of round
. It is attempting to apply arguments similar to that in the proof of Theorem 8 and derive a bound on the maximal inconsistency via stochastic dominance. However, the obtained bound on the maximal inconsistency is which could be extremely loose for a wide range of . Nevertheless, based on the insights obtained in this coarse analysis, we can come up with a much finergrained analysis and obtain the bound in Theorem 12. Similar to the proof of the special case when , in our finegrained analysis for general , we couple the growth of the common prefix in Nakamoto protocols with the coalescing time random walks on complete graphs. The major differences from the proof of are: (1) instead of the standard coalescing random walks, we need to work with a lazy version of it, formally defined in Definition 14; (2) there is no fixed correspondence between a color and a node – in our proof of general , the correspondence is roundspecific rather than fixed throughout the entire dynamics; (3) there is no bijection between a sample path of the Nakamoto dynamics and that of the backwards coalescing random walks, thus, we need to rely on stochastic dominance to build up the connection of these two dynamics.4.3 General p: AdversaryProne
Throughout this section, we assume . In this subsection, we consider adversaryprone systems, i.e., . Simple concentration arguments show that when for any given , using vanilla Nakamoto consensus the chain quality could be near zero. To make larger feasible, we introduce a new assumption—Assumption 16—which we then remove in Section 5 by providing a construction that ensures Assumption 16 with all but negligible probability. Specifically, we use a cryptographic tool called a VDF to ensure that over a sufficiently long time window, the corrupt nodes can only collectively extend a chain by more than one block in a round with negligible probability.
Assumption 16.
In each round, a chain can be extended by at most 1 block.
To strengthen the protocol robustness, we make the additional minor modification requiring each honest node to selectively relay chains at the beginning of a round. Selective relay rule: At each honest node , for each iteration : Node looks at the chains it received in the previous round , and if any of them are longer than its own local longest chain, it not only chooses one of the longest chains to replace its local one, it also broadcasts it to other nodes before it begins mining in round .
As implied by our proof, this modification can reduce the maximal difference between the lengths of the longest chains kept by the honest nodes and by the corrupt nodes. Intuitively, if the adversary sends two chains of different lengths to two different groups of honest nodes, with the selective relay rule, only the longer chain would survive in this round. Notably, it is possible that none of them survive in this round. Even with the assurance guaranteed by Assumption 16, compared with the adversaryfree settings, the analysis for the adversaryprone setting is challenging. This is because the corrupt nodes could deviate from the specified symmetry breaking rule. For example, a corrupt node can choose not to extend its longest chain, or can choose from its set of longest chains in any way that provides advantage. In addition, a corrupt node can hide blocks it has mined from the honest nodes for as long as it wants, or from some subset of the honest nodes during a round.
For simplicity and for technical convenience, we assume that a corrupt node randomly chooses among longest chains that end with an honest block. This assumption is only imposed in the rare event when simultaneously both the adversary has no adversary advantage (see Definition 17) and only honest nodes mine blocks in the most recent nonempty round.
In contrast to the adversaryfree setting where the lengths of honest nodes’ local chains differ by at most 1, in the presence of an adversary, such difference could be large. To precisely bound this difference, we introduce a random process we call adversary advantage:
Definition 17 (Adversary advantage).
Let be the random process defined as

, and

for ,
Note that the random process is independent of the adversarial behaviors of the corrupt nodes. To make the discussion concrete, we introduce the following definition.
Definition 18.
The length of the longest chains kept by the honest nodes at round is defined as the length of the longest local chains kept by honest nodes at the end of round .
Lemma 19.
For any , at the end of round , the length of the longest chains kept by the adversary – henceforth referred to as an adversarial longest chain of round – is at most longer than the length of a chain kept by an honest node.
Proof of Lemma 19 can be found in Appendix E. From its proof, we can deduce an attacking strategy of the adversary that meets the upper bound in Lemma 19. The following lazy random walk, referred to as coalescing opportunities, is important in our analysis. It can also be used to quantify the chain quality.
Definition 20.
Let be the rounds in which at least one node mines a block with the understanding that . Let be a random walk defined as
Remark 21.
A couple of interesting facts on the coalescing opportunities dynamics are: Among the most recent blocks in a longest chain, there are at least blocks mined by the honest nodes. In addition, regardless of the behaviors of the adversary, for any two longest chains, there are at least block positions each of which has nonzero probability of being in the common prefix of these two chains.
Let and , i.e., (resp. ) is the probability for to move up (resp. down) by 1. We have
(2) 
It is easy to see that when , it holds that . For ease of exposition, let
Lemma 22.
With probability at least , it holds that .
Lemma 22 gives a high probability lower bound on the number of coalescing opportunities during nonempty rounds. Its proof can be found in Appendix E.
Theorem 23.
For any given and where , at the end of round , with probability at least
over the randomness in the block mining, the expected maximal inconsistency among a given pair of honest nodes is less than , where the expectation is taken over the randomness in the symmetry breaking.
Remark 24.
It is worth noting that , i.e., is a function of the fraction of honest nodes and the total mining power of the nodes in the system.
Suppose that for any given . Let
From Theorem 23, we know that with probability at least , the maximal inconsistency is less than . Roughly speaking, when gets smaller, mainly gets smaller.
Proof of Theorem 23.
We use to denote the number of blocks generated during round and associate each node with a distinct color in . If node mines a block during round , we use to denote this block. The genesis block is denoted as . Recall that the blocks mined during round are collectively referred to as the block layer . As the randomness in the block generation (i.e., puzzle solving of individual nodes) is independent of the adversarial behaviors of the corrupt nodes and is independent of which chain an honest node chooses to extend, we consider the auxiliary process wherein the nodes mine blocks for the first rounds, and then the corrupt nodes and honest nodes sequentially decide on block attachments. Let be the set of rounds such that for each . Let and be any two honest nodes whose chains at the end of round are denoted by and , respectively. For each of these chains, we can read off a sequence of colors
where and , respectively, are the lengths of chains and , is the color of the genesis block, for is the color of the –th block in and for is the color of the –th block in . If , without loss of generality, we consider the case that ; the other case can be handled similarly. We augment the color sequence to the length sequence as
by setting for where is a special color that never shows up in a real block. It is easy to see that and start to be inconsistent at their th block if and only if for each . Let such that for each it holds that

Only honest nodes successfully mined blocks;

.
For ease of exposition, we refer to each of as a coalescing opportunity. Recall that each of the honest nodes extends one of the longest chains it receives. By Lemma 19, we know that each of and contains a block generated during round . Let and be the blocks included in and , respectively. If is in the th position in , then is also in the th position in . For each , we denote the set of chains (including the forwarded chains) received by and at round , denoted by and . Since the adversary can hide chains to a selective group of honest nodes, and could be different. The probability of and extending the same chain at round is
(3) 
where the inequality follows from Lemma 33. By Lemma 22, we know that in the nonempty block layers that are most recent to round ,
holds with probability at least . In addition, it can be shown that for each of the ensured by Lemma 22 we have
For any , let be the number of blocks mined by the honest nodes during round such that . Using conditioning and Hoeffding’s inequality, the following holds with probability at least ,
which implies that . On average over the random symmetry breaking, it takes at most coalescing opportunities backwards for chains and to coalesce into one. Thus, we need .
∎
5 VDFBased Scheme
In this section, we present a scheme to ensure Assumption 16. The key cryptographic tool we use in the following scheme is the construction of the verifiable delay function, , which we define informally below. Please refer to [4] for the formal definition (also defined formally in the full version of our paper).
Definition 25 (Verifiable Delay Function (informal)).
Let be our security parameter. There exists a function with difficulty where the output (where ) cannot be computed in less than sequential computation steps, even provided parallel processors, with probability at least . The VDF output can be verified, quickly, in time.
We set the difficulty of the VDF to the duration of a round; in other words, the difficulty is set such that the VDF produces exactly one output at the end of each round. We amend default Nakamoto consensus by adding the following procedure. We believe this could be added in a backwardscompatible way to existing Nakamoto implementations, like Bitcoin. Backwardscompatibility is desirable in decentralized networks because it means that a majority of the network can upgrade to the new protocol and nonupgraded nodes can still verify blocks and execute transactions. Below we describe a scheme that, when added to Nakomoto consensus, assures Assumption 16. The proof of the following theorem is in the full version of our paper.
Theorem 26.
Assumption 16 is satisfied by our VDFbased scheme.
VDFScheme Overview. The VDFscheme works intuitively as follows. We number the rounds beginning with round . All nodes have the genesis block in their local chains in round and starting mining blocks in round . In round , the VDF output is computed using as the input. During each round , each node computes a VDF output, , (using ) for the current round where the input to is the output of the VDF, , from the previous round concatenated with the round number, . Both inputs are necessary; the output of the VDF from the previous round ensures that we cannot compute the VDF output for this round until we have obtained the output for the previous round, and the round number is necessary to ensure that the output is not used for a future round. Once the VDF output is computed, each honest node attempts to mine a block using the VDF output as part of the input to the mining attempt. This also ensures that the block generation rate of honest nodes is upper bounded by . Then, each node which successfully mines a block sends the new chain to all other nodes.
All honest nodes verify that each chain satisfies two conditions:

Let be the VDF outputs contained in blocks , respectively, of a chain (the genesis block does not contain a VDF output). Let be the rounds where were computed, respectively. Then, .

is the VDF output computed from round .
The honest nodes also check all proofs included in the chains, confirming that the VDF outputs are correctly computed and the blocks are correctly mined using the VDF outputs. An honest node discards any chain which does not pass verification.
Pseudocode. The precise pseudocode of our VDFbased scheme is given below. Using , each honest node performs the following:

Initially, all honest nodes use input at the start of the protocol to obtain output for round .

Let be the output of the VDF for round and .^{6}^{6}6Here, is the commonly used notation indicating concatenation between and . stores .

When mines a block , includes the output from the previous round in , ie. is mined with as part of the input.

Each node which successfully mines a block adds the mined block to its local chain. Then, it broadcasts its local chain to all other nodes.

For each longest chain received, each node verifies the following:

Let be the VDF outputs stored in each block in order starting with the first block and ending with the th block. Let be the rounds associated with the VDF output. Then, .

The th block in the chain (starting from the genesis block) is mined using from round .

The proofs of the VDF output and the mining output are correct, i.e. the block is correctly mined using the corresponding VDF output.


If receives a chain where more than one block in the chain is mined with the same (for any smaller than the current round), the node discards the chain.

At the end of round , sets and begins computing the next value using as input.
Due to space constraints, we do not include the proof of Theorem 26; please find the full proofs in the full version of our paper. However, the intuition for our proof is straightforward. Items 5a and 5b ensure that no chain accepted by an honest node contains more than one block per VDF output. Setting the difficulty of the VDF to the duration of the round ensures that at most one VDF output is produced during a round. Together, these two observations prove Theorem 26, namely, that any chain held by an honest node can be extended by at most one block each round.
6 Discussion
Validation and Communication Costs. A higher means a faster block rate and thus more blocks. The validation and bandwidth complexity of Nakamoto protocols are proportional to block size and the number of blocks that are mined, since each miner validates and then communicates every mined block to all other miners (in practice, nodes do not necessarily gossip shorter chains, and taking advantage of nodes’ memory overlap can help reduce block transfer size [8]). One needs to determine the optimal value of that trades off validation and bandwidth complexity and chain growth. This work expands the space of to consider.
Other SymmetryBreaking Strategies. Here we consider three other symmetrybreaking strategies with high . Firstseen is where all honest nodes take the first chain out of the longestlength chains they see, and lexicographicallyfirst is where honest nodes take the lexicographicallyfirst chain of the set of longest chains according to some predetermined ordering, for example alphabetically. Intuitively, the adversary can control the network and thus cause different honest nodes to see different chains of the same length first for firstseen, impacting commonprefix, or grind on blocks to always produce the lowest lexicographicallyordered chain for lexicographicallyfirst, impacting chainquality. A third strategy is to use a globalrandomcoin: Suppose that all nodes have access to a permutation oracle that returns a permutation sampled uniformly at random of a number of elements passed into it where any subset of elements obey the same partial ordering. With symmetrybreaking is trivial since all honest nodes will agree on the result of the coin flip. Furthermore, if the coin is fair, then the number of honest blocks added to the chain is proportional to the fraction of honest nodes. However, in reality, it is difficult and oftentimes infeasible to ensure such a strong guarantee.
Conclusion. In this work we show that unlike previously thought, convergence opportunities are not necessary to make chain progress. We use coalescing random walks to analyze the correctness of Nakamoto consensus under a regime of puzzle difficulty previously thought to be untenable, expanding the space of for protocol designers.
References

[1]
D. Aldous and J. Fill.
Reversible markov chains and random walks on graphs, 2002.
 [2] V. Bagaria, S. Kannan, D. Tse, G. Fanti, and P. Viswanath. Prism: Deconstructing the blockchain to approach physical limits. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 585–602, 2019.
 [3] E. Blum, A. Kiayias, C. Moore, S. Quader, and A. Russell. The Combinatorics of the LongestChain Rule: Linear Consistency for ProofofStake Blockchains, pages 1135–1154.
 [4] D. Boneh, J. Bonneau, B. Bünz, and B. Fisch. Verifiable delay functions. In Advances in Cryptology  CRYPTO 2018  38th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 1923, 2018, Proceedings, Part I, pages 757–788, 2018.
 [5] D. Boneh, J. Bonneau, B. Bünz, and B. Fisch. Verifiable delay functions. Cryptology ePrint Archive, Report 2018/601, 2018. https://eprint.iacr.org/2018/601.
 [6] C. Cooper, R. Elsasser, H. Ono, and T. Radzik. Coalescing random walks and voting on connected graphs. SIAM Journal on Discrete Mathematics, 27(4):1748–1758, 2013.
 [7] C. Cooper, A. Frieze, and T. Radzik. Multiple random walks in random regular graphs. SIAM Journal on Discrete Mathematics, 23(4):1738–1761, 2010.
 [8] M. Corallo. Compact block relay, 2016. https://github.com/bitcoin/bips/blob/master/bip0152.mediawiki.
 [9] C. Dwork and M. Naor. Pricing via processing or combatting junk mail. In Annual international cryptology conference, pages 139–147. Springer, 1992.
 [10] EOS. v2.0 consensus protocol, 2021. https://developers.eos.io/welcome/v2.0/protocol/consensus˙protocol.
 [11] I. Eyal and E. G. Sirer. Majority is not enough: Bitcoin mining is vulnerable. In International conference on financial cryptography and data security, pages 436–454. Springer, 2014.
 [12] J. Garay, A. Kiayias, and N. Leonardos. The bitcoin backbone protocol: Analysis and applications. In E. Oswald and M. Fischlin, editors, Advances in Cryptology  EUROCRYPT 2015, pages 281–310, Berlin, Heidelberg, 2015. Springer Berlin Heidelberg.
 [13] J. Garay, A. Kiayias, and N. Leonardos. The bitcoin backbone protocol: Analysis and applications. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 281–310. Springer, 2015.
 [14] J. Garay, A. Kiayias, and N. Leonardos. Full analysis of nakamoto consensus in boundeddelay networks. Cryptology ePrint Archive, Report 2020/277, 2020. https://eprint.iacr.org/2020/277.
 [15] J. A. Garay, A. Kiayias, and N. Leonardos. The bitcoin backbone protocol with chains of variable difficulty. In J. Katz and H. Shacham, editors, Advances in Cryptology  CRYPTO 2017  37th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 2024, 2017, Proceedings, Part I, volume 10401 of Lecture Notes in Computer Science, pages 291–323. Springer, 2017.
 [16] B. Hajek. Random processes for engineers. Cambridge university press, 2015.
 [17] A. Kiayias and G. Panagiotakos. Speedsecurity tradeoffs in blockchain protocols. IACR Cryptol. ePrint Arch., 2015:1019, 2015.
 [18] L. Kiffer, R. Rajaraman, and a. shelat. A better method to analyze blockchain consistency. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, page 729–744, New York, NY, USA, 2018. Association for Computing Machinery.
 [19] S. Micali. Algorand 2021 performance, 2020. https://www.algorand.com/resources/blog/algorand2021performance.
 [20] S. Nakamoto. Bitcoin: A peertopeer electronic cash system, 2009.
 [21] S. Nakamoto et al. Bitcoin: A peertopeer electronic cash system.(2008), 2008.
 [22] R. Pass, L. Seeman, and A. Shelat. Analysis of the blockchain protocol in asynchronous networks. In J.S. Coron and J. B. Nielsen, editors, Advances in Cryptology – EUROCRYPT 2017, pages 643–673, Cham, 2017. Springer International Publishing.
 [23] R. Pass, L. Seeman, and A. Shelat. Analysis of the blockchain protocol in asynchronous networks. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 643–673. Springer, 2017.
 [24] R. Pass and E. Shi. Fruitchains: A fair blockchain. In Proceedings of the ACM Symposium on Principles of Distributed Computing, PODC ’17, page 315–324, New York, NY, USA, 2017. Association for Computing Machinery.
 [25] K. Pietrzak. Simple Verifiable Delay Functions. In A. Blum, editor, 10th Innovations in Theoretical Computer Science Conference (ITCS 2019), volume 124 of Leibniz International Proceedings in Informatics (LIPIcs), pages 60:1–60:15, Dagstuhl, Germany, 2018. Schloss Dagstuhl–LeibnizZentrum fuer Informatik.
 [26] L. Ren. Analysis of nakamoto consensus. IACR Cryptol. ePrint Arch., 2019:943, 2019.
 [27] A. Sapirshtein, Y. Sompolinsky, and A. Zohar. Optimal selfish mining strategies in bitcoin. In International Conference on Financial Cryptography and Data Security, pages 515–532. Springer, 2016.
 [28] B. Wesolowski. Efficient Verifiable Delay Functions (extended version). Journal of Cryptology, Sept. 2020.
 [29] R. Zhang and B. Preneel. Lay down the common metrics: Evaluating proofofwork consensus protocols’ security. In 2019 IEEE Symposium on Security and Privacy (SP), pages 175–192, 2019.
 [30] J. Zhao, J. Tang, Z. Li, H. Wang, K. Lam, and K. Xue. An analysis of blockchain consistency in asynchronous networks: Deriving a neat bound. In 40th IEEE International Conference on Distributed Computing Systems, ICDCS 2020, Singapore, November 29  December 1, 2020, pages 179–189. IEEE, 2020.
Appendix A Additional Definitions
a.1 VDFs
The formal definition of VDFs is presented below.
Definition 27 (Verifiable Delay Functions [4]).
A VDF is a triple of algorithms that perform the following:

: The algorithm takes as input a security parameter and a desired difficulty level and produces public parameters consisting of an evaluation key and a verification key . is polynomial time with respect to and is subexponentiallysized in terms of . The public parameters specify an input space and an output space . is efficiently sampleable. If secret randomness is used in , a trusted setup might be necessary.

: takes an input (in the sample space of inputs) and the evaluation key and produces an output (in the sample space of outputs) and a (possibly empty) proof . may use random bits to generate but not to compute . runs in parallel time even when given processors for all pp generated by and .

: is a deterministic algorithm that takes the verification key , an input , the output , and proof and outputs or depending on whether was correctly computed from via . runs in time .
Furthermore, must satisfy the following properties:

Correctness A VDF is correct if for all , parameters , and all , if , then .

Soundness A VDF is sound if for all algorithms that run in time

Sequentiality A VDF is sequential if no adversary with a pair of randomized algorithms , which runs in total time , and , which runs in parallel time on at most processors, can win the following game with probability greater than :
wins the game if and .
a.2 Tail Bounds
We use the following variant of Hoeffding’s inequality.
Theorem 28 (Hoeffding’s inequality).
Let be
independent, identically distributed random variables drawn from a Bernoulli distribution with parameter
, . If , then , , anda.3 The Bitcoin Blockchain System
In this section, for completeness, we provide a highlevel overview of the Bitcoin Blockchain System. The below is mainly to serve as a reminder of the Bitcoin protocol for those unfamiliar with it.
HighLevel Description.
The nodes in the system represent miners in the Bitcoin cryptosystem who mine blocks filled with requests from clients. Clients represent payers who would like to fulfill some transactions. The client issues a writerequest whenever it wants to send a transaction to a miner. The miner then attempts to mine a block containing the value of the transaction. Specifically, the following set of steps occur:

The payer submits a writerequest to the system with a valid transaction as the write “value” they want to add to the public ledger.

Every honest miner :

has a which contains a collection of multicast transactions received by this miner. Notably, due to issues such as network failures and messages delay, the kept by different miners might not be identical, and

keeps a local valid blockchain .


In each round, each of the miners:

Blockify its local (i.e., creates a block of appropriate size that contains a subset of the transactions in ) and removes those blockified transactions from .

Try to add this new block to its local chain .

If the miner successfully extends its local chain, it multicasts the updated chain to other miners.

Wait to receive multicasted chains from others and update its local chain to be the chain that is the longest among the received chains and its current local chain. If there are multiple longest chains, use a symmetry breaking mechanism to choose one of them as its new local chain.

In the Bitcoin system, oftentimes, the symmetry is broken in an arbitrary manner, i.e., if there is a tie, an honest node chooses an arbitrary longest chain (e.g. the chain it received first). In an adversarial setting, this symmetrybreaking strategy could potentially lead to honest nodes choosing different chains frequently. It turns out that this symmetrybreaking rule, with high probability, can guarantee safety as long as it is sufficiently hard to successfully mine a block. However, this is not the case when the probability of successfully mining a block is large. In fact, for such instances, it is important to consider specific symmetrybreaking strategies and how they affect the system.
Appendix B Honest Majority Assumption
The honest majority assumption in the seminal [13] is presented below for completeness. For ease of comparison, we use the same notation as that in [13] Let be the probability at least one honest node succeeds in finding a proofofwork (pow) in a round. In [13], the notion of the advantage of honest participants is used, denoted by . It is used to bound . In particular, is chosen so that always holds.
Assumption 29 (Honest Majority Assumption [13]).
Given an , , and , the maximal number of corrupted nodes satisfies:

, and

.
Notably, by definition of , the second bullet in Assumption 29 always holds. Hence, for fixed , , and , the real constraint on is the relation assumed in the first bullet of Assumption 29.
Proof of Proposition 6.
By Assumption 29, it holds that
(4) 
As , (4) implies that . Let denote the probability at least one honest node succeeds in finding a pow in a round. We have . So
Equivalently,
for arbitrary base of log as long as the base is . By Taylor expansion, we have
where the last inequality follows from the fact that .
∎
On Remark 7: To see the claim in Remark 7, consider the boundary case where – the honest nodes barely make it to be the majority of the system. In this case, the upper bound of in Proposition 6 is
Thus, in expectation, it takes at least rounds for the honest nodes to mine a block collectively. Such a low block generating speed makes it unlikely to have multiple longest chains unless the network delay is very serious. This observation also justifies why the choice of symmetry breaking rules does not matter much in [13, 23].
This observation holds not only for the boundary case when but also for more general . For ease of illustration, let’s consider the sequence of for with . Without loss of generality, assume that is an integer for all under consideration. For a system with up to corrupted nodes, the upper bound in Proposition 6 lies in between
Comments
There are no comments yet.