Personalized Difficulty Adjustment for Countering the Double-Spending Attack in Proof-of-Work Consensus Protocols

07/09/2018 ∙ by Chi-Ning Chou, et al. ∙ National Taiwan University

Bitcoin is the first secure decentralized electronic currency system. However, it is known to be inefficient due to its proof-of-work (PoW) consensus algorithm and has the potential hazard of double spending. In this paper, we aim to reduce the probability of double spending by decreasing the probability of consecutive winning. We first formalize a PoW-based decentralized secure network model in order to present a quantitative analysis. Next, to resolve the risk of double spending, we propose the personalized difficulty adjustment (PDA) mechanism which modifies the difficulty of each participant such that those who win more blocks in the past few rounds have a smaller probability to win in the next round. To analyze the performance of the PDA mechanism, we observe that the system can be modeled by a high-order Markov chain. Finally, we show that PDA effectively decreases the probability of consecutive winning and results in a more trustworthy PoW-based system.

I Introduction

In 2008, Satoshi Nakamoto [1] published a breakthrough decentralized cryptosystem called Bitcoin, which ushered in an era of fully distributed trust networks. Ten years have passed since its publication and Bitcoin is indeed a successful electronic currency. Many papers have been published on Bitcoin applications [2]; however, very few have ever materialized. We believe that there are two main reasons for this phenomenon: the intrinsic overhead of the Bitcoin construction and the security hazards [3] [4] such as double spending.

The intrinsic overhead of Bitcoin lies in two parts of the system: the information propagation and the proof-of-work mechanism. The former is strongly related to the synchronization and consensus issue. Karame et al. [5] [6] initiated the study of fast payment in order to accelerate the transaction confirmation in Bitcoin and found out that the double spending probability is non-negligible. Bamert et al. [7] proposed securing fast payments, which improved the previous studies. They showed that under their construction the double spending probability diminishes to less than 0.088%. Stathakopoulou et al. [8] introduced a faster Bitcoin network based on the pipeline. They showed that increasing the locality of connectivity among each node can accelerate the information propagation. By implementing a Content Distribution Network, they achieved 60.6% average speed up. From these works, we see that resolving the intrinsic overhead by accelerating the information propagation has limited performance.

As a result, we tried to fix the intrinsic overhead of Bitcoin network, or the PoW-based network, by proposing a new difficulty adjustment mechanism. The main focus is to strengthen the power of PoW so that it can guarantee stronger security.

I-A Proof-of-Work (PoW)

In a PoW system, every participant has the right to be the verifier, but with a different probability. The probability to be selected as a verifier depends on how much he or she has devoted to the system. That is, the more one contributes to the system, the higher probability he or she has to be selected as a verifier. The mechanism to evaluate the amount of devotion is the so-called proof-of-work. Practically speaking, each participant keeps computing hash values of the header of a block. And the first one who finds a small enough hash value will be regarded as the verifier for the current block.

I-B Double Spending

However, there is a potential hazard that the verifier is an attacker. Attackers might modify the transaction record and benefit themselves. In [1], Satoshi referred to this kind of situation as double spending in which the verifier spends the same money twice, which is definitely not allowed to happen in a trusted system.

The original double spending scenario in [1] considers the possibility that some attackers in the Bitcoin system build their own blockchain instead of mining on the main chain. The attackers build a private blockchain that is longer than the public chain. Thus, other participants in the system will adopt the longer one, which in this case is the attackers’ private blockchain. The attackers produce some fake transactions in their private blockchain, usually by removing the records of their spendings so as to spend that money again in the future. Once these fake transactions, such as a double-spending one, merge into the main blockchain, the trust of the system will break down.

I-C High-order Markov Chain

Raftery [9] proposed the Mixture Transition Distribution (MTD) model in 1985, which models the high-order Markov chain with a lag coefficient. Later, Berchtold and Raftery [10] generalized the idea into multi-matrix MTD, infinite-lag MTD, spatial MTD, etc., which can be used in various applications. In 2005, Ching et al. [11] [12] relaxed the constraints in the MTD model and obtained more general results. Recently, Li and Ng [13] used a probability tensor to model the high-order Markov chain and found some sufficient conditions for the existence and uniqueness of the stationary distribution.

However, these previous works are not quite the same as what we focus on here. They generalized the Markov property into the high-order Markov chain, which conditions on more than one past state, and emphasized the stationary distribution or asymptotic behavior of a single state. Here, we not only utilize the high-order Markov property but also obtain the stationary distribution or asymptotic behavior of a sequence of states. In other words, the event we care about is a period of time or a sequence of states, not a single snapshot.

In the personalized difficulty adjustment PoW system, our concern is double spending events in the scenario of consecutive winning by the same party. This paper presents the model to minimize the likelihood of spending the same coin twice and its corresponding results in Gcoin [14][15].

II Model

We use a general stochastic process to model the PoW system and construct the personalized difficulty adjustment PoW system step by step. We start from the traditional PoW system in Section II-A, then we introduce the concept of personalized difficulty adjustment in Section II-B and give an example of difficulty function in Section II-C.

II-A Traditional PoW system

First, note that the system is basically a discrete system. Namely, the system is composed of a sequence of blocks, and it is sufficient for us to use the index of each block to order the configurations in the system. In the following construction, we use the small letter to denote the order index of the block we are at.

Next, there are participants in the system competing for solving hash values. Each of them intrinsically has his own computing power, denoted as , where refers to the index of the participant and is the block index. Besides the computing power, there is a time-varying parameter recording the difficulty of the system. We denote the difficulty for competing block as , with computing power and difficulty . It is sufficient to model the traditional PoW system with a two-tuple stochastic process as follows.

Definition 1 (traditional PoW system).

A traditional PoW system is a 2-tuple

where is the computing power of player and is the difficulty of the system at the block respectively.

At block , participant has computing power and is assigned with difficulty . Each of the participants then keeps computing hash function until one of them finds a valid hash value. The probability of participant to win at block is proportional to . This observation is formally stated in Theorem 1 and is proved in Appendix A.

II-B Personalized Difficulty Adjustment (PDA) PoW System

To simplify the problem, we assume all the nodes in PoW networks have the same computing power. A PDA PoW system modifies the dynamic parameter of itself according to the recent outcomes in the system. For example, in this system [Figure  1], the difficulty index of each player will be configured according to the past winners in recent blocks. Suppose player A wins 4 blocks in the past 6 blocks, then his difficulty will be higher than player B who only wins 1 block in that period. Intuitively, we can think of the scenario as a dynamic stochastic process in which the transition mechanism will depend on a period of past results.

Fig. 1: Example of personalized difficulty adjustment.

To formalize a PDA PoW system, there are three elements we need to add into the system: the winning history, the number of past blocks we concern, and the difficulty function.

The winning history records who wins the block from the beginning till current block denoted as , where denotes the winner at the th block. Next, we denote the number of past history as . That is to say, if we are at block , then we are going to consider the winner at blocks . The difficulty function is specified by from the past winning history to a difficulty assignment for every player. Thus, we define PDA PoW system as follows:

Definition 2 (personalized difficulty adjustment proof-of-work system).

A PDA PoW system with participants (players) is a 5-tuple

where

  • denotes the computing power of player at block . For simplicity, if not specified, we assume the computing power of each player is a constant and remains all the same. Intuitively, we can think of computing power as internal power.

  • denotes the difficulty of player at block . Intuitively, we can think of difficulty as external power.

  • denotes who wins at block .

  • is the number of blocks we look into the past.

  • is the difficulty function that looks into past blocks.

The process is actually overdetermined. The difficulties are recursively defined by the winning history , the number of blocks we look in the past and the difficulty function . Similarly, we denote the probability of the th player to compute for block as . And for convenience, we denote the recent histories as -history.

The probability of winning matters the most. With some probability argument, we can derive a simple relation between winning probability, difficulty, and computing power stated in the following theorem.

Theorem 1.

The winning probability of player at block is proportional to the computing power divided by the difficulty. That is, . The proof is left in Appendix A.

Intuitively, Theorem 1 tells us that the winning probability of each player is proportional to the ratio of computing power to the assigned difficulty. As a result, once this ratio is approximately the same for all participants, the winning probability will be close to uniform.

With Theorem 1, we calculate the winning probability for player at block by dividing its ratio with the summation of all ratio . And Theorem 1 tells us the winning probability is proportional to the ratio of computing power and difficulty. Thus, it’s convenient for us to analyze the whole system.

II-C Difficulty function

Definition 3 (difficulty function).

A difficulty function that considers past blocks is a mapping from past history to a difficulty vector for players: .

Also, with Theorem 1, we assume for simplicity.

Example II.1 (-exponential non-ordered difficulty function).

Denote the winning times of player in the past blocks from current block as . An -exponential non-ordered difficulty function maps

Suppose we take and every player has the same computing power. If the 3-history right now is , then the winning times of each player is:

The difficulty for each player at block is:

The winning probability for each player at block is:

p.s. we denote as

This example shows the intuition of exponential non-ordered difficulty function: the winning probability at block is proportional to .

III Rate of consecutive winning

Now we want to examine how well the PDA mechanism prevents us from consecutive winning.

We define the scenario we care about.

  • Setting: A PDA PoW system with players: . Assume the computing power is constant for each player, i.e. .

  • Goal: We want to know the probability of player 1 consecutively winning for time, i.e. .

First, we consider the case with no difficulty function (or we choose the exponential non-ordered difficulty function).

III-A No difficulty function

As the winning probability for each player at a single block is all the same: , the probability of player to consecutively win blocks is . From another point of view, we can think of this as a no-difficulty case, since the winning probability of each block is i.i.d., while in other cases the winning probabilities of the blocks are correlated.

III-B Arbitrary difficulty function

Next, we consider choosing an arbitrary difficulty function . However, since the winning probability of each block is correlated, we cannot simply utilize the i.i.d. property to calculate the goal: . Instead, the joint probability of consecutive blocks should be considered as:

We find that the system obeys a high-order Markov chain, i.e., the k-th order Markov property.

Definition 4 (high-order Markov chain).

The idea of high-order Markov chain is as follows.

The transition probability of a stochastic process is only conditioned on the previous events. Formally, suppose is a -th order Markov chain over state space , then for and ,

Therefore, we can directly encode the winning probability into a transition matrix as we regard each possible history as a state. Formally speaking, we define the state space of the Markov chain as , where is the state space and is the transition probability function.

  • : the history.

  • : suppose then

    where is the difficulty for player conditioned on history .

Let be the probability vector over denoting the probability of past history started from block . Then, the stationary distribution of past history is that satisfies . Or, equivalently, .

III-C Exponential non-ordered difficulty function

Suppose we choose the exponential non-ordered difficulty function in a participants, past history PDA PoW system . Then, we get , where and

Here we calculate the probability of consecutive winning with the different number of past history and different difficulty functions. The number of participants is 5.

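| Difficulty function \ number of past history | 2 | 3 | 4 | 5 |
|---|---|---|---|---|
| No difficulty | 4e-2 | 8e-3 | 1.6e-3 | 3.2e-4 |
| 2-exponential non-ordered | 2.34e-2 | 1.59e-3 | 6.14e-5 | 1.35e-6 |
| 5-exponential non-ordered | 1.12e-2 | 1.64e-4 | 6.38e-7 | 6.74e-10 |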
TABLE I: Probability of consecutive winning. .
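
The calculation behind Table I, as an added example that is not code from the paper: each history of the last k winners is treated as one state of a first-order chain, and power iteration gives the stationary probability of the all-same-winner history. It assumes equal computing power and a difficulty of alpha**w_i, where w_i is player i's win count in the history (this page's formulas did not survive extraction, so that reading is an assumption); the function names are hypothetical.

```python
from itertools import product


def win_probs(history, n, alpha):
    """Next-block win probability of each player given the last k winners.

    Assumption: equal computing power and difficulty alpha**w_i, so by
    Theorem 1 P(i wins) is proportional to alpha**(-w_i).
    """
    weights = [alpha ** -history.count(i) for i in range(n)]
    total = sum(weights)
    return [w / total for w in weights]


def consecutive_win_prob(n, k, alpha, tol=1e-13, max_iter=5000):
    """Stationary probability that the last k blocks were all won by player 0."""
    states = list(product(range(n), repeat=k))      # n**k histories
    index = {s: j for j, s in enumerate(states)}

    # Sparse transitions: (h1..hk) -> (h2..hk, winner). Each state has only
    # n successors, so the n**k x n**k matrix is never materialised.
    succ = []
    for s in states:
        p = win_probs(s, n, alpha)
        succ.append([(index[s[1:] + (w,)], p[w]) for w in range(n)])

    pi = [1.0 / len(states)] * len(states)          # start from uniform
    for _ in range(max_iter):
        nxt = [0.0] * len(states)
        for j, edges in enumerate(succ):
            mass = pi[j]
            for target, p in edges:
                nxt[target] += mass * p
        delta = sum(abs(a - b) for a, b in zip(pi, nxt))
        pi = nxt
        if delta < tol:                             # converged
            break
    return pi[index[(0,) * k]]


if __name__ == "__main__":
    n = 5  # number of participants used for Table I
    for label, alpha in (("no difficulty", 1), ("2-exponential", 2),
                         ("5-exponential", 5)):
        row = [consecutive_win_prob(n, k, alpha) for k in range(2, 6)]
        print(f"{label:15s}", "  ".join(f"{v:.3g}" for v in row))
```

With 5 players this gives about 2.34e-2 and 1.59e-3 for alpha = 2 at histories of length 2 and 3, and 1.12e-2 for alpha = 5 at length 2, in line with Table I.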

III-D Calculation issue

We have discussed the probability of consecutive winning with different difficulty functions. In Table I we show that the probability of consecutive winning drops markedly as we increase the number of past history and the difficulty ratio .

However, once we increase the number of participants, the size of the transition matrix increases drastically. For example, if we consider 4 past history, the number of states in the transition matrix of 5 participants is . As we consider 20 participants, the number will become , which can hardly be computed by a normal computer! As a result, once we create a new difficulty function and want to see how well it prevents consecutive winning, we cannot efficiently compute the results with the above calculation model if there is a large number of participants.

When looking deeper into the transition matrix, we can find out that there are so many 0’s. Namely, the matrix is extremely sparse.

IV State reduction

As the number of states grows, the outcomes are full of symmetry. We group symmetric outcomes together to reduce the number of outcomes, which drastically reduces the computation.

IV-A Abstract model

We find that the PDA PoW system and the basic dynamics share many similarities. However, some parameters in the PDA PoW system change over time according to the outcome, which makes it more complicated. Therefore, we divide the system into two parts: the base rules and the parameters. Moreover, the parameters can be categorized into fixed parameters and dynamic parameters.

The PDA PoW system has the base rules analogous to the basic mechanisms such as mining policies, proof of work, timestamps, etc. The parameters are the number of players, computing power, difficulty function, difficulty etc. We formalize the abstract model of PDA PoW system as follows:

Basic rules: Mining policies, proof of work, timestamps.
Parameters (fixed): Difficulty function, number of players*, computing power.
Parameters (dynamic): Difficulty.
TABLE II: Analogy in PDA PoW system.

We define the fixed and dynamic parameters respectively as follows:

Definition 5 (fixed parameters).

The fixed parameters of PDA PoW system, denoted as , is a 4-tuple

, where

  • : number of players.

  • : computing power of each player.

  • : number of history considered in the difficulty function.

  • : the personalized difficulty function.

Definition 6 (dynamic parameters).

The dynamic parameters of PDA PoW system on block , denoted as , is a 2-tuple

where

  • : the difficulty of each player of block .

  • : the winning history in the system.

IV-B Framework

There are three steps in the reduction process:

  1. Reduce states.

  2. Transition matrix.

  3. Stationary distribution.

In the first step, Reduce states, we scan through all possible past configurations and generate reduced states. Next, Transition matrix, we construct the corresponding transition matrix according to the reduced state, the basic parameters of the system, and the decay parameter of the exponential non-ordered model. Finally, Stationary distribution, we use an iterative method to find the stationary distribution of reduced transition matrix and obtain the stationary probability of consecutive winning.

IV-B1 Reduce states

We construct a mapping from the standard state space to the reduced state space based on the intuition in Section IV. Formally, we define the standard state space and reduced state space as follows:

Definition 7 (standard state space).

The standard state space of the PDA PoW system, denoted as , is the -Cartesian product over the player space.

which is the state space for -history.

Definition 8 (reduced state space).

The reduced state space of the PDA PoW system, denoted as , is a subset of defined as follows:

which is the reduced state space for -history.

Note that the first constraint requires that the number of occurrences of a smaller index be no less than the number of occurrences of a larger index. The second constraint requires that if two indices appear the same number of times, the smaller index appears first.

After defining the standard state space and reduced state space, now we are going to construct a mapping between them. And this is trivial since we can directly get the mapping by the definition of reduced state space.

Definition 9 (Reduced mapping).

A reduced mapping from standard state space to reduced state space denoted as . , is defined as follows

Here, we give an example of a PDA PoW system. For general application, one should observe the structure in their system and find a good way to reduce the number of states.

IV-B2 Transition matrix

In this step, we are going to formalize the transition function over the reduced state space, i.e., we apply the reduced mapping on the standard transition function. Suppose the standard transition function defined on standard probability space is . Then we define the reduced transition function as follows:

Definition 10 (reduced transition function).

Suppose is the standard transition function, then the reduced transition function, denoted as , is defined as

IV-B3 Stationary distribution

To define the notion of stationary distribution in reduced state space, we need to specify the notion of the probability distribution over reduced state space. We denote the space of probability distribution of reduced state space as

Note that we can view the stochastic process as another stochastic process of -history:

Moreover, we describe such stochastic process with random variables

where the support of is . As a result, the distribution of can be represented by probability distribution in . That is, .

Finally, we can define the stationary distribution of the stochastic process , … in the sense of -history as follows:

Definition 11 (reduced stationary distribution of -history).

Suppose , we say is a reduced stationary distribution of reduced transition function if

Iv-C Analysis

Table III shows the probability of consecutive winning with different system settings.

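| n \ k | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 2 | 0.5 | 0.19 | 5.56e-2 | 1.18e-2 | 1.80e-3 | 1.97e-4 |
| 3 | 0.34 | 7.30e-2 | 1.04e-2 | 9.41e-4 | 5.39e-5 | 1.94e-6 |
| 4 | 0.25 | 3.83e-2 | 3.52e-3 | 1.93e-4 | 6.25e-6 | 1.20e-7 |
| 5 | 0.20 | 2.35e-2 | 1.59e-3 | 6.14e-5 | 1.35e-6 | 1.70e-8 |
| 6 | 0.17 | 1.59e-2 | 8.46e-4 | 2.52e-5 | 4.17e-7 | 3.84e-9 |
| 7 | 0.14 | 1.45e-2 | 5.03e-4 | 1.21e-5 | 1.60e-7 | 1.14e-9 |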
TABLE III: Probability of consecutive winning.

V Discussion

We have shown that the probability of consecutive winning is drastically decreased after using the personalized difficulty adjustment proof-of-work mechanism (see Table III). The likelihood of double spending decreases as a result. In this section, we first summarize the results and compare them with others’ work. We then discuss the major assumption in this work, address identifiability. Finally, we elaborate on some future work and open questions.

V-A Summary and comparison

In Table IV, we summarize the consecutive winning probability from different mechanisms. The first row is the consecutive winning probability computed from the program in [1] and the following two rows are the results from the PDA for PoW mechanism we have proposed.

| Mechanism \ k | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| Bitcoin PoW | 0.2046 | 0.0510 | 1.312e-2 | 3.455e-3 | 9.137e-4 | 2.428e-4 |
| PDA PoW: 2-exponential | 0.1011 | 0.0054 | 1.560e-4 | 1.214e-5 | 1.953e-8 | 8.447e-11 |
| PDA PoW: 5-exponential | 0.1030 | 0.0024 | 1.218e-5 | 1.412e-8 | 3.660e-12 | 2.135e-16 |
TABLE IV: Summary: Attacker has 10% computing power.

Clearly, the consecutive winning probability of PDA mechanism decreases much faster than that of traditional PoW setting. However, the double spending criteria in two mechanisms are actually not exactly the same. The traditional PoW mechanism allows forking in their blockchain, so the double spending probability in their estimation will be a little higher than that under the address-identifiability assumption.

V-B Address identifiability

In the paper by Satoshi Nakamoto [1], he abandoned address identifiability in favor of complete anonymity. As a consequence, the traditional PoW system such as Bitcoin allows forking to happen in the blockchain and thus requires an analytical model that is different from our high-order Markov chain. In the analysis of our personalized difficulty setting, we adopt the address identifiability assumption so that the double spending probability will be smaller than that in traditional fork-style PoW system.

VI Conclusion

In this paper, we solve the intrinsic overhead problem of proof-of-work-based blockchain by proposing a new PoW mechanism. We first formalize it as a voting system and then generalize it to a personalized difficulty adjustment system. The adjustment mechanism balances the winning distribution in the network because those who have won a lot recently are less likely to become the next verifier. Next, we use a high-order Markov chain to quantitatively model the PDA system. Finally, we show that the consecutive winning rate drastically decreases from 0.02% to 0.00000008% after adopting the exponential non-ordered difficulty function. As a result, PDA successfully decreases the probability of double spending by proposing a modified PoW protocol instead of the traditional approaches via information propagation.

However, the performance of accelerating the transaction confirmation is not fully examined, which is a potential future work. On the other hand, we would like to point out the possible breakdown of a balanced motivation system. Since we increase the difficulty for those who have won recently, they might decide to have a break after winning and thus damage the dynamics of the system. Related problems were studied by Rosenfeld [16] and Kroll et al. [17] under the traditional setting. Another future work is the analysis of the winning distribution under PDA mechanism. It is possible that the winning distribution under PDA may not incentivize some participants, thus the PoW process suffers sabotage. We are actively working on the analysis and its implications.

References

  • [1] Satoshi Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Consulted, vol. 1, no. 2012.
  • [2] Ephraim Feig, “A framework for blockchain-based applications,” arXiv preprint arXiv:1803.00892, 2018.
  • [3] Marta Piekarska Harry Halpin, “Introduction to security and privacy on the blockchain,” in Symposium on Security and Privacy Workshops, 2017 IEEE European Symposium on. IEEE, 2017.
  • [4] Ayelet Sapirshtein, Yonatan Sompolinsky, and Aviv Zohar, “Optimal selfish mining strategies in bitcoin,” in Financial Cryptography and Data Security. 2017, pp. 515–532, Springer.
  • [5] Ghassan Karame, Elli Androulaki, and Srdjan Capkun, “Two bitcoins at the price of one? double-spending attacks on fast payments in bitcoin.,” IACR Cryptology ePrint Archive, vol. 2012.
  • [6] Ghassan O Karame, Elli Androulaki, Marc Roeschlin, Arthur Gervais, and Srdjan Čapkun, “Misbehavior in bitcoin: A study of double-spending and accountability,” ACM Transactions on Information and System Security (TISSEC), vol. 18, no. 1.
  • [7] Tobias Bamert, Christian Decker, Lennart Elsen, Roger Wattenhofer, and Samuel Welten, “Have a snack, pay with bitcoins,” in Peer-to-Peer Computing (P2P), 2013 IEEE Thirteenth International Conference on. IEEE, 2013, pp. 1–5.
  • [8] Chrysoula Stathakopoulou, “A faster bitcoin network,” 2015.
  • [9] Adrian E Raftery, “A model for high-order markov chains,” Journal of the Royal Statistical Society. Series B (Methodological), pp. 528–539, 1985.
  • [10] André Berchtold and Adrian E Raftery, “The mixture transition distribution model for high-order markov chains and non-gaussian time series,” Statistical Science, pp. 328–356, 2002.
  • [11] Waiki Ching, Michael K Ng, and Shuqin Zhang, “On computation with higher-order markov chains,” in Current Trends in High Performance Computing and Its Applications, pp. 15–24. Springer, 2005.
  • [12] Michael K Ng and WK Ching, Markov Chains: Models, Algorithms and Applications, Springer, 2006.
  • [13] Wen Li and Michael K Ng, “On the limiting probability distribution of a transition probability tensor,” Linear and Multilinear Algebra, vol. 62, no. 3.
  • [14] Jen-Hung Tseng, Yen-Chih Liao, Bin Chong, and Shih-Wei Liao, “Governance on the drug supply chain via gcoin blockchain,” International Journal of Environmental Research and Public Health, 2018.
  • [15] Shih-Wei Liao, Boyu Lin, and En-Ran Zhou, “Gcoin: wiki, code and whitepaper,” https://g-coin.org and github.com/OpenNetworking/gcoin-community/wiki/Gcoin-white-paper-English, 2014.
  • [16] Meni Rosenfeld, “Analysis of hashrate-based double spending,” arXiv preprint arXiv:1402.2009, 2014.
  • [17] Joshua A Kroll, Ian C Davey, and Edward W Felten, “The economics of bitcoin mining, or bitcoin in the presence of adversaries,” in Proceedings of WEIS, 2013, vol. 2013.

Appendix A Proof of Theorem 1

Computing power is the rate to calculate a hash value; difficulty here is the upper bound value the participant is required to solve. For participant i, we model the waiting time of solving the hash value for blocks as an exponential random variable with mean . Given and with respect to a block , the waiting time is

is the probability that

Therefore, the probability is proportional to .