Rationals vs Byzantines in Consensus-based Blockchains

02/21/2019 ∙ by Yackolley Amoussou-Guenou, et al. ∙ 0

In this paper we analyze from the game theory point of view Byzantine Fault Tolerant blockchains when processes exhibit rational or Byzantine behavior. Our work is the first to model the Byzantine-consensus based blockchains as a committee coordination game. Our first contribution is to offer a game-theoretical methodology to analyse equilibrium interactions between Byzantine and rational committee members in Byzantine Fault Tolerant blockchains. Byzantine processes seek to inflict maximum damage to the system, while rational processes best-respond to maximise their expected net gains. Our second contribution is to derive conditions under which consensus properties are satisfied or not in equilibrium. When the majority threshold is lower than the proportion of Byzantine processes, invalid blocks are accepted in equilibrium. When the majority threshold is large, equilibrium can involve coordination failures , in which no block is ever accepted. However, when the cost of accepting invalid blocks is large, there exists an equilibrium in which blocks are accepted iff they are valid.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Since the publication of Nakamoto’s white paper [bitcoin] proposing the Proof-of-Work protocol, Bitcoin, thousands of blockchains have been created. At the operational level, a blockchain maintains an evolving list of ordered blocks. Each block consists of one or more transactions that have been verified by the system members. POW blockchains, however, consume excessive amounts of energy. This motivated tremendous efforts to propose alternatives protocols.

Byzantine-consensus based blockchains offer an alternative which has the advantage of being economical and offering strong consistency garanties [ADLPT18]. In Byzantine-consensus based blockchains such as HoneyBadger, HotStuff or Tendermint [solidus, Tendermint18, PeerCensus, Bitcoin-NG, BizCoin, honeybadger16, hotstuff18] a subset of deterministically selected processes, executes an instance of PBFT-consensus to decide on the next block to append. These protocols strive to satisfy the following properties: Termination: every non-Byzantine process decides on a value (a block); Agreement: if there is a non-Byzantine process that decides a value , then all the non-byzantine processes decide ; Validity[redbelly17]: a decided value by any non-Byzantine process is valid, it satisfies the predefined predicate.

While Byzantine consensus [LSP82] is one of the best understood and formalized building blocks in distributed computing, blockchains systems revive this line of research in several respects: First, traditional Byzantine consensus has been analyzed only in systems where processes were either correct (verify their specification) or Byzantine (arbitrarily deviate from their specification). Blockchain systems bring on the scene a third type of player: rational players who take actions only if these actions increase their profits. Understanding the performance and limits of Byzantine-consensus based blockchains with rational players is the goal of the current work. Our focus on rational players is in line with analyses of blockchain systems conducted by economists. Economists, however, have not considered Byzantine participants yet. Thus, our work endeavours to combine and unify computer science and economics approaches. Second, traditional Byzantine consensus analyses have not studied the choice and consequences of the way in which participants are rewarded. In this work we address the case of rewarding only the participants to the consensus.

Our contribution.

Our contribution is twofold. First, we offer a methodology to analyse Byzantine consensus based blockchain protocols as a game between rational and Byzantine players. Two key aspects of the game, for rational players, are the cost of blocks verification and the cost of networking. Block verification is crucial since appending non verified blocks may have long term costs (e.g. double spending, collapse of the system etc.). Networking (participating to the agreement protocol by voting in favor of correct blocks) also has tremendous impact on system welfare: If participants don’t vote, this can block the system or lead to agreement on invalid blocks. Second, we derive conditions (on the majority threshold necessary for block acceptance, , and the proportion of Byzantine processes, ) under which rational players reach an equilibrium where the consensus properties are guaranteed. Our findings are as follows. When , invalid blocks are accepted, so that validity is not satisfied. When , while there exists an equilibrium in which validity and termination are satisfied, there also exists an equilibrium in which blocks are never accepted, so that termination is not satisfied. This points to a tension between validity (which requires that the threshold be large enough) and termination (which can be threatened when the threshold is high.)

Related work.

Blockchains can be roughly divided in consensus-less [bitcoin] and Byzantine consensus-based blockchains [BizCoin, PeerCensus, solidus, Bitcoin-NG, Tendermint18]. Byzantine Consensus-based blockchains have the advantage to guarantee strong consistency by running a Byzantine Fault Tolerant protocol [CL99]. In order to use a BFT protocol in an open setting, recent research has been devoted to either find secure mechanisms to select committees of fixed size over time (e.g. [Algorand17],[Ouroboros18]) and/or to propose incentives to promote participation [solidus]. Most of the proposals, however, assume participants as either honest or Byzantine, lacking to thoroughly explore the effect of rational participants. In this line of work, Solidus [solidus] is the first to consider rational processes by proposing an incentive-compatible BFT protocol for blockchains. Solidus introduces interesting incentive mechanisms, however, the paper lacks a game theoretic analysis of them.

While addressing a slightly different protocol, [MJMF18] is the closest work to ours. In this protocol multiple committees run in parallel to validate a non-intersecting set of transactions (a shard). A non-cooperative static game approach for the intra-committee protocol is taken leading to the result that rational agents can free-ride when rewards are equally shared. The main aspect of our analysis that is new and different from [MJMF18] is the following: we have a dynamic (not static) multi-round analysis, of a problem in which some participants are Byzantine and some blocks can be invalid (and costly for rational if accepted). In that context, there is a situation in which in equilibrium rational agents are pivotal, because if they do not check the block validity this will create the risk of having an invalid block accepted. It is because they are pivotal that they do not free ride. Moreover, we discuss equilibria in relation to formal consensus properties – Termination vs Validity –, which represents a novelty.

In the realm of consensus-less blockchains, as Bitcoin, many works used rational arguments to prove thresholds on the fraction of honest nodes needed to guarantee security properties [ES18, SSZ16]. These works establish very pessimistic thresholds while in practice Bitcoin works even if the honest majority assumption does not hold [BGMTZ18]. Following this observation, [BGMTZ18] proposes a rational analysis of Bitcoin based on the rational design protocol framework [GKMTZ13]. The proposed game, with respect to ours, is at an upper level of abstraction, proposing a two-player zero-sum game between the protocol designer and the adversary. Our game models instead the behavior of protocol participants, that can be rational, evolving in an environment with Byzantine processes. Moreover, our work targets consensus-based blockchain unlike [BGMTZ18].

With only rational players, [BBBC19] models Bitcoin as a coordination game. Similar to the work in [BBBC19], our analysis shows that the protocol in consensus-based blockchains is a coordination game. Additionally, we consider Byzantine players, and show that Termination can be violated when coordination failures occur. [Saleh19] uses a game theoretic approach to study consensus-less Proof-of-Stake Blockchains, and shows that the Nothing at Stake problem is mitigated because players with large stakes on the main chain prefer not to add blocks on forking branches, lest it should reduce the strength of the main chain, and thus the value of their stakes. The environment considered in [Saleh19] differs from ours, since the study in [Saleh19] does not consider consensus-based blockchains, nor Byzantine players.

2 Blockchain Consensus with Rational Players

2.1 System Model

We consider a system composed of a finite and ordered set , called committee, of synchronous sequential processes or players, namely where process is said to have index . In the following, we refer to process by it index, say process . Hereafter, the words “player” and “process” are taken to have the same meaning.

Communication.

We assume that each process evolves in rounds. A round consists of one or more phases, and each phase is divided into three sequential steps, in order: the send, the delivery and the compute step. We assume that the send step is atomically executed at the beginning of the phase and the compute step is atomically executed at the end of the phase. The phase has a fixed duration that allows collecting all the messages sent by the processes at the beginning of the phase during the delivery step. At the end of a phase a process exit from the current phase and starts the next one. The processes communicate by sending and receiving messages through a broadcast primitive. Messages are created with a digital signature, and we assume that digital signatures cannot be forged. When a process delivers a message, it knows the process that created the message. We assume that messages cannot be lost.

Processes Behavior.

In this paper we consider a variant of the BAR model [AACDMP05] where processes are either rational or Byzantine. Rational processes are self-interested and seek to maximize their expected utility. They will deviate from a prescribed (suggested) protocol if and only if doing so increases their expected utility. Their objective function must account for their costs (e.g., sending messages) and benefits (e.g., reward of a block) for participating in a system. In line with [AACDMP05], the objective of Byzantine processes is prevent the protocol from achieving its goal, and to reduce the rational processes utility, no matter the cost. We denote by the number of Byzantine processes in the network. We assume symmetric Byzantines, their behaviour is perceived identically by all non Byzantine processes. That is, a message sent by a Byzantine process and received by a non-Byzantine process in a given phase is received by all non-Byzantine processes in the same phase.

2.2 Byzantine Consensus based Blockchain

Consensus-based blockchains should satisfy the following consensus properties:

  • Termination: every non-Byzantine process decides on a value (a block);

  • Agreement: if there is a non-Byzantine process that decides a value , then all the non-byzantine processes decide ;

  • Validity[redbelly17]: a decided value by any non-Byzantine process is valid, it satisfies the predefined predicate.

Let us note that the above properties must hold also for systems prone to rational behavior.

To implement the above specification in Consensus-based blockchains, for each height of the blockchain, a Consensus instance is run inside a committee selected for the given height. In this paper we analyze a very general protocol, inspired by [solidus, Tendermint18, PeerCensus, Bitcoin-NG, BizCoin, honeybadger16, hotstuff18], a variant of PBFT. In this protocol, a proposer proposes a value, i.e. a block, and the other members of the committee will check the validity of the value. If the value is valid, then they will vote for it and will announce their vote through a message to the other members. Votes are collected and if a given threshold is reached, then the value is decided, otherwise a new proposer will propose another block and the procedure restarts.

In this work, we study a protocol (for rational players) which in some equilibria implements the consensus. For the sake of clarity, we first present a prescribed protocol, and then the actions of the rational processes. If a rational player does not deviate from a given prescribed protocol, we can consider it as a correct process.

The prescribed protocol.

The protocol proceeds in rounds. For sake of simplicity we consider the height of the blockchain passed as parameter to the protocol. Algorithm 1 presents the pseudo-code of the protocol.

[1] Current round number

PROPOSE() The proposer of the round generates a block, i.e. the value to be proposed broadcast  delivery from The process collects the proposal If the delivered proposal is valid, then the process sets a vote for it

VOTE() broadcast  If the proposal is valid, the process sends the vote for it to all the validators

delivery The process collects all the votes for the current height and round

exit The valid value is decided if the threshold is reached

Algorithm 1 Prescribed Protocol for a given height at any process

For each round a committee member is designated as the proposer for the round in a round robin fashion. The isProposer() function returns true only if the process is the proposer for the current round (line 7). The function, by taking as parameter the current height, only returns true if the proposer is part of the current committee, deterministically selected on the basis on the information contained in the blockchain up to (the actual selection mechanism is out of the scope of the paper). Each round is further divided in two phases: the PROPOSE and the VOTE phase.

During the PROPOSE phase, the proposer of the round uses the function createValidValue to generate a block. Because a valid block must include the identifier of the block in the blockchain, the height is passed as parameter (line 8). Once the block is created, a message broadcasting the proposal is sent (line 9). At line 10 the proposal is received through a delivery function. Each process checks if the proposal is a valid value (line 13). If so, the process sets its vote to the value (line 14).

During the VOTE phase, any process that set its vote to the current valid proposal sends a message (of type vote) to the other members of the committee (line 18). During the delivery step, sent messages are collected by any process. During the compute step each process verifies if a quorum of votes for the current proposal has been reached. Let us note that , the majority threshold is a parameter here, because it is the object of our study to establish the quorum in presence of rational and Byzantine processes. If the quorum is reached, if the process voted for the value and did not already decided for the current height, then it decides for the current proposal (line 23) and the protocol ends. If the quorum is not reached, then a new round starts (line 26).

Let us note that the protocol in an environment assuming only correct (altruistic) and symmetric Byzantine processes trivially implements consensus if , the number of Byzantine processes, is such that . If , on the other hand, the Termination property is not guaranteed. The scenario for that is that Byzantine validators might vote for a different value with respect to the one voted by correct processes or a nil value. In that case the correct process will not decide (line 22) and will move in the next round. The scenario can repeat forever.

Does not check the validity (line 21)

No Validity Information (line 6)

Not Send (line 24)

Send (lines 24 – 30)

Checks the validity (lines 21–23)

Not Valid

Not Send (line 24)

Send (lines 24 – 30)

Valid

Not Send (line 24)

Send (lines 24 – 30)
Figure 1: Decision tree of process

In the following we detail the pseudo-code for a rational processes shown in Algorithm 2. The rational process will try to maximize its payoff by choosing to undertake or not the actions defined in its action space. We consider the choice of : (i) proposing or not a valid block, (ii) checking or not the validity of a block and (iii) sending or not the vote for a proposed block. The decision tree for the process is shown in Figure 1.

Let us consider now rational processes. The rational process will try to maximize its payoff by choosing to undertake or not some actions, defined in Section 2.3. Intuitively, we consider the choice of : (i) proposing or not a valid block, (ii) checking or not the validity of a block and (iii) sending or not the vote for a proposed block. We consider that the actions of checking the validity of the block and the action of sending the message (of type vote) have a cost.

Protocol of the rational processes.

Rational processes choices are explicitly represented in the pseudo-code (Algorithm 2) by dedicated variables, namely, , , and , defined at lines . Each action, initialized to , can take values from the set . Those values are set by calling the functions , , and , respectively, returning the strategy for the process .

Strategy determines if the proposer chooses to produce a valid proposal or an invalid one (lines 12-16). In both cases the proposal is sent in broadcast (line 17).

Strategy determines if the receiving process chooses to check the validity of the proposal or not, which is a costly action. If the process chooses to check the validity (line 22), it will also update the knowledge it has about the validity of the proposal and it will pay a cost . If otherwise, the process keeps not knowing if the proposal is valid or not ( remains set to ). Note that this value remains set to even if the process is the proposer. This is because we assumed, without loss of generality, that checking validity has a cost and that the only way of checking validity is by executing the function.

[1] Current round number

PROPOSE() sets the action of proposing a valid block or an invalid one broadcast  delivery from sets the action of checking or not the validity of the proposal The execution of has a cost sets the action of sending the vote or not The process decides to send the vote, the proposal might be invalid

VOTE() broadcast  The execution of the broadcast has a cost

delivery The process collects all the votes for the current height and round

exit

Algorithm 2 Pseudo-code for a given height modelling the rational process ’s behavior

Note that, as defined in Section 2.3, strategy depends on the knowledge the process has about the validity of the proposal. The strategy determines if the process chooses to send its vote for the proposal or not (line 24-30). If the processes chooses to send a message for the proposal it will pay a cost .

Let us note that the rational player that did not check the validity of the block could decide an invalid value if more than other processes have done the same and the proposed block is invalid.

We now define the game that represent the protocol.

2.3 Byzantine-Rational Game

Recall that out of the players, are Byzantine, while are rational. Each player privately observes its own type, , which can be Byzantine () or rational ().111If player’s type was observable (i.e., if Byzantine processes were detectable in advance) there would be a trivial solution to preclude them from harming the system: forbidding their participation.

Action space.

As proposer, the player decides whether to propose a valid block or to propose an invalid block.

Then, at each round , each player first decides whether to check the block’s validity or not (at cost ), and second decides whether to send a message (at cost ) or not.

Information sets.

At the beginning of each round , the information set of the player, , includes the observation of the round number , the player’s own type , as well as the observation of what happened in previous rounds, namely (i) when the player decided to check validity, the knowledge of whether the block was valid or not, (ii) how many messages were sent, and (iii) whether a block was accepted or not. At round 1, only includes the player’s private information about its own type, .

Then, in each round , the player decides whether to check the validity of the current block. At this point, denoting by the block proposed at round , when the player does not decide to check validity is the null information set, while if the player decides to check, is equal to 1 if the block is valid and 0 otherwise. So, at this stage the player’s information set becomes

which is augmented with the validity information player has about , the proposed block.

Strategies.

At each round , the strategy of player is a mapping from its information set into its actions. If the agent is selected to propose the block, its choice is given by . Then, at the point at which the agent can decide to check block’s validity, its strategy is given by . Finally, after making that decision, the player must decide whether to send a message or not, and that decision is given by .

Reward and cost from adding blocks.

In this paper we study the case in which, when a block is accepted, only the processes which sent a message are rewarded (and receive ). In addition, we assume that when an invalid block is accepted, all rational players incur cost .

In this work we make the following assumption. The reward, , to the players when a block is accepted is larger than the cost of checking validity, , which in turn is larger than cost of sending, , a message. But the reward obtained when a block is accepted is smaller than the cost of accepting an invalid block, . That is, .

Objective of rational players.

Let be the endogenous round at which the game stops. If a block is accepted at round , then . Otherwise, if no block is accepted, . In the latter case, the termination property is not satisfied.

At the beginning of the first round, the expected gain of rational player is:

where denotes the indicator function, taking the value 1 if its argument is true, and 0 if it is false.

Then, at the beginning of round , if , the continuation payoff of the rational player with information set is

Objective of Byzantine players.

In the current paper we assume the following: Byzantine processes 1) as proposers, propose invalid blocks, and 2) when receiving a proposed block, check the blocks’ validity and send a message if and only if the block is invalid.

We conjecture, the above strategies will turn out to be the optimal strategies of the Byzantine players, minimizing in equilibrium.

Equilibrium concept.

Since we consider a dynamic game, with asymmetric information, the relevant equilibrium concept is Perfect Bayesian Equilibrium [FT91], intuitively defined as follows:

A Perfect Bayesian equilibrium is such that all players 1) choose actions maximizing their objective function, 2) rationally anticipate the strategies of the others, and 3) draw rational inferences from what they observe, using their expectations about the strategies of the others and Bayes law, whenever it applies.

A Perfect Bayesian Equilibrium (PBE) is a Nash equilibrium [Nash51]

, so players best-respond to one another. It imposes additional restrictions, to take into account the fact that the game is dynamic and that players can have private information, and therefore must draw rational inferences, from their observation of actions and outcomes. Rationality of inferences in PBE implies that (i) each player has rational expectations about the strategies of the others, and (ii) each player’s beliefs are consistent with Bayes law, when computing probabilities conditional on events that have strictly positive probability on the equilibrium path. Perfection in PBE implies that, at each node starting a subgame the players’ strategies form a Nash equilibrium of that subgame. In this context, to show that a strategy is optimal it is sufficient to show that it dominates any one-shot deviation

[Blackwell65].

Problem Definition

In this work, we explore the behavior of rational players that could not validate the block – because checking validity has a cost – and conditions (the majority threshold and proportion of Byzantine processes) under which rational players reach an equilibrium where consensus properties (defined in Section 2.2) are guaranteed. To do so, in Section 3, we study the equilibria that arise under different conditions.

3 Equilibria for Rational Players

3.1 Equilibrium when

When the number of Byzantine players is larger than the majority rule, i.e., , the validity property is not satisfied, since, when the first proposer is Byzantine, it proposes an invalid block, and that block is accepted, as all Byzantine players send messages in its favor. Against that backdrop, we characterize the strategies of the rational players and state the equilibrium outcome when .

If and , there exists a Perfect Bayesian equilibrium in which the strategy of a rational player at any round is the following:

  • As proposer, a rational player proposes a valid block.

  • When receiving a proposed block, the rational players do not check the block validity but send a message.

The first condition () implies that, when all rational players but one send a message, they meet the majority threshold , so the block is accepted. The second condition () implies that, when all Byzantine processes send a message, the block is accepted. Under these conditions, each rational player understands it is not pivotal: If the block is invalid, Byzantine players will send messages, so that the block will be accepted irrespective of the rational player’s own action. Moreover, if the block is valid, Byzantine players will not send messages, but all the other rational players will, so that the block will be accepted irrespective of the rational player’s action.

Thus rational players understand that they are not pivotal, and that whatever they do, given the equilibrium behavior of the other rational agents and of the Byzantine processes; all blocks will be accepted. Consequently, they have no interest in checking the validity of the block. The only relevant comparison for them is between their expected gain when they send a message

and their expected gain when they do not send a message . Since, by assumption, , rational players find it optimal to send a message. Finally note that, in the equilibrium of Proposition 3.1, a block is decided at round 1, so the termination property is satisfied, but, when the proposer is Byzantine, an invalid block is accepted, so the validity property is not satisfied.

Proof If a rational player is selected to be the proposer, he prefers to propose a valid block than to propose an invalid block. Indeed, if he proposes an invalid block, that block will be accepted (since the Byzantine players, on checking it and discovering it is invalid, will send a message). In that case the gain of the proposer is . If instead the rational player proposes a valid block, this block will be accepted and his gain will be . Now, turn to the actions of rational players who are not proposers. The equilibrium gain of these players is

If instead of playing the equilibrium strategy, a rational player does not send a message, its expected gain is , which by assumption () is lower than the equilibrium expected gain.

Another deviation is to check the block’s validity and send a message only if the block is valid, which brings expected gain equal to

This is lower than the equilibrium expected gain if

which holds since it is equivalent to

The other possible deviations are trivially dominated: Checking the block’s validity and sending a message only when the block is invalid, yields expected gain

which is lower than the equilibrium expected gain. Checking the block’s validity and sending a message only when the block is valid yields expected gain

again lower than the equilibrium expected gain. Checks the validity of the block and always sending a message yields

which is again dominated, as is also checking and not sending, which yields .

3.2 Equilibria when

When  and , there exists a Nash equilibrium in which rational players never check blocks’ validity nor send messages, so that no block is ever accepted.

Condition , in Proposition 3.2 implies that Byzantine players cannot reach the majority threshold on their own. This precludes accepting invalid blocks. So the validity property is satisfied. Unfortunately, the condition also implies there exists an equilibrium in which the termination property also fails to hold. The intuition is the following:

In Proposition 3.2, each rational player anticipates that no other player will send a message when the block is valid.222Byzantine players send messages but only when the block is invalid. In this context, each rational player knows that, if it were to send a message in favor of a valid block, it would be the only one to do so. Because the majority threshold is strictly larger than 1, the block would not be accepted. Therefore sending a message is a dominated action for the rational player. Thus, the equilibrium in Proposition 3.2 reflects that rational players’ actions are strategic complements and they must coordinate on sending messages in order to have valid blocks accepted. Proposition 3.2 shows that, in equilibrium, there can be a coordination failure, such that no block is ever accepted.333If , then, with , there exists a unique equilibrium, in which all processes check validity and send a message iff the block is valid. In that equilibrium validity and termination are satisfied. But this obtains only if there are no Byzantine processes. As soon as , if , Proposition 3.1 applies and validity is not satisfied.

Proof Consider a rational player who anticipates that other rational players will not send any message at any round. If it follow the equilibrium strategy and does not send an message, its gain is 0. This must be compared to the gain of the player if he deviates:

  • If it sends a message without checking its expected gain is

  • If it checks the block’s validity and sends a message only when the block is valid, its expected gain is

  • If it checks the block’s validity and sends a message only when the block is invalid, its expected gain is

  • If it checks the validity of the block and always sends a message, its expected gain is

  • If it checks and does not send a message, its gain is .

Clearly, the player is better off following the equilibrium strategy.

Note that the conditions of Proposition 3.2 imply that , i.e, there is a strict majority of rational players. Yet, the proposition shows that such majority is not enough to ensure both termination and validity.

While there exists an equilibrium in which termination does not obtain, this does not necessarily imply there is no equilibrium with termination and validity. To have termination and validity, it must be that, in equilibrium, sufficiently many rational players find it in their own interest to check the validity of the block and to send messages in support of valid blocks. The problem is that some players might be tempted to free-ride, and let the others bear the cost of checking. To avoid this situation, it must be that (at least some) rational players anticipate they are pivotal, i.e., if they fail to check block validity and send messages in support of valid blocks, this may derail the process at their own expense.

To make this point, we look for an equilibrium in which some rational players check the validity of the block and send a message if and only the block is valid, and this results in valid blocks being immediately accepted and invalid blocks being rejected. Before proving that such an equilibrium exists, we characterise the expected continuation payoff to which it would give rise.

Consider a candidate equilibrium in which some rational players check the validity of the block and send a message if and only the block is valid, while the other rational players send messages without checking validity, and this results in valid blocks being immediately accepted and invalid blocks being rejected. In such an equilibrium, if it exists, the expected continuation payoff, at round , of the rational players who are to check block validity is

while the expected continuation payoff, at round , of the rational players who are not to check block validity is

where ,   and both  and  satisfy property defined below.

A function  satisfies property , if .

In the candidate equilibrium, participants will reach a point at which the block is valid and all rational players send a message so that the block accepted. This gives rise to a payoff , the first part of . The second part of , , is the expected cost of checking block validity, where is the expected number of times the player expects to check validity before a block is accepted. Similarly, in , , is the expected cost of sending messages, where is the expected number of times the player expects to send messages before a block is accepted.

Proof We prove this Lemma in 2 parts:

  1. Proof of the first part of the proposition, concerning the rational players who are expected to check validity:

    At round , players know that all previous proposers were Byzantine and that there are now potential proposers, out of which only one is Byzantine and are rational. The expected gains of the rational players who are supposed to check are

    where the first term is the cost of checking validity, the second term corresponds to the case in which the current proposer is rational and proposes a valid block that is immediately accepted, and the third term corresponds to the case in which the proposer is Byzantine, the block is rejected, and we move to the next round, at which a valid block is finally accepted (without needing any further validity check). This equilibrium payoff simplifies to

    reflecting that eventually a valid block will be accepted, and that from round on the player will need to check validity only once. This equilibrium payoff implies that

    Now turn to round . If round is reached, the previous proposers were Byzantine. There remains potential proposers. Out of them a fraction

    is Byzantine, while the complementary fraction

    is rational. This fraction being the probability that the next proposer is rational.

    To prove the property stated in the Proposition by backward induction, we now prove that if this property is satisfied at round , that is if

    then it is satisfied at round .

    Suppose the rational player follows the equilibrium strategy of checking and sending iff the block is valid. Its expected gain from round on is

    where the first term is the cost of checking the block at round , the second term is the probability that the block is valid and accepted multiplied by the payoff in that case, and the third term is the probability that the block is invalid and rejected multiplied by the payoff in that case. Substituting the value of , using that the property is verified at round , the expected gain writes as

    That is

    which, using the definition of , is .

  2. Proof of the second part of the proposition, concerning the rational players who are just expected to send messages:

    Again, we prove that if the property is satisfied at round , i.e., , then it is satisfied at round . Suppose the rational player follows the equilibrium strategy of not checking blocks’ validity and always sending a message. Its expected gain from round on is

    where the first term is the cost of sending a message at round , the second term is the probability that the block is valid and accepted multiplied by the payoff in that case, and the third term is the probability that the block is invalid and rejected multiplied by the payoff in that case. Substituting the value of , the expected gain writes as

    That is

    which, using the definition of , is .

Relying on Lemma 3.2, we now establish that our candidate equilibrium is indeed an equilibrium. To do so denote the highest index of all Byzantine players by .

When  and , if the cost of accepting an invalid block is large enough, in the sense that

where

and

and if the reward is large enough relative to the costs in the sense that

there exists a Perfect Bayesian Nash equilibrium in which the strategy of rational players is the following:

  • As proposer, a rational player proposes a valid block.

  • At any round , when receiving a proposed block, (i) the rational players with index   check the block validity and send a message only if the block is valid, while (ii) the rational players with index  do not check the validity of the block but send a message.

  • If round  is reached, rational players send a message without checking if the block is valid. At this point the block is valid and accepted.

Hence, in equilibrium, termination occurs no later than at round .

On the equilibrium path, invalid blocks (proposed by Byzantine players) are rejected, while valid blocks (proposed by rational players) are accepted. This implies that, if round is reached, the players know that during all the previous () rounds the proposers were Byzantine (to draw this inference, the rational players use their anticipation that all participants play equilibrium strategies; hence the Perfect Bayesian nature of the equilibrium). Consequently, at round , the proposer must be rational, and all players anticipate the proposed block is valid. So, no rational player needs to check the validity of the block but all send a message, which brings them expected gain equal to . This is larger than their gain from deviating (e.g., by not sending a message or by checking the block.)

At previous rounds , players know that all previous proposers were Byzantine and that there remains Byzantine players with index strictly larger than (as above, this rational inference is a feature of the Perfect Bayesian equilibrium we characterize). Do the equilibrium strategies of the rational players preclude acceptance of an invalid block by Byzantine processes? To examine this point, consider the maximum possible number of messages that can be sent if the proposer is Byzantine. In equilibrium the players with indexes strictly larger than are to send a message without checking it. The worse case scenario (maximizing the number of messages sent when the block is invalid) is that none of these players are Byzantine. In that case, in equilibrium, the number of messages sent when the block is invalid is , so that we narrowly escape validation of the invalid block. In contrast, if one of the rational players deviated from equilibrium and sent a message without checking the block, in the worse case scenario, this would lead to accepting an invalid block. Thus, in that sense, the rational players with index strictly lower than are pivotal. Hence they check block validity, because, under the condition stated in the proposition, the cost of accepting an invalid block is so large that rational players do not want to run that risk.

Proof For clarity, we decompose the proof in 5 steps.

  1. The first step is to note that rational proposers strictly prefer to propose a valid block than an invalid one. This is because, when they follow their equilibrium strategy of proposing a valid block, it is accepted and the proposer gets while if they propose an invalid block, it is rejected, and we move to the next round, a which, in equilibrium, the player gets at most (and possibly less). Indeed, this player incurs the cost of checking validity at the next round, because the rational players who are not expected to check validity have indexes above , which are above , so that they do not get to propose blocks.

  2. The next step concerns the actions of the rational players when round is reached. At that round, all players know the proposer must be rational and the proposed block valid. In equilibrium no rational checks validity but all send a message. Any other action would be dominated.

  3. The third step concerns the most relevant deviation, in which a rational player expected to check block validity fails to do so. If at round a rational player supposed to check, deviates and sends a message without checking block validity, its expected continuation payoff is

    The first term is the payoff obtained by the deviating rational player if the current block is valid, and therefore immediately accepted. The second term is the payoff obtained by the deviating player when he was pivotal and triggered acceptance of an invalid block. To see this, consider the number of messages when the block is invalid, the rational player is deviating and the indexes of all the Byzantine players are strictly lower than : messages are sent by the Byzantine processes, 1 message is sent by the deviating rational agent, messages are sent by the rational players with index above than or equal to . The resulting total number of messages is and the block is accepted. The last term corresponds to the case in which the deviating rational player is not pivotal, and the invalid block is not accepted, so that we move to the next round.

    Substituting the value of from Lemma 3.2, the expected continuation value of the deviating player is

    Or

    The equilibrium condition is that this deviation payoff must be lower than the equilibrium continuation payoff of the player

    That is

    Note that

    since by the definition of this inequality is equivalent to

    which indeed holds. Thus we can write the equilibrium condition as

    as stated in the proposition.

  4. Other possible deviations for rational player supposed to check block’s validity are easier to rule out:

    First, the player could do nothing (neither check nor send). Relative to the equilibrium payoff, this deviation economises the cost of checking (). If the current proposer is Byzantine, the player then obtains the same payoff after a one shot deviation as on the equilibrium path (). If the current proposer is rational, the block gets accepted, but the player does not earn any reward. So the deviation is dominated if

    which holds under the condition, stated in the proposition, that .

    Second, the player could check the block validity, and then send a message irrespective of whether the block is valid or not. This would generate a lower payoff than the main deviation, shown above (in 3.) to be dominated.

    Third, the player could check validity but then send no message. When the current proposer is Byzantine, this one-shot deviation yields the same payoff as the equilibrium strategy. When the current proposer is rational, this deviation yields a payoff of , which is lower than the equilibrium payoff .

    Fourth, the player could check the block’s validity and send a message only if the block is invalid, which is trivially dominated.

  5. Finally turn to deviations of rational players supposed to send messages without checking blocks’ validity.

    First, consider the possibility to abstain from sending a message. This economises the costs , but, in case the block is valid and accepted, this implies the agent loses the reward . So, the deviation is dominated if

    which holds under the condition, stated in the proposition, that .

    Second, consider the possibility of checking validity and sending a message only for valid blocks. This deviation would imply the agent would have to incur the cost of checking (), but it would economise the cost of sending a message when the block is invalid. So the deviation is dominated if

    which holds because of our assumption that .

    Other deviations, such as checking validity but never sending messages, or checking validity and always sending messages, or checking validity and sending only if the block is invalid, are trivially dominated.

4 Conclusion and Future Work

In this paper we model PBFT-consensus based blockchains as a coordination game between rational and Byzantine processes. We derive the conditions (on the majority threshold and the proportion of Byzantine processes) under which consensus properties are guaranteed in equilibrium or not. In future work, we will extend the analysis to more general Byzantine strategies and rational agents preferences, costs and rewards.

References