On the Danger of Private Blockchains (When PoW can be Harmful to Applications with Termination Constraints)
Vincent Gramoli
Roadmap
• PoW Private Blockchain
• Dependent Transactions
• Termination in PoW blockchain
• Blockchain anomaly
• Difference with 51%-attack
• Analysis and bank example
PoW Private Chain
Public chain (permissionless)
Fully private chain (permissioned)
Consortium private chain (permissioned)
https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/
• Distributed:
  • participants may belong to different institutions
  • conflicting interests
• Asynchronous communication:
  • no bound on the delay of messages
  • use of the Internet for inter-institution communication
Problem: can we have dependent transactions?
Problem: Dependent Tx
Bob transfers money to Carole (t2) only if he received money from Alice (t1)
[Figure: Alice → Bob (t1), Bob → Carole (t2)]
⇒ Can we guarantee to Bob that t1 is committed (or that consensus is reached)?
Monte Carlo Consensus [Aspnes, PODC’12]
Termination: all non-faulty processes decide on a block at index i
Probabilistic agreement: clients must decide on the same block at index i with probability at least d
Validity: Every chosen block is somebody’s mined block
PoW Termination
• In PoW blockchains:
  • transactions are included in blocks
  • blocks are appended to a chain (starting with a genesis block everyone knows)
• In the Ethereum PoW blockchain v1.3.6+:
  • a transaction included in a block b is committed whenever b is the head of a branch of at least 12 blocks
• Other versions, blockchains, applications consider 6, 256…
Let’s define termination in the context of a general PoW blockchain:
• Decided block: Given a blockchain with parameter k, a block at index i is “decided” when the chain depth reaches i+k
• Committed transaction: A transaction is “committed” if it belongs to a decided block
[Figure: chain of blocks at indices 0, 1, …, i, i+1, …, i+k-1, i+k; legend: genesis block, decided block, undecided block; blockchain depth = i+k]
Result: no, we can’t
The Blockchain Anomaly (BA) [Natoli and Gramoli 2016]
• Let t1 be a committed transaction while t2 is not yet invoked
• For any parameter k≥0, there exists an execution where a transaction t2 can be committed before t1
Ethereum settings:
• 1 Gbps network
• 3 nodes
• 1 client issuing tx
• 2 clients/miners
  - 64-core AMD, 1 thread
  - 12-core Intel, 24 threads
• geth v1.4.0
⇒ In all cases t2 ended up being committed before t1
Impact: Double-Spending
An attacker can exploit the Blockchain anomaly by simply:
1. issuing a transaction t1 where he buys goods for coin c
2. building a branch that does not include t1 but includes t2, which buys goods with c
3. waiting for t1 to be committed and goods shipped
4. proposing the branch without t1 but with t2
Result: t2 gets reordered before t1 and c is double-spent
BA ≠ 51% Attack
Ethereum uses the GHOST protocol [Sompolinsky and Zohar 2015] to decide blocks
Consider a communication graph G=<V,E>
Let G1=<V1,E1> and G2=<V2,E2> be two subgraphs of G with the same mining power separated by E3 such that E = E1 ∪ E2 ∪ E3
Let an attacker delay the links E3 for a delay 𝜏.
Then the two subgraphs end up with trees of similar weights X1 and X2
The attacker only has to mine |X1-X2|+1 blocks in a subtree that does not contain t1 ⇒ Blockchain anomaly
Analysis
As there is no other strategy than brute force to solve the crypto-puzzle, each subgraph performs, during delay 𝜏, a series of n independent Bernoulli trials returning:
• 1 with probability p = (1-𝜌)t/(2d) and
• 0 otherwise
The numbers X1 and X2 of blocks have a binomial distribution with mean:
…where 𝜌t is the mining power of the attacker.
We can upper-bound the deviation of the number of blocks mined Xi (i∈{1,2}) from their mean using Chernoff bounds [Motwani and P. Raghavan 1995] by
Let 𝛥=|X1-X2| be the difference of the number of blocks mined in each subgraph
Observe that the probability that these random variables are within ±δμc is lower than the probability that their difference 𝛥 is upper-bounded by 2δμc, hence:
and Bernoulli inequality gives us:
By choosing 𝛿 = 2𝜌/(1-𝜌) we obtain that the expectation of the number of blocks mined by the malicious miner μm is strictly greater than 𝛥 with probability:
With communication delay we obtain:
Example with Banks
Consider an Ethereum/GHOST private chain with difficulty 30MH and a mining power of 20MH/s.
Assume the attacker has 12% of the mining power, i.e., 2.4MH/s, so he can mine, in expectation, 96 blocks during 20 minutes and that he can select E3 such that each subgraph has a mining power of 8.8MH/s.
Let us select 𝛿=95/(2µc)⋍0.13 for the difference 𝛥 to be lower than 96, which happens with probability
P[𝛥<96] > 52%
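The bank example's numbers can be reproduced as follows. This is an added example, not code from the slides: it assumes one Bernoulli trial per second (n = 𝜏 in seconds) and, because the slides' bound is not reproduced on this page, the standard two-sided Chernoff bound 2·exp(−𝛿²µ/3); the function and parameter names are hypothetical. It also computes the exact binomial probability under the same model, so an operator can compare the bound with the actual risk.

```python
import math

# Parameters of the bank example: difficulty 30 MH, 20 MH/s total, 12% attacker, 20 minutes.
BANK = dict(d_mh=30, t_mhs=20, rho=0.12, tau_s=1200)

def chernoff_bound(d_mh, t_mhs, rho, tau_s):
    """Lower bound on P[Delta < mu_m] after the links E3 are delayed for tau_s seconds."""
    p = (1 - rho) * t_mhs / (2 * d_mh)      # p = (1-rho)t/(2d), per-second success of one subgraph
    mu_c = p * tau_s                        # binomial mean n*p with n = tau_s trials (assumption)
    mu_m = rho * t_mhs / d_mh * tau_s       # expected number of blocks mined by the attacker
    delta = (mu_m - 1) / (2 * mu_c)         # 2*delta*mu_c = mu_m - 1, i.e. delta = 95/(2*mu_c) here
    tail = 2 * math.exp(-delta ** 2 * mu_c / 3)   # assumed bound on P[|X_i - mu_c| >= delta*mu_c]
    return mu_c, mu_m, delta, 1 - 2 * tail  # Bernoulli inequality: (1 - tail)^2 >= 1 - 2*tail

def exact_probability(d_mh, t_mhs, rho, tau_s):
    """Exact P[|X1 - X2| < mu_m] for two independent Binomial(n, p) subgraphs."""
    n = int(tau_s)
    p = (1 - rho) * t_mhs / (2 * d_mh)      # requires 0 < p < 1
    m = round(rho * t_mhs / d_mh * tau_s)

    def log_pmf(x):                         # log-space avoids overflow in the binomial coefficient
        return (math.lgamma(n + 1) - math.lgamma(x + 1) - math.lgamma(n - x + 1)
                + x * math.log(p) + (n - x) * math.log(1 - p))

    pmf = [math.exp(log_pmf(x)) for x in range(n + 1)]
    cdf = [0.0]
    for v in pmf:
        cdf.append(cdf[-1] + v)             # cdf[j] = P[X < j]
    total = 0.0
    for x1, v in enumerate(pmf):
        lo, hi = max(x1 - m + 1, 0), min(x1 + m - 1, n)   # x2 values with |x1 - x2| < m
        total += v * (cdf[hi + 1] - cdf[lo])
    return total

if __name__ == "__main__":
    print(chernoff_bound(**BANK), exact_probability(**BANK))
```

The Chernoff bound is conservative: for the bank parameters the exact probability under the same model exceeds 0.999, so the 52% figure is a floor on the risk, not an estimate of it.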
Avoiding the anomaly?
Smart contracts could help encode the t1⇒t2 dependence by checking “on-chain” that t1 occurred before issuing t2…
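A toy model of the anomaly and of this on-chain check, as an added example that is not code from the slides or from Ethereum. It assumes a longest-branch fork choice as a simplified stand-in for GHOST, represents a transaction as a hypothetical `(id, requires)` pair, and uses the decided-block definition with k = 12; the scenario is constructed.

```python
K = 12  # commit parameter k; 12 is the Ethereum value quoted in the slides

def execute(chain):
    """Replay a branch in block order; a tx whose on-chain precondition is unmet reverts."""
    done = []
    for block in chain:
        for txid, requires in block:
            if requires is None or requires in done:
                done.append(txid)
    return done

def committed(chain, k=K):
    """Txs executed in decided blocks: index i is decided once depth >= i + k."""
    depth = len(chain) - 1                   # the genesis block has index 0
    return execute(chain[: max(depth - k + 1, 0)])

def fork_choice(a, b):
    """Longest branch wins: a simplified stand-in for GHOST (assumption)."""
    return a if len(a) >= len(b) else b

def scenario(t2):
    """Constructed run: returns (what Bob saw committed, final committed order)."""
    t1 = ("t1", None)
    # Side A of the partition: t1 at index 1, then k more blocks, so t1 is committed.
    side_a = [[], [t1]] + [[] for _ in range(K)]
    seen_by_bob = committed(side_a)          # Bob sees t1 committed and only now issues t2
    # Side B was mined without t1 and is one block longer when the delay ends.
    side_b = [[] for _ in range(len(side_a) + 1)]
    chain = fork_choice(side_a, side_b)
    # t2 is mined on the winning branch; the discarded t1 is re-included after it.
    chain = chain + [[t2], [t1]] + [[] for _ in range(K)]
    return seen_by_bob, committed(chain)

if __name__ == "__main__":
    print(scenario(("t2", None)))   # plain transfer: t2 ends up committed before t1
    print(scenario(("t2", "t1")))   # guarded: t2 checks on-chain that t1 was executed
```

With the guard, the reordered t2 reverts instead of executing ahead of t1, so Bob has to re-issue it once t1 is committed again.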
Conclusion
• Blockchain systems provide guarantees that are not well understood
• This may lead to dramatic anomalies (and then double-spending attacks)
• Even with an attacker owning less than a quarter of the mining power
• We need a theory of blockchain to precisely specify these dangers
References
• [Birman et al., TR’10] K. Birman, D. Malkhi, and R. van Renesse. Virtually synchronous methodology for dynamic service replication, Microsoft Research, Tech. Rep. MSR-TR-2010-151, 2010.
• [Aspnes, PODC’12] Faster randomized consensus with an oblivious adversary, PODC 2012, p.1-8.
• [Sompolinsky and Zohar FC’2015] Y. Sompolinsky and A. Zohar. Secure high-rate transaction processing in bitcoin. 19th International Conference on Financial Cryptography and Data Security, 2015, pp. 507–527.
• [Natoli and Gramoli 2016] The Blockchain Anomaly. arXiv:1605.05438, May 2016.