On the Danger of Private Blockchains(When PoW can be Harmful to Applications with Termination Constraints)

Vincent Gramoli

1

Roadmap• PoW Private Blockchain

• Dependent Transactions

• Termination in PoW blockchain

• Blockchain anomaly

• Difference with 51%-attack

• Analysis and bank example

2

PoW Private Chain

1

2

3

3

Public chain (permissionless)

Fully private chain (permissioned)

Consortium private chain (permissioned)

https://blog.ethereum.org/2015/08/07/on-public-and-private-blockchains/

PoW Private Chain• Distributed:

• participants may belong to diff. institutions

• conflicting interests

• Asynchronous communication:

• No bound on the delay of messages

• Use of internet for inter-institutions comm.

4

5

PoW Private Chain

Problem: can we have dependent transactions?

6

Problem: Dependent TxBob transfers money to Carole (t2) only if it received money from Alice (t1)

7

Alice Bob CaroleBob

t1 t2

⇒Can we guarantee to Bob that t1 is committed (or that consensus is reached)?

Monte Carlo Consensus [Aspnes, PODC’12]

1

2

3

8

Termination: all non-faulty processes decide on a block at index i

Probabilistic agreement: clients must decide on the same block at index i with probability at least d

Validity: Every chosen block is somebody’s mined block

PoW Termination• In PoW blockchains:

• transactions are included in blocks

• blocks are appended to a chain (starting with a genesis block everyone knows)

• In the Ethereum PoW blockchain v1.3.6+:

• a transaction included in a block b is committed whenever b is the head of a branch of at least 12 blocks

• Other versions, blockchains, applications consider 6, 256…

9

PoW Termination

Let’s define termination in the context of a general PoW blockchain:

• Decided block: Given a blockchain with parameter k, a block at index i is “decided” when the chain depth reaches i+k

• Committed transaction: A transaction is “committed” if it belongs to a decided block

10

PoW Termination

11

genesis block decided block undecided block

0 1 i i+1 i+k-1 i+k

blockchain depth = i+k

Result: no we can’t

12

The Blockchain Anomaly (BA)[Natoli and Gramoli 2016]

• Let t1 be a committed transaction while t2 is not yet invoked

• For any parameter k≥0, there exists an execution where a transaction t2 can be committed before t1

13

14

Ethereum settings:1 Gbps network3 nodes1 client issuing tx2 clients/miners

- 64-core AMD 1 thread

- 12-core Intel 24 threads

geth v1.4.0⇒ In all cases t2ended up being committed before t1

The Blockchain Anomaly (BA) [Natoli and Gramoli 2016]

Impact: Double-Spending

15

An attacker can exploit the Blockchain anomaly by simply:

1. issuing a transaction t1 where he buys goods for coin c

2. building a branch that does not include t1 but include t2 that buys goods with c

3. waiting for t1 to be committed and goods shipped

4. proposing the branch without t1 but with t2

Result: t2 gets reordered before t1 and c is double-spent

BA ≠ 51% Attack

16

Ethereum uses the GHOST protocol [Sompolinsky and Zohar 2015] to decide blocks

BA ≠ 51% Attack

17

Consider a communication graph G=<V,E>

BA ≠ 51% Attack

18

Consider a communication graph G=<V,E>

Let G1 and G2 be two subgraphs of G with the same mining power separated by E3 such that E = E1 ∪ E2 ∪ E3

E3

G2=<V2,E2>

G1=<V1,E1>

BA ≠ 51% Attack

19

Let an attacker delays links E3 during delay 𝜏.

Then the two subgraphs end up with trees of similar weights X1 and X2

E3

G2

G1

BA ≠ 51% Attack

20

The attacker has only to mine |X1-X2|+1 blocks

in a subtree that does not contains t1 ⇒ Blockchain anomaly

E3

G2

G1

Analysis

21

Analysis

22

As there is no other strategy than brute force to solve the crypto-puzzle, each subgraph performs, during delay 𝜏, a series of n independent Bernoulli trials returning:

• 1 with probability p = (1-𝜌)t/(2d) and

• 0 otherwise

The numbers X1 and X2 of blocks have a binomial distribution with mean:

…where is the 𝜌t is the mining power of the attacker.

Analysis

23

We can upper-bound the deviation of the number of blocks mined Xi (i∈{1,2}) from their mean using Chernoff bounds [Motwani and P. Raghavan 1995] by

Let 𝛥=|X1-X2| be the difference of the number of blocks mined in each subgraph

Analysis

24

Observe that the probability that these random variables are within a ±δμc is lower than the probability that their difference 𝛥 is upper-bounded by 2δμc, hence:

and Bernoulli inequality gives us:

Analysis

25

By choosing 𝛿 = 2𝜌/(1-𝜌) we obtain that the expectation of the number of blocks mined by the malicious miner μm is strictly greater than 𝛥 with probability:

With communication delay we obtain:

Example with Banks

26

Consider an Ethereum/GHOST private chain with difficulty 30MH…

Example with Banks

27

Consider an Ethereum/GHOST private chain with difficulty 30MH and a mining power of 20MH/s.

~20MH/s

Example with Banks

28

Consider an Ethereum/GHOST private chain with difficulty 30MH and a mining power of 20MH/s.

Assume the attacker has 12% of the mining power, i.e., 2.4MH/s, so he can mine, in expectation, 96 blocks during 20 minutes…

12%

Example with Banks

29

Consider an Ethereum/GHOST private chain with difficulty 30MH and a mining power of 20MH/s.

Assume the attacker has 12% of the mining power, i.e., 2.4MH/s, so he can mine, in expectation, 96 blocks during 20 minutes and that he can select E3 such that each subgraph has a mining power of 8.8MH/s.

E3

G2

G1

Example with Banks

30

Consider an Ethereum/GHOST private chain with difficulty 30MH and a mining power of 20MH/s.

Assume the attacker has 12% of the mining power, i.e., 2.4MH/s, so he can mine, in expectation, 96 blocks during 20 minutes and that he can select E3 such that each subgraph has a mining power of 8.8MH/s.

Let us select 𝛿=95/(2µc)⋍0.13 for the difference 𝛥 to be lower than 96, which happens with probability

P[𝛥<96] > 52%

Avoiding the anomaly?

31

Smart contracts could help encoding t1⇒t2 dependence

By checking “on-chain” that t1 occurred, before issuing t2…

Conclusion• Blockchain systems provide guarantees not well-

understood

• This may lead to dramatic anomalies (and then double-spending attack)

• Even with an attacker owning less than a quarter of the mining power

• We need a theory of blockchain to precisely specify these dangers

32

References• [Birman et al., TR’10] K. Birman, D. Malkhi, and R. van Renesse.

Virtually synchronous methodology for dynamic service replication, Microsoft Research, Tech. Rep. MSR-TR-2010-151, 2010.

• [Aspnes, PODC’12] Faster randomized consensus with an oblivious adversary, PODC 2012, p.1-8.

• [Sompolinsky and Zohar FC’2015] Y. Sompolinsky and A. Zohar. Secure high-rate transaction processing in bitcoin. 19th International Conference on Financial Cryptography and Data Security, 2015, pp. 507–527.

• [Natoli and Gramoli 2016] The Blockchain Anomaly. arXiv:1605.05438, May 2016.

33

See you in Sydney

34