Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben
Erschienen in:
Thunderella: Blockchains with Optimistic Instant Confirmation Kapitel lesen Erstes Kapitel lesen

2018 | OriginalPaper | Buchkapitel

But Why Does It Work? A Rational Protocol Design Treatment of Bitcoin

verfasst von : Christian Badertscher, Juan Garay, Ueli Maurer, Daniel Tschudi, Vassilis Zikas

Erschienen in: Advances in Cryptology – EUROCRYPT 2018

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config
loading …

Abstract

An exciting recent line of work has focused on formally investigating the core cryptographic assumptions underlying the security of Bitcoin. In a nutshell, these works conclude that Bitcoin is secure if and only if the majority of the mining power is honest. Despite their great impact, however, these works do not address an incisive question asked by positivists and Bitcoin critics, which is fuelled by the fact that Bitcoin indeed works in reality: Why should the real-world system adhere to these assumptions?
In this work we employ the machinery from the Rational Protocol Design (RPD) framework by Garay et al. [FOCS 2013] to analyze Bitcoin and address questions such as the above. We show that under the natural class of incentives for the miners’ behavior—i.e., rewarding them for adding blocks to the blockchain but having them pay for mining—we can reserve the honest majority assumption as a fallback, or even, depending on the application, completely replace it by the assumption that the miners aim to maximize their revenue.
Our results underscore the appropriateness of RPD as a “rational cryptography” framework for analyzing Bitcoin. Along the way, we devise significant extensions to the original RPD machinery that broaden its applicability to cryptocurrencies, which may be of independent interest.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

  • über 102.000 Bücher
  • über 537 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Maschinenbau + Werkstoffe
  • Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 390 Zeitschriften

aus folgenden Fachgebieten:

  • Automobil + Motoren
  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Elektrotechnik + Elektronik
  • Energie + Nachhaltigkeit
  • Maschinenbau + Werkstoffe




 

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

  • über 67.000 Bücher
  • über 340 Zeitschriften

aus folgenden Fachgebieten:

  • Bauwesen + Immobilien
  • Business IT + Informatik
  • Finance + Banking
  • Management + Führung
  • Marketing + Vertrieb
  • Versicherung + Risiko




Jetzt Wissensvorsprung sichern!

Jetzt informieren
Vorheriges Kapitel Thunderella: Blockchains with Optimistic Instant Confirmation
Nächstes Kapitel Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain
Fußnoten
1
We refer to forks of the Bitcoin chain itself, not to forks that spin-off a new currency.
 
2
This is often referred to as a Stackelberg game in the game theory literature [26].
 
3
Notice, however, the asymmetry: The designer needs to come up with a protocol based on speculation of what the adversary’s move will be, whereas the attacker plays after being informed about the actual designer’s move, i.e., about the protocol.
 
4
In fact, if we require this for any arbitrary utility function, then the two notions—attack-payoff security and malicious security—coincide.
 
5
In particular, a fork might be provoked by the attacker only if it is expected to increase his revenue.
 
6
It should be noted though that our analysis considers, similarly to [2, 13, 27], a fixed difficulty parameter. The extension to variable difficulty is left as future research.
 
7
For Bitcoin the minimum division is 1 satoshi = \(10^{-8}\) BTC, and there is typically a cap on fees [3].
 
8
Following standard UC convention, the protocol description includes its hybrids.
 
9
This class is finite for every given value of the security parameter, \(\varPi \), and \(\mathcal {A}_{} \).
 
10
In [11], by default \(u_\mathtt{D} =-u_\mathtt{A} \) as the game is zero-sum.
 
11
This fine-grained round model with one hash query was already used by Pass et al. [27]. The extension to a larger, constant upper bound of calculation queries per round as in [13] is straightforward for the results in this work.
 
12
Currently, for the Bitcoin network, this is 1/4 of the original reward (12.5 BTCs).
 
13
In [2], each block of the state includes the identifier of the miner who this block is attributed to.
 
14
Indeed, in the ideal simulation of the Bitcoin protocol presented in [2], there is no RO in the ideal world.
 
15
Recall that as argued in Sect. 2.1, these sets are non-empty provided \(\mathcal {C} _{\mathcal {A}_{}}\ne \emptyset \).
 
16
Recall that RPD sets \(u_\mathtt{A} (\varPi ,\mathcal {A}_{})=\infty \) if \(\mathcal {A}_{}\) cannot be simulated, i.e., if \(\mathcal {C} _{\mathcal {A}_{}}=\emptyset \).
 
17
Observe that since our ideal world is the \(\mathcal {G}_{\textsc {clock}} \)-hybrid synchronous world, the round structure is trivially extracted from the simulated ideal experiment by the protocol definition and the clock value. Furthermore, the adversary’s mining queries can be trivially extracted by its interaction with the black-box simulator.
 
18
Recall that we assume synchronous execution as in [2] where the environment gets to decide how many rounds it wishes to witness.
 
19
Note that although there is no RO in the ideal model of [2], whenever a miner would make such a query in the Bitcoin protocol, the corresponding dummy party sends a special maintain-ledger command to the Ledger functionality, making it possible for us to count the mining queries also in the ideal world.
 
20
By definition, these two properties combined specify when the adversary should be considered the recipient of the reward.
 
21
This can be thought of as a “rushing” strategy with respect to network delays.
 
22
I.e., \(\mathcal {A}_{\texttt {fr}} \) sets the delay of the corresponding transmissions to 0.
 
23
Recall the notation introduced in Sect. 2.2: n denotes the number of parties, \(\rho \) the fraction of corrupted parties, \(\alpha \) and \(\beta \) denote honest and dishonest mining power, respectively, and p is the probability of a fresh RO-query to return a correct PoW solution.
 
24
Recall from [2] that we model restrictions by using functionality wrappers. The above implemented restrictions correspond to the so-called flat model of Bitcoin, where each party gets one query to the random oracle per round and can send and receive one vector of messages in each round.
 
25
Note that this modeling aspect is not sensitive to the basic unit of measurement.
 
26
Note that we assume that only transactions submitted by the environment can yield fees, since the environment models “the application layer”. In particular, if the adversary creates a transaction on his own and includes it in his next mined block, then this should not assign him any payoff.
 
27
Recall that \(\texttt {CR}\) is the conversion of one cryptocurrency unit (e.g., one bitcoin) to one cost unit (e.g., one US dollar).
 
28
For example, the number of total Bitcoins is limited and the block-size is bounded.
 
Literatur
1.
2.
3.
4.
5.
6.
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136–145. IEEE Computer Society Press, October 2001
7.
Carlsten, M., Kalodner, H.A., Weinberg, S.M., Narayanan, A.: On the instability of bitcoin without the block reward. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 154–167. ACM Press, October 2016
8.
Eyal, I.: The miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, pp. 89–103. IEEE Computer Society Press, May 2015
9.
10.
11.
Garay, J.A., Katz, J., Maurer, U., Tackmann, B., Zikas, V.: Rational protocol design: cryptography against incentive-driven adversaries. In: 54th FOCS, pp. 648–657. IEEE Computer Society Press, October 2013
12.
Garay, J.A., Katz, J., Tackmann, B., Zikas, V.: How fair is your protocol? A utility-based approach to protocol optimality. In: Georgiou, C., Spirakis, P.G. (eds.) 34th ACM PODC, pp. 281–290. ACM, July 2015
13.
14.
15.
Gervais, A., Karame, G.O., Wüst, K., Glykantzis, V., Ritzdorf, H., Capkun, S.: On the security and performance of proof of work blockchains. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 3–16. ACM Press, October 2016
16.
Goldreich, O.: Foundations of Cryptography: Volume 1, Basic Tools. Cambridge University Press, Cambridge (2003)MATH
17.
Gradwohl, R., Livne, N., Rosen, A.: Sequential rationality in cryptographic protocols. In: 51st FOCS, pp. 623–632. IEEE Computer Society Press, October 2010
18.
Halpern, J.Y., Pass, R., Seeman, L.: Computational extensive-form games. In: EC (2016)
19.
20.
21.
Kol, G., Naor, M.: Games for exchanging information. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 423–432. ACM Press, May 2008
22.
Luu, L., Teutsch, J., Kulkarni, R., Saxena, P.: Demystifying incentives in the consensus computer. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 706–719. ACM Press, October 2015
23.
24.
Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: S&P (2016)
25.
26.
Osborne, M.J., Rubinstein, A.: A Course in Game Theory. MIT Press, Cambridge (1994)MATH
27.
28.
Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Schiller, E.M., Schwarzmann, A.A. (eds.) 36th ACM PODC, pp. 315–324. ACM, July 2017
29.
Rosenfeld, M.: Analysis of bitcoin pooled mining reward systems. CoRR (2011)
30.
31.
32.
Metadaten
Titel
But Why Does It Work? A Rational Protocol Design Treatment of Bitcoin
verfasst von
Christian Badertscher
Juan Garay
Ueli Maurer
Daniel Tschudi
Vassilis Zikas
Copyright-Jahr
2018
Buch
Advances in Cryptology – EUROCRYPT 2018

Print ISBN: 978-3-319-78374-1

Electronic ISBN: 978-3-319-78375-8

Copyright-Jahr: 2018

DOI
https://doi.org/10.1007/978-3-319-78375-8_2