On the Security and Performance of Proof of Work Blockchains Arthur Gervais ETH Zurich

On the Security and Performance of Proof of Work Blockchains
Arthur Gervais ETH Zurich, Switzerland [email protected]
Ghassan O. Karame NEC Laboratories, Europe [email protected]
Karl Wüst ETH Zurich, Switzerland [email protected]
Vasileios Glykantzis ETH Zurich, Switzerland [email protected]
Hubert Ritzdorf ETH Zurich, Switzerland [email protected]
Srdjan ?Capkun ETH Zurich, Switzerland [email protected]
ABSTRACT Proof of Work (PoW) powered blockchains currently account for more than 90% of the total market capitalization of existing digital currencies. Although the security provisions of Bitcoin have been thoroughlyanalysed,thesecurityguaranteesofvariant(forked)PoW blockchains (which were instantiated with different parameters) have not received much attention in the literature. In this paper, we introduce a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Based on our framework, we devise optimal adversarial strategies for doublespending and sel?sh mining while taking into account real world constraintssuchasnetworkpropagation,differentblocksizes,block generation intervals, information propagation mechanism, and the impact of eclipse attacks. Our framework therefore allows us to captureexistingPoW-baseddeploymentsaswellasPoWblockchain variants that are instantiated with different parameters, and to objectively compare the tradeoffs between their performance and security provisions.
1. INTRODUCTION Since its inception in 2009, Bitcoin’s blockchain has fueled innovation and a number of novel applications, such as smart contracts, have been designed to take advantage of the blockchain. Bitcoin has been forked a number of times in order to ?ne-tune the consensus (i.e., the block generation time and the hash function), and the network parameters (e.g., the size of blocks and the information propagation protocol) and to increase the blockchain’s ef?ciency. For instance, Litecoin and Dogecoin—Bitcoin’s most prominent forks—reducetheblockgenerationtimefrom10to2.5and1minute. Parallel to these efforts, alternative decentralised blockchain-based networks(suchasEthereum)emergedwiththeambitiontooptimize the consensus and network parameters and to ease the deployment of decentralised applications on top of the blockchain. Although a number of consensus protocols (PBFT 5, Proof of Stake 29, Proof of Elapsed Time 20) have been proposed, most existing blockchains leverage the computationally expensive Proof of Work (PoW) consensus mechanism—which currently accounts for more than 90% of the total market capitalization of existing digital currencies. While the security provisions of Bitcoin have been thoroughly analysed 14,21,30,32, the security guarantees of variant PoW blockchains have not received much attention in the literature. Recent studies hint that the performance of PoW based blockchains cannot be enhanced without impacting their security. However, the relationship between performance and security provisionsofPoWblockchainshassofarnotbeenstudiedin much detail.
PoW Blockchain
Optimal adversarial strategyStale block rate Block propagation times Throughput
Consensus ; Network Parameters
Security Provisions
Stale block rate
Security Parameters
Security Model
Figure 1: Components of our quantitative framework.
In this paper, we address this problem and provide a novel quantitative framework to analyse the security and performance implications of various consensus and network parameters of PoW blockchains. Leveraging our framework, we capture the security properties of existing PoW instantiations (e.g., Bitcoin, Ethereum, Litecoin, and Dogecoin) as well as other possible instantiations subject to different consensus and network parameters. Our framework (cf. Figure 1) consists of two key elements: (i) a blockchain instance and (ii) a blockchain security model. A blockchain instance is a PoW blockchain instantiated with a given set of consensus and network parameters, such as network delays, block generation times, block sizes, information propagation mechanisms, etc. For example, Bitcoin, Litecoin, and Ethereum correspond to 3 different blockchain instances. To realistically capture any other blockchain instance, we design a simulator that mimics the blockchain consensus and network layer by implementing advertisement-based information propagation, unsolicited block pushes, the relay network, the sendheader propagation mechanism, among others.1 The main output of the blockchain instance is the (measured or simulated) stale (orphan) block rate, which is fed as inputintooursecuritymodel. Ontheotherhand,oursecuritymodel is based on Markov Decision Processes (MDP) for double-spending and sel?sh mining and allows us to reason about optimal adversarial strategies while taking into account the adversarial mining power, the impact of eclipse attacks, block rewards, and real world network and consensus parameters—effectively captured by the stale block rate. Given the current discussions in the Bitcoin community about a suitablemaximumblocksizethatensuresthescalabilityandgrowth in the system 1, our work provides a way to holistically compare the security and performance of PoW blockchains when subject to different parameters—-including the block size. For instance, 1We will make our simulator open-source at “address omitted due to anonymization requirements”.
we ?nd that increasing the block size from the current Bitcoin transaction load (average 0.5MB) to up to 4 MB, does not signi?cantly affect the sel?sh mining and double-spending resilience of theblockchain—providedthattheblockpropagationmechanismensures a low stale block rate. We summarize our ?ndings as follows. Summaryof?ndings • We show that sel?sh mining is not always a rational strategy. Tocapturerationaladversaries,wethereforequantifythe double-spending resilience of PoW blockchains and objectivelycomparethesecurityofdifferentPoWblockchainswith respect to the required number of transaction con?rmations. By doing so, we provide merchants with the knowledge to decide on the required number of con?rmations for a given transaction value to ensure security against double-spending. • Our results show that, due to the smaller block rewards and the higher stale block rate of Ethereum2 compared to Bitcoin (from 0.41% to 6.8% due to the faster con?rmation time), Ethereum (block interval between 10 and 20 seconds) needs at least 37 con?rmations to match Bitcoin’s security (block interval of 10 minutes on average) with 6 block con?rmations against an adversary with 30% of the total mining power. Similarly, Litecoin would require 28, and Dogecoin 47 block con?rmations respectively to match the security of Bitcoin. • We show that the higher the block reward of a blockchain (in e.g., USD) the more resilient it is against double-spending. • Finally, we analyze the impact of changing the block size and/ortheblockintervalonsel?shmininganddouble-spending. Our results surprisingly show that setting the block size to an average 1 MB, and decreasing the block interval time to 1 minute do not considerably penalize security. Our results therefore suggest that PoW blockchains can attain an effective throughput above 60 transactions per second (tps) (which implies that the current throughput of Bitcoin of 7 tps can be substantially increased) without compromising the security of the system. The remainder of the paper is organized as follows. In Section 2, we overview the basic concepts behind PoW blockchain. In Section 3, we introduce our MDP model to quantitatively analyze the securityofPoWblockchains. InSection4,wepresentoursimulator and evaluate the security and performance of a number of variant PoW-based blockchain instances. In Section 5, we overview related work, and we conclude the paper in Section 6.
2. BACKGROUND In this section, we brie?y recap the operations of the consensus layer and the network layer of existing PoW blockchains. 2.1 ConsensusLayer The proof of work (PoW) consensus mechanism is the widest deployed consensus mechanism in existing blockchains. PoW was introduced by Bitcoin 27 and assumes that each peer votes with his “computing power” by solving proof of work instances and constructing the appropriate blocks. Bitcoin, for example, employs a hash-based PoW which entails ?nding a nonce value, such that when hashed with additional block parameters (e.g., a Merkle hash, the previous block hash), the value of the hash has to be smaller than the current target value. When such a nonce is found, the miner creates the block and forwards it on the network layer (cf. 2We show that, contrary to common beliefs, Ethereum does not applyGHOST’sprincipletoincludethecontributionsof”uncles”in the main chain and therefore currently resembles Bitcoin.
Section 2.2) to its peers. Other peers in the network can verify the PoW by computing the hash of the block and checking whether it satis?es the condition to be smaller than the current target value. Block interval: The block interval de?nes the latency at which contentiswrittentotheblockchain. Thesmallertheblockintervalis, the faster a transaction is con?rmed and the higher is the probability of stale blocks. The block interval adjustment directly relates to the dif?culty change of the underlying PoW mechanism. A lower dif?culty results in a larger number of blocks in the network, while a higher dif?culty results in less blocks within the same timeframe. It is therefore crucial to analyse whether changing the dif?culty affects the adversarial capabilities in attacking the longest chain— which is the main pillar of security of most PoW-based blockchains. This also implies the adjustment of the required number of con?rmations that a merchant should wait in order to safely accept transactions (and avoid double-spending attacks) (cf. Section 3). 2.1.1 PoW security PoW’s security relies on the principle that no entity should gather more than 50% of the processing power because such an entity can effectively control the system by sustaining the longest chain. We nowbrie?youtlineknownattacksonexistingPoW-basedblockchains. First,anadversarycanattempttodouble-spendbyusingthesame coin(s) to issue two (or more) transactions—thus effectively spending more coins than he possesses. Recent studies have shown that accepting transactions without requiring blockchain con?rmations is insecure 21. The more con?rmations a transaction obtains, the less likely this transaction will be reversed in the future. Second, miners might attempt to perform sel?sh mining 14 attacksinordertoincreasetheirrelativeminingshareintheblockchain, by selectively withholding mined blocks and only gradually publishing them 14,31. Recent studies show that, as a result of these attacks, a sel?sh miner equipped with originally 33% mining power can effectively earn 50% of the mining power. Double-spending attacks and sel?sh mining can be alleviated if all nodes in the blockchain system are tightly synchronised. Note that, in addition to network latency, synchronisation delays can be aggravatedduetoeclipseattacks16,17whereanadversarycreates a logical partition in the network, i.e., provides contradicting block and transaction information to different blockchain network nodes. 2.2 NetworkLayer On the network layer, we identify two main parameters that are of particular importance for PoW-based blockchains, namely: the block size, and the information propagation mechanism. 2.2.1 Block size Themaximumblocksizeindirectlyde?nesthemaximumnumber of transactions carried within a block. This size therefore controls the throughput attained by the system. Large blocks incur slower propagation speeds, which in turn increases the stale block rate (and weaken the security of the blockchain as stated earlier). 2.2.2 Information propagation mechanism The block request management system dictates how information is delivered to peers in the network. Eventually, since all peers are expected to receive all blocks, a broadcast protocol is required. The choice of the underlying broadcast protocol clearly impacts the robustness and scalability of the network (cf. Section 4). In what follows, we brie?y describe well-known network layer implementations of existing PoW-based blockchains. Advertisement-based information dissemination: Most PoW blockchains propagate messages with the help of an advertisement
based request management system. If nodeAreceives information aboutanewobject(e.g.,atransactionorablock)fromanothernode, Awill advertise this object to its other connections (e.g. nodeB) by sending them an inv message (the hash and type of the advertised object). Only if nodeBhas not previously received the advertised object, B will request the object from A with a getdata request. NodeAwill subsequently respond with a Bitcoin object, e.g., the contents of a transaction or a block. Send headers: Peers can alternatively issue a sendheaders message in order to directly receive block headers in the future from their peers—skipping the use of inv messages. This reduces the latency and bandwidth overhead of block message propagation and is adopted by Bitcoin since version 0.12. Unsolicitedblockpush: Thismechanismenablesminerstobroadcast their generated blocks without advertisement (i.e., since they mined the block). Note that this push system is recommended3, but not implemented in Bitcoin. Relay networks: Relay networks 6 primarily enhance synchronization of miners that share a common pool of transactions. Transactions are typically only referenced in relayed blocks with a transaction ID (2 bytes per transaction instead of an average of 250 bytes per transaction). As a consequence, the resulting block size is smaller than the regular block (cf. Bitcoin Relay Network 6). HybridPush/AdvertisementSystems: Anumberofsystems,such as Ethereum, combine the use of push and advertisement dissemination. Here, a block is directly pushed to a threshold number of peers (e.g., Ethereum directly pushes blocks to?n peers, where n is the total number of neighbors connected to the peer). Concurrently, the sender advertises the block hash to all of its neighbors. 2.3 Staleblocks Stale blocks refer to blocks that are not included in the longest chain, e.g., due to concurrency, con?icts. Stale blocks are detrimentaltotheblockchain’ssecurityandperformancebecausetheytrigger chain forks—an inconsistent state which slows down the growth of the main chain and results in signi?cant performance and security implications. On the one hand, stale blocks increase the advantage of the adversary in the network (e.g., double-spending). On the other hand, stale blocks result in additional bandwidth overhead and are typically not awarded mining rewards (except in Ethereum). In an experiment that we conducted, we measure the stale block rate in the Bitcoin (block generation time = 10 minutes, average block size = 534.8KB), Litecoin (block generation time = 2.5 minutes,averageblocksize= 6.11KB)andDogecoin(blockgeneration time = 1 minute, average block size = 8KB) network. All three blockchains rely on a PoW-based blockchain (with different generation times) and the same information propagation system (with different block sizes). We crawled the available nodes in Litecoin and Dogecoin 3 in February 2016 and found about 800 and 600 IP addresses respectively. We then measured the block propagation times by registering the times at which we receive the block advertisements from a particular block from all our connections in the respective network 9. We operated one node for Litecoin and Dogecoin, which we connected to 340 and 200 peers, respectively. Once one of these peers advertises block information in form of either (i) a new hash of a block (inv message) or (ii) a block header (headers message), we registered the time this block information appeared. Every subsequent reception of a particular piece of block information then provides information about the propagation of the block. 3https://bitcoin.org/en/developer-reference#data-messages
Bitcoin Litecoin Dogecoin Ethereum Block interval 10 min 2.5 min 1 min 10-20 seconds Public nodes 6000 800 600 4000 11 Mining pools 16 12 12 13 tMBP 8.7 s 8 1.02 s 0.85 s 0.5 – 0.75 s 12 rs 0.41% 0.273% 0.619% 6.8% sB 534.8KB 6.11KB 8KB 1.5KB
Table 1: Comparison of different Bitcoin forks, Ethereum and the impactofparameterchoicesonthenetworkpropagationtimes. Stale block rate (rs) and average block size (sB) were measured over the last10000blocks. tMBP standsformedianblockpropagationtime.
Our results (cf. Table 1) suggest that the stale block rate indeed largely depends on the block interval and the block sizes. For instance,unlikeDogecoinandLitecoin,Bitcoinfeatureslargerblock sizes due to a higher transaction load (of up to 1MB which results inahigherstaleblockrate(0.41%vs. 0.273%)—althoughtheblock interval of Bitcoin is 4 times longer than that of Litecoin. Moreover, the stale block rate differences between Litecoin and Dogecoin are mainly due to the difference in the block interval (2.5 minutes vs. 1 minute), since their average block sizes are comparable (6.11KB and 8KB). Given a con?rmation time reduction of 60%, the stale block rate increased by 127% from Litecoin to Dogecoin. Notice that in Ethereum, uncle blocks correspond to stale blocks that are referenced in the main chain. The uncle block rate in Ethereum is almost 6.8%, compared to a stale block rate of 0.41% in Bitcoin. In Section 3, we study the impact of the stale block rate on the security of PoW blockchains. 3. POWSECURITYMODEL In this section, we introduce our blockchain security model that weleveragetoquantifytheoptimaladversarialstrategiesfordoublespending and sel?sh mining. We then use these strategies as a basis to compare the security provisions of PoW-based blockchains when instantiated with different parameters. 3.1 SecurityModel Our model extends the Markov Decision Process (MDP) of 31 to determine optimal adversarial strategies, and captures: Staleblockrate The stale block rate rs allows us to account for different block sizes, block intervals, network delays, information propagation mechanisms and network con?guration (e.g., number of nodes). Miningpower ? is the fraction of the total mining power of the adversary (the rest is controlled by the honest network). Miningcosts Theadversarialminingcosts cm ? 0,? correspond to the expected mining costs of the adversary (i.e., total mining costs such as hardware, electricity, man-power) and are expressedintermsofblockrewards. Forexample,if cm = ?, the mining costs of the adversary are equivalent to its mining power times the block reward, i.e., the mining costs are coveredexactlybytheearnedblockrevenueinhonestmining. Thenumberofblockcon?rmations k Thiscorrespondstothenumber of blocks that need to con?rm a transaction, such that a merchant accepts the transaction. Propagationability Thepropagationparameter? capturestheconnectivity of the adversary within the network (i.e., captures thefractionofthenetworkthatreceivestheadversary’sblocks in the case when the adversary and the honest miner release their blocks simultaneously in the network