Advances in Cryptology – CRYPTO 2021
41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16–20, 2021, Proceedings, Part III

Editors
Tal Malkin
Columbia University
New York City, NY, USA
Chris Peikert
University of Michigan
Ann Arbor, MI, USA

ISSN 0302-9743  ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-030-84251-2  ISBN 978-3-030-84252-9 (eBook)
https://doi.org/10.1007/978-3-030-84252-9
LNCS Sublibrary: SL4 – Security and Cryptology

© International Association for Cryptologic Research 2021
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.
Preface

The 41st International Cryptology Conference (Crypto 2021), sponsored by the International Association for Cryptologic Research (IACR), was held during August 16–20, 2021. Due to the ongoing COVID-19 pandemic, and for the second consecutive year, Crypto was held as an online-only virtual conference, instead of at its usual venue of the University of California, Santa Barbara. In addition, six affiliated workshop events took place during the days immediately prior to the conference.

The Crypto conference continues its substantial growth pattern: this year's offering received a record-high 430 submissions for consideration, of which 103 (also a record) were accepted to appear in the program. The two program chairs were not allowed to submit a paper, and Program Committee (PC) members were limited to two submissions each. Review and extensive discussion occurred from late February through mid-May, in a double-blind, two-stage process that included an author rebuttal phase (following the initial reviews) and extensive discussion by reviewers. We thank the 58-person PC and the 390 external reviewers for their efforts to ensure that, during the continuing COVID-19 pandemic and unusual work and life circumstances, we nevertheless were able to perform a high-quality review process.

The PC selected four papers to receive recognition via awards, along with invitations to the Journal of Cryptology, via a voting-based process that took into account conflicts of interest (the program chairs did not vote).

– The Best Paper Award went to "On the Possibility of Basing Cryptography on EXP ≠ BPP" by Yanyi Liu and Rafael Pass.
– The Best Paper by Early Career Researchers Award, along with an Honorable Mention for Best Paper, went to "Linear Cryptanalysis of FF3-1 and FEA" by Tim Beyne.
– Honorable Mentions for Best Paper also went to "Efficient Key Recovery for all HFE Signature Variants" by Chengdong Tao, Albrecht Petzoldt, and Jintai Ding; and "Three Halves Make a Whole? Beating the Half-Gates Lower Bound for Garbled Circuits" by Mike Rosulek and Lawrence Roy.

In addition to the regular program, Crypto 2021 included two invited talks, by Vanessa Teague on "Which e-voting problems do we need to solve?" and Jens Groth on "A world of SNARKs." The conference also carried forward the long-standing tradition of having a rump session, organized in a virtual format.

The chairs would also like to thank the many other people whose hard work helped ensure that Crypto 2021 was a success:

– Vladimir Kolesnikov (Georgia Institute of Technology), Crypto 2021 general chair.
– Daniele Micciancio (University of California, San Diego), Thomas Ristenpart (Cornell Tech), Yevgeniy Dodis (New York University), and Thomas Shrimpton (University of Florida), Crypto 2021 Advisory Committee.
– Carmit Hazay (Bar-Ilan University), Crypto 2021 workshop chair.
– Bertram Poettering and Antigoni Polychroniadou, Crypto 2021 rump session chairs.
– Kevin McCurley, for his critical assistance in setting up and managing the HotCRP paper submission and review system, conference website, and other technology.
– Kevin McCurley, Kay McKelly, and members of the IACR's emergency pandemic team for their work in designing and running the virtual format.
– Anna Kramer and her colleagues at Springer.

July 2021
Tal Malkin
Chris Peikert
Organization

General Chair
Vladimir Kolesnikov, Georgia Institute of Technology, USA

Program Committee Chairs
Tal Malkin, Columbia University, USA
Chris Peikert, University of Michigan and Algorand, Inc., USA

Program Committee
Abhi Shelat, Northeastern University, USA
Andrej Bogdanov, Chinese University of Hong Kong, Hong Kong
Antigoni Polychroniadou, JPMorgan AI Research, USA
Brice Minaud, Inria and École Normale Supérieure, France
Chaya Ganesh, Indian Institute of Science, India
Chris Peikert, University of Michigan and Algorand, Inc., USA
Claudio Orlandi, Aarhus University, Denmark
Daniele Venturi, Sapienza University of Rome, Italy
David Cash, University of Chicago, USA
David Wu, University of Virginia, USA
Dennis Hofheinz, ETH Zurich, Switzerland
Divesh Aggarwal, National University of Singapore, Singapore
Dominique Unruh, University of Tartu, Estonia
Elena Andreeva, Technical University of Vienna, Austria
Elena Kirshanova, Immanuel Kant Baltic Federal University, Russia
Fabrice Benhamouda, Algorand Foundation, USA
Fang Song, Portland State University, USA
Frederik Vercauteren, KU Leuven, Belgium
Ghada Almashaqbeh, University of Connecticut, USA
Itai Dinur, Ben-Gurion University, Israel
Jean-Pierre Tillich, Inria, France
Jeremiah Blocki, Purdue University, USA
John Schanck, University of Waterloo, Canada
Jonathan Bootle, IBM Research, Switzerland
Joseph Jaeger, University of Washington, USA
Junqing Gong, East China Normal University, China
Lisa Kohl, CWI Amsterdam, The Netherlands
Manoj Prabhakaran, IIT Bombay, India
Marcel Keller, CSIRO's Data61, Australia
Mariana Raykova, Google, USA
Mike Rosulek, Oregon State University, USA
Mor Weiss, Bar-Ilan University, Israel
Muthuramakrishnan Venkitasubramaniam, University of Rochester, USA
Ni Trieu, Arizona State University, USA
Nir Bitansky, Tel Aviv University, Israel
Nuttapong Attrapadung, AIST, Japan
Omer Paneth, Tel Aviv University, Israel
Paul Grubbs, NYU, Cornell Tech and University of Michigan, USA
Peihan Miao, University of Illinois at Chicago, USA
Peter Schwabe, Max Planck Institute for Security and Privacy, Germany, and Radboud University, The Netherlands
Ran Canetti, BU, USA, and Tel Aviv University, Israel
Romain Gay, IBM Research, Switzerland
Ron Steinfeld, Monash University, Australia
Rosario Gennaro, City University of New York, USA
Ryo Nishimaki, NTT Secure Platform Laboratories, Japan
Sandro Coretti, IOHK, Switzerland
Sikhar Patranabis, Visa Research, USA
Sina Shiehian, UC Berkeley and Stony Brook University, USA
Siyao Guo, NYU Shanghai, China
Stanislaw Jarecki, University of California, Irvine, USA
Tal Malkin, Columbia University, USA
Tarik Moataz, Aroki Systems, USA
Thomas Peters, UCLouvain, Belgium
Thomas Peyrin, Nanyang Technological University, Singapore
Tianren Liu, University of Washington, USA
Viet Tung Hoang, Florida State University, USA
Xavier Bonnetain, University of Waterloo, Canada
Yu Yu, Shanghai Jiao Tong University, China
Additional Reviewers
Aaram Yun
Aarushi Goel
Aayush Jain
Abhishek Jain
Adrien Benamira
Agnes Kiss
Aishwarya Thiruvengadam
Ajith Suresh
Akin Ünal
Akinori Kawachi
Akira Takahashi
Akshay Degwekar
Akshayaram Srinivasan
Akshima
Alain Passelègue
Alex Bienstock
Alex Lombardi
Alexander Golovnev
Alexander Hoover
Alexander May
Alexandre Wallet
Alexandru Cojocaru
Alice Pellet-Mary
Alin Tomescu
Amin Sakzad
Amit Singh Bhati
Amitabh Trehan
Amos Beimel
Anat Paskin-Cherniavsky
Anca Nitulescu
André Chailloux
Andre Esser
André Schrottenloher
Andrea Coladangelo
Andreas Hülsing
Antonin Leroux
Antonio Florez-Gutierrez
Archita Agarwal
Ariel Hamlin
Arka Rai Choudhuri
Arnab Roy
Ashrujit Ghoshal
Ashutosh Kumar
Ashwin Jha
Atsushi Takayasu
Aurore Guillevic
Avijit Dutta
Avishay Yanay
Baiyu Li
Balazs Udvarhelyi
Balthazar Bauer
Bart Mennink
Ben Smith
Benjamin Diamond
Benjamin Fuller
Benny Applebaum
Benoît Cogliati
Benoit Libert
Bertram Poettering
Binyi Chen
Bo-Yin Yang
Bogdan Ursu
Bruno Freitas dos Santos
Bryan Parno
Byeonghak Lee
Carl Bootland
Carles Padro
Carmit Hazay
Carsten Baum
Cecilia Boschini
Chan Nam Ngo
Charles Momin
Charlotte Bonte
Chen Qian
Chen-Da Liu-Zhang
Chenkai Weng
Chethan Kamath
Chris Brzuska
Christian Badertscher
Christian Janson
Christian Majenz
Christian Matt
Christina Boura
Christof Paar
Christoph Egger
Cody Freitag
Dahmun Goudarzi
Dakshita Khurana
Damian Vizar
Damiano Abram
Damien Stehlé
Damien Vergnaud
Daniel Escudero
Daniel Jost
Daniel Masny
Daniel Tschudi
Daniel Wichs
Dario Catalano
Dario Fiore
David Gerault
David Heath
Debbie Leung
Dean Doron
Debapriya Basu Roy
Dima Kogan
Dimitrios Papadopoulos
Divya Gupta
Divya Ravi
Dominique Schröder
Eduardo Soria-Vazquez
Eldon Chung
Emmanuela Orsini
Eran Lambooij
Eran Omri
Eshan Chattopadhyay
Estuardo Alpirez Bock
Evgenios Kornaropoulos
Eysa Lee
Fabio Banfi
Felix Engelmann
Felix Günther
Ferdinand Sibleyras
Fermi Ma
Fernando Virdia
Francesco Berti
François-Xavier Standaert
Fuyuki Kitagawa
Gaëtan Cassiers
Gaëtan Leurent
Gayathri Annapurna Garimella
Geoffroy Couteau
Georg Fuchsbauer
Ghous Amjad
Gildas Avoine
Giorgos Panagiotakos
Giorgos Zirdelis
Giulio Malavolta
Guy Rothblum
Hamidreza Khoshakhlagh
Hamza Abusalah
Hanjun Li
Hannah Davis
Haoyang Wang
Hart Montgomery
Henry Corrigan-Gibbs
Hila Dahari
Huijia Lin
Ian McQuoid
Ignacio Cascudo
Igors Stepanovs
Ilan Komargodski
Ilia Iliashenko
Ingrid Verbauwhede
Itamar Levi
Ittai Abraham
Ivan Damgård
Jack Doerner
Jacob Schuldt
James Bartusek
Jan Czajkowski
Jan-Pieter D'Anvers
Jaspal Singh
Jean Paul Degabriele
Jesper Buus Nielsen
Jesús-Javier Chi-Domínguez
Ji Luo
Jian Guo
Jiaxin Pan
Jiayu Xu
Joanne Adams-Woodage
João Ribeiro
Joël Alwen
Julia Hesse
Julia Len
Julian Loss
Junichi Tomida
Justin Holmgren
Justin Thaler
Kai-Min Chung
Katerina Sotiraki
Katharina Boudgoust
Kathrin Hövelmanns
Katsuyuki Takashima
Kazuhiko Minematsu
Keita Xagawa
Kevin Yeo
Kewen Wu
Khoa Nguyen
Koji Nuida
Kristina Hostáková
Laasya Bangalore
Lars Knudsen
Lawrence Roy
Lejla Batina
Lennart Braun
Léo Colisson
Leo de Castro
Léo Ducas
Léo Perrin
Lin Lyu
Ling Song
Luca De Feo
Luca Nizzardo
Lucjan Hanzlik
Luisa Siniscalchi
Łukasz Chmielewski
Maciej Obremski
Madalina Bolboceanu
Mahimna Kelkar
Maria Eichlseder
María Naya-Plasencia
Marilyn George
Marios Georgiou
Mark Abspoel
Mark Simkin
Mark Zhandry
Markulf Kohlweiss
Marshall Ball
Marta Mularczyk
Martin Albrecht
Martin Hirt
Mary Wooters
Masayuki Abe
Matteo Campanelli
Matthias Fitzi
Mia Filic
Michael Reichle
Michael Rosenberg
Michael Walter
Michele Orru
Miguel Ambrona
Mingyuan Wang
Miran Kim
Miruna Rosca
Miyako Ohkubo
Mohammad Hajiabadi
Mohammad Hossein Faghihi Sereshgi
Monosij Maitra
Morgan Shirley
Mridul Nandi
Muhammed F. Esgin
Mustafa Khairallah
Naomi Ephraim
Nathan Manohar
Naty Peter
Navid Alamati
Ngoc Khanh Nguyen
Nicholas Spooner
Nicholas-Philip Brandt
Nico Döttling
Nicolas Resch
Nicolas Sendrier
Nikolaos Makriyannis
Nikolas Melissaris
Nils Fleischhacker
Nina Bindel
Nirvan Tyagi
Niv Gilboa
Noah Stephens-Davidowitz
Olivier Blazy
Olivier Bronchain
Omri Shmueli
Orfeas Stefanos Thyfronitis Litos
Orr Dunkelman
Oxana Poburinnaya
Patrick Derbez
Patrick Longa
Patrick Towa
Paul Rösler
Paul Zimmermann
Peter Gazi
Peter Rindal
Philippe Langevin
Pierre Briaud
Pierre Meyer
Pierrick Gaudry
Pierrick Méaux
Po-Chu Hsu
Prabhanjan Ananth
Prashant Vasudevan
Pratik Sarkar
Pratik Soni
Pratyay Mukherjee
Pratyush Mishra
Qian Li
Qiang Tang
Qipeng Liu
Quan Quan Tan
Rachit Garg
Radu Titiu
Rajeev Raghunath
Rajendra Kumar
Ran Cohen
Raymond K. Zhao
Riad Wahby
Rishab Goyal
Rishabh Bhadauria
Rishiraj Bhattacharyya
Ritam Bhaumik
Robi Pedersen
Rohit Chatterjee
Rolando La Placa
Roman Langrehr
Rongmao Chen
Rupeng Yang
Ruth Ng
Saba Eskandarian
Sabine Oechsner
Sahar Mazloom
Saikrishna Badrinarayanan
Sam Kim
Samir Hodzic
Sanjam Garg
Sayandeep Saha
Schuyler Rosefield
Semyon Novoselov
Serge Fehr
Shai Halevi
Shashank Agrawal
Sherman S. M. Chow
Shi Bai
Shifeng Sun
Shivam Bhasin
Shota Yamada
Shuai Han
Shuichi Katsumata
Siang Meng Sim
Somitra Sanadhya
Sonia Belaïd
Sophia Yakoubov
Srinivas Vivek
Srinivasan Raghuraman
Sruthi Sekar
Stefano Tessaro
Steve Lu
Steven Galbraith
Stjepan Picek
Sumegha Garg
Susumu Kiyoshima
Sven Maier
Takahiro Matsuda
Takashi Yamakawa
Tal Moran
Tamer Mour
Thom Wiggers
Thomas Agrikola
Thomas Attema
Thomas Debris-Alazard
Thomas Decru
Tiancheng Xie
Tim Beyne
Titouan Tanguy
Tommaso Gagliardoni
Varun Maram
Vassilis Zikas
Venkata Koppula
Vincent Zucca
Virginie Lallemand
Ward Beullens
Wei Dai
Willy Quach
Wouter Castryck
Xiao Liang
Xiao Wang
Xiong Fan
Yael Kalai
Yan Bo Ti
Yann Rotella
Yannick Seurin
Yaobin Shen
Yashvanth Kondi
Yfke Dulek
Yiannis Tselekounis
Yifan Song
Yilei Chen
Yixin Shen
Yongsoo Song
Yu Long Chen
Yu Sa
Yue Guo
Yuncong Hu
Yupeng Zhang
Yuriy Polyakov
Yuval Ishai
Zahra Jafargholi
Zeyong Li
Zhengfeng Ji
Zichen Gui
Zuoxia Yu
Zvika Brakerski
Contents – Part III

Models

A Rational Protocol Treatment of 51% Attacks (p. 3)
Christian Badertscher, Yun Lu, and Vassilis Zikas

MoSS: Modular Security Specifications Framework (p. 33)
Amir Herzberg, Hemi Leibowitz, Ewa Syta, and Sara Wrótniak

Tight State-Restoration Soundness in the Algebraic Group Model (p. 64)
Ashrujit Ghoshal and Stefano Tessaro

Separating Adaptive Streaming from Oblivious Streaming Using the Bounded Storage Model (p. 94)
Haim Kaplan, Yishay Mansour, Kobbi Nissim, and Uri Stemmer

Applied Cryptography and Side Channels

Provable Security Analysis of FIDO2 (p. 125)
Manuel Barbosa, Alexandra Boldyreva, Shan Chen, and Bogdan Warinschi

SSE and SSD: Page-Efficient Searchable Symmetric Encryption (p. 157)
Angèle Bossuat, Raphael Bost, Pierre-Alain Fouque, Brice Minaud, and Michael Reichle

Towards Tight Random Probing Security (p. 185)
Gaëtan Cassiers, Sebastian Faust, Maximilian Orlt, and François-Xavier Standaert

Secure Wire Shuffling in the Probing Model (p. 215)
Jean-Sébastien Coron and Lorenzo Spignoli

Cryptanalysis

Differential-Linear Cryptanalysis from an Algebraic Perspective (p. 247)
Meicheng Liu, Xiaojuan Lu, and Dongdai Lin

Meet-in-the-Middle Attacks Revisited: Key-Recovery, Collision, and Preimage Attacks (p. 278)
Xiaoyang Dong, Jialiang Hua, Siwei Sun, Zheng Li, Xiaoyun Wang, and Lei Hu

Revisiting the Security of DbHtS MACs: Beyond-Birthday-Bound in the Multi-user Setting (p. 309)
Yaobin Shen, Lei Wang, Dawu Gu, and Jian Weng

Thinking Outside the Superbox (p. 337)
Nicolas Bordes, Joan Daemen, Daniël Kuijsters, and Gilles Van Assche

Cryptanalysis of Full LowMC and LowMC-M with Algebraic Techniques (p. 368)
Fukang Liu, Takanori Isobe, and Willi Meier

The Cost to Break SIKE: A Comparative Hardware-Based Analysis with AES and SHA-3 (p. 402)
Patrick Longa, Wen Wang, and Jakub Szefer

Improved Torsion-Point Attacks on SIDH Variants (p. 432)
Victoria de Quehen, Péter Kutas, Chris Leonardi, Chloe Martindale, Lorenz Panny, Christophe Petit, and Katherine E. Stange

Codes and Extractors

Smoothing Out Binary Linear Codes and Worst-Case Sub-exponential Hardness for LPN (p. 473)
Yu Yu and Jiang Zhang

Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes (p. 502)
Geoffroy Couteau, Peter Rindal, and Srinivasan Raghuraman

Non-malleable Codes for Bounded Parallel-Time Tampering (p. 535)
Dana Dachman-Soled, Ilan Komargodski, and Rafael Pass

Improved Computational Extractors and Their Applications (p. 566)
Dakshita Khurana and Akshayaram Srinivasan

Adaptive Extractors and Their Application to Leakage Resilient Secret Sharing (p. 595)
Nishanth Chandran, Bhavana Kanukurthi, Sai Lakshmi Bhavana Obbattu, and Sruthi Sekar

Secret Sharing

Upslices, Downslices, and Secret-Sharing with Complexity of $1.5^n$ (p. 627)
Benny Applebaum and Oded Nir

Asymptotically-Good Arithmetic Secret Sharing over $\mathbb{Z}/p^{\ell}\mathbb{Z}$ with Strong Multiplication and Its Applications to Efficient MPC (p. 656)
Ronald Cramer, Matthieu Rambaud, and Chaoping Xing

Large Message Homomorphic Secret Sharing from DCR and Applications (p. 687)
Lawrence Roy and Jaspal Singh

Traceable Secret Sharing and Applications (p. 718)
Vipul Goyal, Yifan Song, and Akshayaram Srinivasan

Quadratic Secret Sharing and Conditional Disclosure of Secrets (p. 748)
Amos Beimel, Hussien Othman, and Naty Peter

Constructing Locally Leakage-Resilient Linear Secret-Sharing Schemes (p. 779)
Hemanta K. Maji, Anat Paskin-Cherniavsky, Tom Suad, and Mingyuan Wang

Author Index (p. 809)
Models

A Rational Protocol Treatment of 51% Attacks

Christian Badertscher (1), Yun Lu (2), and Vassilis Zikas (3)

(1) IOHK, Zurich, Switzerland, christian.badertscher@iohk.io
(2) University of Edinburgh, Edinburgh, UK, Y.Lu-59@sms.ed.ac.uk
(3) Purdue University, West Lafayette, USA, vzikas@cs.purdue.edu

Abstract. Game-theoretic analyses of cryptocurrencies and, more generally, blockchain-based decentralized ledgers offer insight on their economic robustness and behavior when even their underpinning cryptographic assumptions fail. In this work we utilize the recently proposed blockchain adaptation of the rational protocol design (RPD) framework [EUROCRYPT'18] to analyze 51% double-spending attacks against Nakamoto-style proof-of-work based cryptocurrencies. We first observe a property of the originally proposed utility class that yields an unnatural conclusion against such attacks, and show how to devise a utility that avoids this pitfall and makes predictions that match the observable behavior, i.e., that renders attacking a dominant strategy in settings where an attack was indeed observed in reality. We then propose a generic remedy to the underlying protocol parameters that provably deters adversaries controlling a majority of the system's resources from attacks on blockchain consistency, including the 51% double-spending attack. This can be used as guidance to patch systems that have suffered such attacks, e.g., Ethereum Classic and Bitcoin Cash, and serves as a demonstration of the power of game-theoretic analyses.

1 Introduction

The classical cryptographic analysis of blockchain ledgers establishes worst-case guarantees on their security either by proving central security properties [GKL15, PSs17], such as consistency/common-prefix (the stable parts of the chains held by honest parties are prefixes of one another) and liveness (new blocks with recent transactions keep being added), or by proving that the protocol realizes an ideal ledger functionality [BMTZ17]. Typically such analyses rely on an assumed limitation on the adversary's influence/presence in the system. In particular, the majority of an underlying resource, e.g., hashing power for proof-of-work (PoW)-based protocols such as Bitcoin [Nak08] and Ethereum [But13] (before version 2.0), or stake in proof-of-stake (PoS)-based protocols such as Algorand, Ouroboros, and Snow White [KRDO17, BGK+18, CM19, DPS19], is owned/contributed by parties who honestly run the protocol.

We refer to our full version [BLZ21] for the complete formal proofs and definitions.

© International Association for Cryptologic Research 2021
T. Malkin and C. Peikert (Eds.): CRYPTO 2021, LNCS 12827, pp. 3–32, 2021. https://doi.org/10.1007/978-3-030-84252-9_1
Although such an analysis is instrumental for understanding the properties and limitations of the analyzed ledgers and gaining confidence in their security, it does not take into account a fundamental property of such systems, namely that the ledger's state is often associated with some monetary value and therefore the protocol's security might rely on how profitable an attack might be. Thus, in addition to the classical cryptographic analysis of such systems, it is useful to analyze their so-called economic robustness, namely their level of protection or susceptibility to attacks by an incentive-driven (also called rational) attacker. Such an analysis can fortify the security of these systems by proving a fallback rational assumption (e.g., assuming an incentives model of the attacker, security is maintained even when certain cryptographic assumptions fail), or indicate that the proven security is fragile by pointing out natural incentives that lead to violating the security assumptions. Additionally, it can offer a higher-resolution picture of the system's guarantees (e.g., its tendency to decentralize [BKKS20]) and/or more realistic estimates of the parameters associated with its security properties (e.g., the relation between the density of honest blocks, that is, the chain-quality parameter [GKL15], and the properties of the communication network [ES14, NKMS16]). Perhaps even more interesting, it can offer insight on the system's behavior when the main (cryptographic) assumption fails, e.g., when the attacker controls a 51% fraction of the underlying resource of the blockchain protocol.

Motivated by the recent (repeated) 51% double-spending attacks that have drained millions of dollars from popular blockchain-based cryptocurrencies, we devise a game-theoretic analysis of such attacks for Nakamoto-style systems, e.g., Bitcoin, Bitcoin Cash/Gold, Ethereum (Classic), etc. We use the adaptation of the rational protocol design (RPD) framework by Garay et al. [GKM+13] to blockchains, which was recently proposed by Badertscher et al. [BGM+18], to analyze the utility of an attacker against these systems as a function of their basic parameters.

A central question for the practical relevance of any game-theoretic analysis is to what extent the model and assumed utilities capture the incentives of real-world attacks. Indeed, if the utilities are disconnected from reality, they can lead to counter-intuitive statements. We demonstrate an instance of such an artifact in [BGM+18] and propose a different class of utilities which is both natural and avoids this artifact. We validate our utility against a range of security parameters matching those of Ethereum Classic, a PoW-based system that fell victim to 51% double-spending attacks. We observe that when the payoff for double-spending is high, attacking is indeed a dominating strategy. That is, the predictions of our utility choice match reality. We then use our framework to devise a generic tuning of one of the core parameters of such blockchains, namely the number cutOff of most recent blocks that need to be dropped to achieve the so-called common-prefix property with parameter cutOff (cf. [BMTZ17, BGM+18, GKL15]), to deter any attacks on consistency by a rational attacker with our utility. Stated differently, we show how an incentive model can serve, possibly in addition to cryptographic assumptions, to find a robust protocol parameterization. This thereby demonstrates how our model and analysis can be used to improve the economic robustness of such blockchains, and offers a guide to how to "patch" such protocols to avoid future occurrences.
1.1 Related Literature

A number of works have focused on a rational analysis of decentralized ledgers and cryptocurrencies (e.g., [Ros11, CKWN16, ES14, Eya15, SBBR16, SSZ16, LTKS15, TJS16, NKMS16, PS17, GKW+16] to mention some). Typically, these works abstract away the computational aspects of cryptographic tools (signatures, hash functions, etc.) and provide a game which captures certain aspects of the execution that are relevant for the rational analysis. In contrast, RPD uses a cryptographic simulation-based framework to incorporate these computational considerations into the analyzed game, ensuring that predictions about attacker behavior hold for the actual protocol and not only for an idealized version (unless the idealization is obtained via a cryptographic composition argument such as UC). Incorporating such computational considerations within a rational treatment is highly non-trivial (see [GKM+13, CCWrao20] for a discussion). We discuss the RPD framework in more detail in the following section.

The term 51% (double-spending) attack is defined in [Inv] as an attack where the adversary gains any majority (not necessarily just 51%) of mining power and reverses transactions in order to double-spend its coins, often by creating a deep fork in the chain. The site CoinDesk keeps track of news of 51% attacks [Coia], of which there are quite many: most recently, Verge suffered an attack with 200 days' worth of transactions erased in February 2021. Also recently, Ethereum Classic suffered three 51% attacks in the same month of August 2020, prompting a solution called MESS to mitigate such attacks, which still may not provide robust security [Coib]. Other recent victims of such attacks include well-known coins such as Bitcoin Gold (January 2020) and Bitcoin Cash (May 2019). A major avenue of 51% double-spending attacks is the use of rented hash power [For]. The site https://www.crypto51.app/ gives rough estimates on the vulnerability of different coins, based on whether 51% of hashing power can be rented via a service called NiceHash. In some cases, e.g., Bitcoin Gold, it is estimated to only cost a few hundred dollars to have 51% of hashing power for 1 h.

Previous works have considered the ability of blockchain protocols to recover from 51% attacks. In [AKWW19], conditioned on honest majority being satisfied in expectation, Bitcoin was proven to be resilient against a (temporary) dishonest majority. In [BGK+20], no such condition is assumed and the authors give concrete recovery bounds as a function of the actual power of the adversary (captured as a budget to go over majority hashing power). We use the latter work for our analysis of the blockchain's security against incentive-driven attackers.

The profitability of 51% double-spending attacks has also been analyzed in previous works. The work of [Bud18] explores these attacks through an economics perspective, leaving the cost of the attack as a parameter that is computed via simulations. The work of [JL20] computes the probability of attack by modeling attacks as a random walk of two independent Poisson counting processes (PCPs). In comparison, our rational analyses are done in the Rational Protocol Design (RPD) framework, where a fork is formally defined as a command in a UC ledger functionality. Another technique proposed is the Markov Decision Process (MDP) model, which is used by both [GKW+16] and [HSY+21]. In this model, the adversary takes a series of actions relevant to double-spending: adopting or overriding the honest party's chain, waiting, or stopping. Solving the MDP allows these works to reason about the optimal double-spending adversary. While we do not analyze an optimal double-spending adversary, our model is more general. We do not restrict the actions of the adversary, which allows us to analyze conditions under which the protocol is secure against attacks on consistency by any incentive-driven adversary. Moreover, since standard MDP solvers cannot solve infinite-state MDPs, the MDP is restricted to only consider situations where the chain length is less than some length $c$ [GKW+16].
1.2 Our Results

We start by devising a utility in RPD which naturally captures the incentives of an attacker to provoke a double-spending attack. To this end, we observe that the utility considered in [BGM+18] does not capture such an incentive. Intuitively, the reason is that the utility in [BGM+18] essentially only considers incentives related to the consensus layer of the protocol. This means that an attacker is rewarded when successfully mining a block, but is not rewarded depending on the block contents, i.e., what kinds of transactions are in the block. Their extension of the utility function to include transaction fees does not apply to double-spending attacks. In this case, the (only) reason to attack the blockchain stems from the existence of a super-polynomial transaction fee, and assuming a moderate range of fees, no incentive to attack is present. We discuss why super-polynomial quantities are generally problematic in Sect. 4. It follows from [BGM+18] that the attacker with these utility functions (and assuming moderate transaction fees) has no incentive to fork over mining honestly. Yet, looking at real-life double-spending attacks, this is clearly not the case. To capture double-spending, we introduce a special payoff that the attacker receives when successfully creating a deep-enough fork (i.e., orphaning a sufficiently long valid chain). Intuitively, this payoff corresponds to the utility that the attacker receives when it double-spends by replacing the orphaned chain with its own.

Perhaps counter-intuitively, when analyzing Bitcoin (1) with this extended utility function, the attacker is still indifferent between forking and honest mining. We demonstrate this artifact and pinpoint the reason for it: intuitively, the utility function from [BGM+18] (with or without the extra payoff for forking) rewards the attacker by the same amount in all rounds in which it creates (mines) a block. This means that given any adversary that provokes a fork, there is always an honest-mining adversary who achieves more utility without forking by simply accumulating block rewards over a longer period of time. We distill the source of this issue in a property which we call unbounded incentives, and demonstrate that any utility which satisfies this property will make any deviation from passive mining a weakly dominated strategy.

(1) Our analysis uses Bitcoin as a representative example of Nakamoto-style blockchain ledgers, but similarly any blockchain protocol which realizes the ledger from [BMTZ17, BGK+18] could be analyzed.

We then devise a revision of this utility class which allows us to avoid the above counter-intuitive artifact. This utility, which satisfies a property we term limited horizons (a strong negation of unbounded incentives), has the property that the (actual) rewards of an adversary mining a block diminish with time. This is a natural way to avoid reasoning about extremely "long-lived" adversaries, i.e., adversaries that take decisions based on payoffs too far in the future, and captures features which are well known in utility theory [Ber54]: intuitively, earning $10 today is more attractive than $1 million in 100 years, an example of the "St. Petersburg Paradox". We next turn to analyzing the profitability of 51% double-spending attacks, by showing how our revised utility can actually capture them. We provide a range of payoffs for double-spending which would incentivize an attack. Then we visualize our result using concrete parameters estimated from those of Ethereum Classic, for which performing the attack is indeed a dominant strategy. This demonstrates that the above result can explain, in a game-theoretic framework, how recent victims of 51% attacks are vulnerable.

Finally, we discuss whether and how the blockchain protocol can be tuned so that such 51% double-spending attacks are deterred. In fact, we provide a much stronger tuning, which deters attacks on consistency by any incentive-driven adversary. The tuning depends on the costs (e.g., electricity or the cost to rent hashing power), positive payoffs (e.g., block rewards and the payoff for causing a fork, from double-spending or otherwise), and protocol parameters (e.g., the difficulty of creating a block). Intuitively, for any combination of these parameters, we show how the window size of the underlying blockchain protocol can be adjusted so that it is not rational for the attacker to perform this attack. At the core of this result is a lemma that relates the incentive model to an attack pattern, which, coupled with the self-healing properties of Nakamoto-style PoW, leads to the desired estimate of a safe parameter. We view this as a demonstration that game theory can aid us in fortifying blockchains even when assumptions made by the cryptographic analyses fail.
2 Preliminaries

2.1 The Bitcoin Backbone Protocol

The abstraction of the Bitcoin protocol that is used in the cryptographic literature is known as the Bitcoin backbone protocol [GKL15, PSs17, BMTZ17], which we denote by $\Pi_B$. In this abstraction, Bitcoin is modeled as a round-based protocol, where a number of participants (the miners) are connected via a multicast network with bounded delay $\Delta$ (unknown to the protocol). In every round, each party adopts the longest chain $C = B_0 \,\|\, \dots \,\|\, B_k$ of blocks $B_i$ (connected by hash pointers) it has received so far, where $B_0$ is the unique genesis block of the system. Each party tries to extend this longest chain by an additional block via running the PoW lottery: an extension of chain $C$ by a new block $B_{k+1}$ can only be valid if its hash $H(B_{k+1})$ belongs to a dedicated small portion of the output domain of the function (typically, the hash must have many leading zeros). In such analyses, the hash function is modeled using a random-oracle functionality $\mathcal{F}_{RO}$ that returns uniform values upon each query. Therefore, when extending the chain, each party makes a certain number of mining queries per round (that is, RO queries with candidate blocks $B_{k+1}$ containing a random nonce to obtain the hash), and we call a mining query successful if the output is below the threshold. In the setting with fixed PoW difficulty, we can assign a success probability $p$ to each such mining query. Finally, if a miner is successful, it will send the new chain over the multicast network to all other miners.
CryptographicSecurity.
Themainsecurityguarantee2 provenfortheBitcoin protocoliseventual consistency:everyblockthatisdeepenoughcanbeconsideredimmutableandonlythemostrecent, cutOff numberofblocksmight betransient.This cutOff-consistency(wherethecutoffparameterisoftenleft implicitifclearfromcontext)guaranteestatesthatatanypointintime,the prefixof C consistingof |C|− cutOff blocksiscommontoallhonestminers:
Definition1(Consistency). Let C1 C2 denotetheprefix-ofrelation,then theconsistencyguarantee(withparameter cutOff)statesthatatanytwopoints intime a ≤ b inanexecution,whereparty P atround a holdschain C1 andparty P atround b holdschain C2 ,wehavethat C1 |cutOff C2 ,wherethenotation C|k denotestheprefixof C obtainedbyremovingthemostrecent k blocks(andif k exceedsthelengthof C ,itisdefinedtocorrespondtothegenesisblock).
In the cryptographic setting (without incentives), such a guarantee only holds if we restrict the adversary to have a minority of mining power. That is, given $n_a^{(r)}$ and $n_h^{(r)}$ denoting the numbers of adversarial and honest mining queries in round $r$, respectively, the protocol $\Pi_{\mathcal{B}}$ is secure if in any round $r$ the inequality $n_a^{(r)} < \theta_{\mathrm{pow}} \cdot n_h^{(r)}$ holds, with $\theta_{\mathrm{pow}} := (1-p)^{(2\Delta+1)T_{\mathrm{ub}}}$ being the well-established security threshold for Bitcoin (often stated in its linear approximation $1 - 2(\Delta+1)\,p\,T_{\mathrm{ub}}$) [GKL15, PSs17, BMTZ17], where the quantity $T_{\mathrm{ub}}$ denotes the upper bound on the number of mining queries per round. Throughout this work, we work in the so-called flat model of Bitcoin for notational simplicity [GKL15, BGM+18], where each miner gets one mining query per round (and the adversary's power is then the number of corrupted miners). We note that sometimes it is convenient to assume a lower bound $T_{\mathrm{lb}}$ on the number of mining queries (a.k.a. participation) per round, in particular when arguing about the guaranteed growth of the blockchain over time in combination with the security threshold. Finally, we point out that even if there are no adversarial players, an upper bound $T_{\mathrm{ub}}$ on the number of queries is necessary for security in the fixed difficulty setting, when aiming for a common prefix guarantee for some target parameter cutOff. As the failure probability of Bitcoin becomes negligible as a function of cutOff (more precisely, the relevant factor is of the order $2^{-\Omega(\mathrm{cutOff})}$), we often treat it as a (of course polynomially bounded) function $\mathrm{cutOff}(\kappa)$ of a security parameter $\kappa$, and (in symbolic notation) $\mathrm{cutOff} = \omega(\log(\kappa))$ is at least required to obtain a negligible probability of a failure.
² While other security guarantees exist, such as chain quality, our focus in this paper is consistency.
A Rational Protocol Treatment of 51% Attacks 9
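The threshold $\theta_{\mathrm{pow}}$ and its linear approximation evaluated as an added example, not taken from the paper. The parameter values $p = 0.001$, $\Delta = 2$ and $n = 100$ miners are constructed and the helper names are our own. Beyond the text, the block converts the per-round inequality into the largest number of corrupted miners tolerated in the flat model (where $T_{\mathrm{ub}} = n$) and checks that the linear form never exceeds the exact one, which follows from Bernoulli's inequality $(1-p)^m \ge 1 - mp$ together with $2(\Delta+1) \ge 2\Delta+1$.

```python
"""Security threshold theta_pow of the cryptographic analysis, as an added
example (not the paper's code). theta_pow := (1 - p)^((2*Delta + 1) * T_ub);
linear approximation 1 - 2*(Delta + 1)*p*T_ub. Parameter values are constructed.
"""


def theta_pow(p: float, delta: int, t_ub: int) -> float:
    """Exact threshold (1 - p)^((2 Delta + 1) T_ub)."""
    if not 0.0 < p < 1.0 or delta < 0 or t_ub <= 0:
        raise ValueError("need 0 < p < 1, Delta >= 0 and T_ub > 0")
    return (1.0 - p) ** ((2 * delta + 1) * t_ub)


def theta_pow_linear(p: float, delta: int, t_ub: int) -> float:
    """Linear approximation 1 - 2 (Delta + 1) p T_ub. By Bernoulli's
    inequality (1 - p)^m >= 1 - m p it never exceeds theta_pow, and it can
    become negative when p * T_ub is large, where the exact value stays positive."""
    return 1.0 - 2.0 * (delta + 1) * p * t_ub


def honest_majority_holds(n_a: int, n_h: int, p: float, delta: int, t_ub: int,
                          linear: bool = False) -> bool:
    """Per-round condition n_a < theta_pow * n_h."""
    theta = theta_pow_linear(p, delta, t_ub) if linear else theta_pow(p, delta, t_ub)
    return n_a < theta * n_h


def max_corruptions_flat(n: int, p: float, delta: int, linear: bool = False) -> int:
    """Flat model: n miners with one query each, so T_ub = n and the adversary's
    power is the number t of corrupted miners. Returns the largest t with
    t < theta_pow * (n - t), or -1 if even t = 0 fails (theta <= 0)."""
    best = -1
    for t in range(n + 1):
        if honest_majority_holds(t, n - t, p, delta, n, linear):
            best = t
        else:
            break  # the left side grows and the right side shrinks in t
    return best


if __name__ == "__main__":
    p, delta, n = 0.001, 2, 100  # constructed values
    print(f"theta_pow exact  = {theta_pow(p, delta, n):.4f}")
    print(f"theta_pow linear = {theta_pow_linear(p, delta, n):.4f}")
    print("max corrupted miners (exact, linear):",
          max_corruptions_flat(n, p, delta), max_corruptions_flat(n, p, delta, True))
```

With these constructed values the exact threshold is about 0.606 while the linear form gives 0.4, so the linear approximation tolerates 28 corrupted miners out of 100 where the exact bound tolerates 37; the gap grows with $p\,T_{\mathrm{ub}}$, which is why the exact form matters when the per-round success rate is not small.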
Bitcoin Backbone and UC. The RPD framework is based on the UC framework. As such, the above Bitcoin backbone protocol $\Pi_{\mathcal{B}}$ is seen as a UC protocol as in [BMTZ17], where it is proven to UC-realize a strong transaction ledger functionality $\mathcal{G}_{\mathrm{ledger}}$ under the honest majority assumption. We give here just the explanation of what the ideal consistency guarantee looks like: the functionality $\mathcal{G}_{\mathrm{ledger}}$ ensures that at any point in time, there is only one unique ledger state (sequences of transactions packed in blocks), where the state is append-only (that is, whatever appears as a block in the state is immutable). Furthermore, different honest parties see different prefixes of this state, with the guarantee that these views are increasing and within a window of windowSize (a ledger parameter) blocks from the tip of the state. Note that the cut-off parameter of Bitcoin corresponds exactly to the size of that window in the realized ledger $\mathcal{G}_{\mathrm{ledger}}$. More precisely, whenever Bitcoin satisfies Definition 1, then the above-mentioned correspondence holds and the ledger state is a single chain of blocks [BMTZ17].
In UC, the protocol $\Pi_{\mathcal{B}}$ assumes a couple of hybrid functionalities. First, the round-based structure is achieved using UC-synchronous tools (assuming a clock functionality), a network, and a random oracle, where restrictions on the mining queries can be captured by functionality wrappers restricting the number of RO evaluations, e.g. [BMTZ17, GKO+20]. One extremely helpful aspect of UC in the context of RPD is the compatibility with the composition theorem [GKM+13]. In this work this is leveraged as follows. The Bitcoin backbone $\Pi_{\mathcal{B}}$ admits a modular structure that isolates the lottery aspect as a submodule of the system. Technically, the proofs in [BMTZ17, PSs17] show that whenever the PoW-lottery UC-realizes the state exchange functionality $\mathcal{F}_{\mathrm{StX}}$ (in [PSs17] the related concept is called $\mathcal{F}_{\mathrm{tree}}$), the Nakamoto-style longest chain rule protocol (under the above honest-majority security threshold) realizes the ledger. This intermediate step is important due to two things: first, it models an idealized mining process where each mining query is an independent Bernoulli trial with success probability $p$ (and hence abstracts away those real-life negligible-probability events that would destroy independence), and second, it abstracts away the low-level details of the chain structure (where, e.g., "hash collisions" could cause disruptions). It is proven in [BMTZ17] that the proof-of-work layer of Bitcoin (in the random oracle model) UC-realizes $\mathcal{F}_{\mathrm{StX}}$. Moreover, since it only abstracts the lottery part of the system, this realization does not depend on any security threshold. We can therefore leverage composition when analyzing the utilities of Bitcoin and work with the idealized lottery directly.
2.2 Rational Protocol Design
The Rational Protocol Design framework (RPD) allows us to analyze the security of the blockchain without assuming honest majority. Although consistency and other security properties are lost if an attacker can arbitrarily break honest majority, assuming attackers are rational offers an alternate method of limiting their actions. That is, although the attacker is free to act in any way (e.g. corrupt more than a majority of the hashing power), he will only do so if it is profitable. Building on [BGM+18], our analysis is based on the Rational Protocol Design (RPD) framework introduced in [GKM+13]. RPD analyzes the security of protocols, such as Bitcoin, with respect to an incentive-driven adversary. In this model, a protocol designer $D$ plays an attack game $\mathcal{G}$ with an attacker $A$. First, the designer $D$ comes up with a protocol $\Pi$. Then, the attacker $A$, who is informed about $\Pi$, comes up with an adversarial strategy $\mathcal{A}$ to attack $\Pi$. The utility of the attacker (resp. designer) is then defined on the strategy profile $(\Pi, \mathcal{A})$, and is denoted $u_A(\Pi, \mathcal{A})$ (resp. $u_D(\Pi, \mathcal{A})$). In this work, we focus on the attacker's utility $u_A(\Pi, \mathcal{A})$.
The game $\mathcal{G}$ is defined with respect to an attack model $\mathcal{M} = (\mathcal{F}, \langle\mathcal{F}\rangle, v_A, v_D)$. $\mathcal{F}$ is the functionality which the designer would like to implement, such as a ledger that provides certain ideal guarantees as described above. However, when certain assumptions, e.g. honest majority for Bitcoin, are not met (which, as stated above, we explicitly do not want to demand a priori), we cannot hope to get $\mathcal{F}$. Instead, the designer $D$'s protocol $\Pi$ (in our case, the Bitcoin protocol $\Pi_{\mathcal{B}}$) only implements a weaker functionality $\langle\mathcal{F}\rangle$. This weaker functionality that Bitcoin implements when lifting the honest majority assumption is proven to be $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$ in [BGM+18] and provided in our full version [BLZ21] for completeness. Intuitively, the weak ledger is derived from the stronger version [BMTZ17] by introducing a few weaknesses. For example, it allows the adversary to fork the ledger state and hence allows it to break consistency (this event corresponds to a deep reorganization of the blockchain in the real world). This is allowed by the fork command in $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$. Given the views of the simulator and environment in an ideal-world execution, the value functions $v_A$ and $v_D$ assign payoffs to the attacker and designer respectively, when certain events happen in the views, such as when the simulator forks the blockchain via $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$. Finally, utilities $u_A$ and $u_D$ are functions of payoffs (defined with $v_A$ and $v_D$) of simulators that can simulate $\mathcal{A}$ in $\Pi$ in the environment $\mathcal{Z}$. Looking ahead, the goal of RPD is to find conditions under which a rational attacker would not invoke the weaknesses of $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$ (e.g., it is too costly to perform an attack). For example, if under a class of utilities no rational attacker invokes the fork command, then we essentially obtain a stronger ledger (i.e., the same except that this command is absent and hence the ledger state remains a unique chain) against attackers incentivized by this class of utilities.
2.3 Utility of the Attacker From [BGM+18]
We detail the attacker's utility in [BGM+18], which in the RPD framework captures the expected payoff of a particular adversarial strategy $\mathcal{A}$ in a given protocol $\Pi$ (in our case $\Pi = \Pi_{\mathcal{B}}$). This payoff is calculated based on different events that occur in the real execution and the corresponding ideal experiment where a black-box simulator is attempting to simulate this adversarial strategy. Specifically, the work of [BGM+18] considers the following events:
1. Event $W^{\mathcal{A}}_{q,r}$, for each pair $(q, r) \in \mathbb{N}^2$: The simulator simulates $q$ mining queries by the adversary in round $r$ of the simulated execution.
2. Event $I^{\mathcal{A}}_{b,r}$, for each pair $(b, r) \in \mathbb{N}^2$: The simulator inserts $b$ blocks into the state of the ledger in round $r$, such that all these blocks were previously queries to the (simulated) random oracle by the adversary. Informally, this event occurs when an honest party views these blocks as "confirmed" (part of his own ledger state).
A different payoff is associated with each event. In order to make $q$ mining queries and invoke event $W^{\mathcal{A}}_{q,r}$, the attacker must pay $q \cdot \mathrm{mcost}$, where mcost is the cost of making a mining query (e.g. electricity cost per hash query). When $b$ blocks made by the adversary are inserted into the ledger and event $I^{\mathcal{A}}_{b,r}$ occurs, the attacker receives payoff $b \cdot \mathrm{breward} \cdot \mathrm{CR}$. Here breward is the reward for making a block in the currency of the blockchain (e.g. Bitcoins), and CR is an exchange rate to the same currency used for mcost (e.g. USD).
Then, [BGM+18] defines the following attacker's utility for a strategy profile $(\Pi, \mathcal{A})$. Let $\mathcal{C}_{\mathcal{A}}$ denote the set of simulators that can emulate an adversary $\mathcal{A}$ in the ideal world with access to the weaker ledger functionality $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$, and $\mathcal{Z}$ denote an environment. The real payoff of an adversary $\mathcal{A}$ attacking the protocol is defined as the minimum payoff over all simulators in $\mathcal{C}_{\mathcal{A}}$. If $\mathcal{C}_{\mathcal{A}} = \emptyset$ (there are no simulators that can simulate $\mathcal{A}$) then $u_A(\Pi, \mathcal{A}) = \infty$ by definition. Then, the utility $u_A(\Pi, \mathcal{A})$ is the real payoff, maximized over all possible environments $\mathcal{Z}$ (we assume for simplicity that environments are closed and run in polynomial time in the security parameter [Can01]).
The work of [GKM+13] introduces the following notion of security against incentive-driven adversaries: No matter the utility achieved by an adversary $\mathcal{A}$ running the protocol $\Pi$ in the real world, there exists an adversary $\mathcal{A}'$ running the dummy protocol with access to the ideal functionality $\mathcal{F}$ that achieves the same or better utility. In other words, even the best adversary attacking $\Pi$ cannot achieve better utility than one who does not invoke any of the "bad events" in $\mathcal{F}$. Note that here $\mathcal{F}$ can be any strengthening of its weaker version. For example, the weak ledger without the option to break consistency would be a strengthening of $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$, in which case attack-payoff security implies that there is no incentive (even for a majority-controlling adversary) to create a fork (that is, a deep reorganization) even though he technically could be able to.
Strictly speaking, the utilities are also functions in the security parameter $\kappa$ (the environment obtains the parameter as input in UC), but we omit it for notational simplicity. We note that as functions in the security parameter $\kappa$, the asymptotic behavior of the involved functions is the relevant aspect.
Definition 2 (Attack payoff security [GKM+13]). Let $\mathcal{M} = (\mathcal{F}, \langle\mathcal{F}\rangle, v_A, v_D)$ be an attack model inducing utility $u_A$, and let $\Phi^{\mathcal{F}}$ be the dummy $\mathcal{F}$-hybrid protocol. A protocol $\Pi$ is attack-payoff secure for $\mathcal{M}$ if for all $\mathcal{A}$, there is an $\mathcal{A}'$ such that $u_A(\Pi, \mathcal{A}) \le u_A(\Phi^{\mathcal{F}}, \mathcal{A}') + \mathrm{negl}(\kappa)$.
This notion of attack-payoff security does not necessarily mean an incentive-driven adversary will honestly follow the protocol: there is no restriction on the honesty of the actions of $\mathcal{A}'$ in the above definition. To capture this stronger requirement in the context of Bitcoin, we also consider a stronger notion introduced by [BGM+18]: the attacker is incentivized to always choose a front-running, passive-mining adversary over any (potentially malicious) strategy. Informally, this passive adversary behaves exactly like an honest party (mining with all his hashing power and releasing a block he has found immediately), except that the adversary's messages are always delivered before the honest parties' (front-running). Front-running gives the adversary an advantage since, if an adversary's block is concurrently competing with an honest party's block to be appended to the longest chain, the adversary always wins.
Definition 3 (Front-running, passive-mining adversary [BGM+18]). The front-running adversarial strategy $\mathcal{A} \in \mathcal{A}_{\mathrm{fr}}$ is specified as follows: Upon activation in round $r > 0$, $\mathcal{A}$ activates in a round-robin fashion all its (passively) corrupted parties, say $p_1, \dots, p_t$. When corrupt party $p_i$ generates some new message to be sent through the network, $\mathcal{A}$ immediately delivers it to all its recipients. In addition, upon any activation, any message submitted to the network $\mathcal{F}_{\mathrm{N\text{-}MC}}$ by an honest party is maximally delayed.
$\Pi_{\mathcal{B}}$ was proved to be strongly attack-payoff secure in [BGM+18] for the utility in Eq. 1. Informally, a protocol is strongly attack-payoff secure if there is always a passive adversarial strategy that is at least as good as any malicious strategy. In this work, we are also interested in the case where security does not hold: we say an adversary $\mathcal{A}$ breaks strong attack-payoff security if $u_A(\Pi, \mathcal{A})$ exceeds $u_A(\Pi, \mathcal{A}')$ for any $\mathcal{A}' \in \mathcal{A}_{\mathrm{fr}}$ by a non-negligible amount.
Definition 4 (Strongly attack-payoff secure [BGM+18]). A protocol $\Pi$ is strongly attack-payoff secure for attack model $\mathcal{M}$ if there is an $\mathcal{A}' \in \mathcal{A}_{\mathrm{fr}}$ such that for all $\mathcal{A}$, $u_A(\Pi, \mathcal{A}) \le u_A(\Pi, \mathcal{A}') + \mathrm{negl}(\kappa)$.
In our work, we will follow the approach from [BGM+18] that simplifies the proofs when analyzing the utilities from mining in the protocol $\Pi_{\mathcal{B}}$ by utilizing the composition theorem of RPD. As explained above, instead of analyzing the probabilities of payoff-inducing events for $\Pi_{\mathcal{B}}$, which uses the random oracle as the lottery, one can analyze probabilities for the modular ledger protocol w.r.t. an idealized lottery that makes use of the state exchange functionality $\mathcal{F}_{\mathrm{StX}}$ (for completeness, defined in the full version [BLZ21]). In more detail: when a party (or the adversary in the name of a corrupted party) wishes to extend a chain, it invokes $\mathcal{F}_{\mathrm{StX}}$ with a submit-new command, which performs a coin toss and informs the party whether it is successful. If the party is successful, the functionality includes this new chain into a tree data structure and allows the party to multicast this new chain with a send command; this multicasting is done automatically for honest parties. Due to the correspondence of RO queries in the Bitcoin protocol and the submit-new commands in the modularized Bitcoin protocol [BMTZ17], the events defined for $u^{\mathcal{B}}_{A}(\Pi, \mathcal{A})$ (for the full Bitcoin protocol) above remain valid and meaningful also in this hybrid world, because the black-box simulator for the overall Bitcoin protocol simulates one RO-query (as a reaction to an input by a corrupted party) whenever the (black-box) simulator for the modular ledger protocol simulates one submit-new command, as a reaction to the corresponding input by the same party [BGM+18].
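A toy model of the modular protocol over an idealized lottery in the style of $\mathcal{F}_{\mathrm{StX}}$, combined with the front-running passive adversary of Definition 3, as an added example that is not the functionality of [BMTZ17] or [BLZ21] and not the paper's code. Each submit-new is an independent Bernoulli($p$) trial, successful chains are recorded in a tree and multicast, and the adversary's chains are delivered before the honest ones; the network delay of Definition 3 is collapsed to delivery order within a round, which is an assumption of this model. The class and function names, the party names and the scripted coin outcomes are constructed; the coin is injected so the same schedule can be replayed with and without front-running to see which block wins a same-height tie.

```python
"""Toy model of the modular Bitcoin protocol over an idealized lottery in the
style of F_StX, with the front-running passive adversary of Definition 3.
Added example, not the functionality of [BMTZ17]/[BLZ21]; party names, block
identifiers and the scripted coin outcomes are constructed.
"""
import random
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Chain = Tuple[str, ...]
GENESIS: Chain = ("B0",)


class StateExchange:
    """Minimal stand-in for F_StX: submit_new is one mining query (an
    independent Bernoulli(p) trial); successful chains are recorded in a tree."""

    def __init__(self, p: float, coin: Callable[[float], bool]):
        self.p = p
        self.coin = coin          # coin(p) is True with probability p
        self.tree = {GENESIS}     # all valid chains seen so far
        self.next_id = 1

    def submit_new(self, party: str, chain: Chain) -> Optional[Chain]:
        """Try to extend `chain` by one block; returns the new chain or None."""
        if chain not in self.tree:
            raise ValueError("can only extend a chain recorded in the tree")
        if not self.coin(self.p):
            return None
        new = chain + (f"B{self.next_id}@{party}",)  # block tagged with its miner
        self.next_id += 1
        self.tree.add(new)
        return new


def adopt(current: Chain, incoming: Chain) -> Chain:
    """Longest-chain rule; on a tie the chain received first is kept."""
    return incoming if len(incoming) > len(current) else current


def run(p: float, honest: Sequence[str], corrupt: Sequence[str],
        coin: Callable[[float], bool], rounds: int,
        front_running: bool = True) -> Dict[str, Chain]:
    """Flat model: every party makes one submit-new per round. Honest chains
    are multicast automatically (the send command); the passive adversary
    multicasts too, but its chains are delivered first when front_running is
    set and after the honest ones otherwise."""
    stx = StateExchange(p, coin)
    parties = (*honest, *corrupt)
    chains: Dict[str, Chain] = {party: GENESIS for party in parties}
    for _ in range(rounds):
        found_h: List[Chain] = []
        found_a: List[Chain] = []
        for party in parties:
            new = stx.submit_new(party, chains[party])
            if new is None:
                continue
            chains[party] = new  # a miner adopts its own block at once
            (found_a if party in corrupt else found_h).append(new)
        deliveries = found_a + found_h if front_running else found_h + found_a
        for party in parties:
            for chain in deliveries:
                chains[party] = adopt(chains[party], chain)
    return chains


def adversary_share(chain: Chain, corrupt: Sequence[str]) -> Tuple[int, int]:
    """(adversarial blocks, non-genesis blocks) in `chain`."""
    miners = [block.split("@")[1] for block in chain[1:]]
    return sum(m in corrupt for m in miners), len(miners)


def scripted_coin(outcomes: Sequence[bool]) -> Callable[[float], bool]:
    """Deterministic lottery replaying a fixed list of outcomes."""
    it = iter(outcomes)
    return lambda _p: next(it)


def demo(front_running: bool) -> Chain:
    """Constructed schedule: in round 1 honest h2 and corrupt a1 both find a
    block (a same-height tie); in round 2 only h1 does. Returns the chain all
    parties agree on afterwards."""
    script = [False, True, True,    # round 1: h1 misses, h2 hits, a1 hits
              True, False, False]   # round 2: h1 hits, h2 and a1 miss
    chains = run(0.5, ["h1", "h2"], ["a1"], scripted_coin(script), 2, front_running)
    assert len(set(chains.values())) == 1, "parties should agree after round 2"
    return chains["h1"]


if __name__ == "__main__":
    print("front-running :", demo(True))    # a1's block wins the tie
    print("honest first  :", demo(False))   # h2's block wins the tie
    rng = random.Random(1)
    final = run(0.05, ["h1", "h2", "h3"], ["a1"], lambda q: rng.random() < q, 200)
    print("adversary share over a random run:", adversary_share(final["h1"], ["a1"]))
```

In the scripted run the only difference between the two executions is delivery order: with front-running, h1 receives a1's chain first, keeps it on the tie, and mines the next block on top of it, so the adversary's block ends up in everyone's chain; with honest-first delivery the same block is orphaned. That is exactly the advantage the text attributes to a front-running passive miner, and it is independent of the coin outcomes, which is why the model lets the lottery be injected.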
3 Artifacts of Unbounded Incentives
In this section, we discuss an artifact of the utility function Eq. 1, which we will eliminate in the next section. Concretely, we prove that this RPD utility is inappropriate to capture the most realistic situation of attackers that attack the system, e.g., attempt a fork to profit from double-spending. To do so, we prove Lemmas 1 and 2, which roughly show this surprising fact: if running the protocol (semi-)honestly is profitable in expectation, then there is no incentive for an adversary to fork. The intuitive reason for this is clear: Any fixed payoff for forking obtained by the adversary can be offset by an adversary who runs slightly longer (and still polynomially long) but does not fork. This, however, is an artifact of the asymptotic definition and does not reflect real-world incentive-driven attack scenarios, where mining is anticipated to be profitable (otherwise no one would mine) but attackers still perform forking attacks (in particular, in order to double-spend coins). We distill a property of the utility from [BGM+18] that is the reason for this artifact, which we call unbounded incentives, and prove that any utility satisfying this property will suffer from the same artifact. Looking ahead to the following section, we will propose a natural adaptation of this utility function that does not suffer from the above artifact (and where, in particular, the duration of an attack actually starts to matter).
3.1 Demonstrating the Artifact
Let us first consider the straightforward adaptation of the utility from Eq. 1 to model the payoff (e.g. double-spending) an adversary gains by forking the ledger.
Define the event $K$ as: There is a round $r$ where the simulator uses the fork command of the weak ledger functionality $\mathcal{G}^{\mathcal{B}}_{\mathrm{weak\text{-}ledger}}$ (see [BLZ21] for the formal definition) that allows the simulator to invoke a fork. Let fpayoff be the payoff for invoking the fork. Then, the utility $u_f$ becomes:
Below, we show that for the utility function $u_f$ above, the Bitcoin protocol $\Pi_{\mathcal{B}}$ is strongly attack-payoff secure as long as mining is profitable. Our proof takes advantage of the artifact of unbounded incentives: informally, first we show that the payoff of any polynomial-run-time adversary $\mathcal{A}$ is bounded by a polynomial $p(\kappa)$ of the security parameter; then, we show that there is a passive, front-running adversary whose run-time is also polynomial (albeit bigger than that of $\mathcal{A}$), and who achieves at least $p(\kappa)$ utility.³
Lemma 1 (Attack payoff security with forking). Let $T_{\mathrm{ub}} > 0$ be the upper bound on the total number of mining queries per round, $p \in (0, 1)$ be the probability of success of each mining query, and $\mathrm{cutOff} = \omega(\log(\kappa))$ be the consistency parameter. Let $\mathcal{M}$ be a model whose induced utility $u_f$ has parameters $\mathrm{fpayoff}, \mathrm{breward}, \mathrm{CR}, \mathrm{mcost} \ge 0$. The Bitcoin protocol $\Pi_{\mathcal{B}}$ is strongly attack-payoff secure in $\mathcal{M}$ if $p \cdot \mathrm{breward} \cdot \mathrm{CR} - \mathrm{mcost} > 0$.
3.2 A First Attempt to Eliminate the Artifact
Although we proved that Bitcoin is strongly attack-payoff secure even with a payoff for forking, this is actually not a good sign, as this result does not reflect reality. In reality, attackers do fork blockchains to gain profit via e.g. double-spending transactions. Thus, the fact that we can prove Lemma 1 means that there must be a problem with our assumptions.
Why were we able to prove Lemma 1? It turns out the utility function we used has the weakness that it considers an attacker who does not care about the ephemeral payoff for forking: he can simply obtain more utility via block rewards if he just puts in a bit more hashing power for mining. Thus, somewhat counter-intuitively, to model incentives for forking attacks, we must consider utilities that limit the amount of mining an attacker can do.
A first natural instinct may be to incorporate in the utility the (often substantial) initial investment (e.g. cost of buying mining rigs) an attacker must make before being able to participate in the blockchain protocol. This turns out to be not only a natural extension, but also a very simple one. Concretely, we capture this investment as cost of party corruption: in order to use a party for mining, the adversary needs to corrupt it, which corresponds to acquiring its mining equipment. Formally, for each $g \in \mathbb{N}$ define $C^{\mathcal{A}}_g$ as follows: The maximum number of corrupted parties at any round is $g$. Let $\mathrm{ccost}(g)$ be the cost of event $C^{\mathcal{A}}_g$, i.e. corrupting $g$ parties. Then we define the utility function:
³ We note that for the simple utility function presented in [BGM+18] other proof techniques could conclude attack-payoff security without the runtime-extension argument. The main point here is to demonstrate the importance of considering the attack duration in the utility function.
Interestingly, as we see below, this natural extension is still insufficient to align the model with the reality that forking attacks occur. Indeed, even with this additional cost, we can still prove a result similar to Lemma 1. Concretely, the following lemma shows that for $u_{f,c}$ above, we can prove the same statement as the one in Lemma 1 about $\Pi_{\mathcal{B}}$ being attack-payoff secure, by again exploiting the artifact of unbounded incentives.
Lemma 2 (Attack payoff security with forking, with cost of corruption). Let $T_{\mathrm{ub}} > 0$ be the upper bound on the total number of mining queries per round, $p \in (0, 1)$ be the probability of success of each mining query, and $\mathrm{cutOff} = \omega(\log(\kappa))$ be the consistency parameter. Let $\mathcal{M}$ be the model whose induced utility $u_{f,c}$ has parameters $\mathrm{fpayoff}, \mathrm{breward}, \mathrm{CR}, \mathrm{mcost} \ge 0$ and $\mathrm{ccost}(\cdot) : \mathbb{N} \to \mathbb{R}^{+}$. The Bitcoin protocol is strongly attack-payoff secure in $\mathcal{M}$ if $p \cdot \mathrm{breward} \cdot \mathrm{CR} - \mathrm{mcost} > 0$.
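The payoff accounting of Section 2.3 (events $W^{\mathcal{A}}_{q,r}$ and $I^{\mathcal{A}}_{b,r}$), extended with the fork payoff of Section 3.1 and the cost of corruption of Section 3.2, together with the runtime-extension step behind the proofs of Lemmas 1 and 2, as an added example that is not the paper's code. The event-trace encoding, the function names and all parameter values ($p = 1/8$, breward $= 40$, CR $= 1$, mcost $= 3$, fpayoff $= 1000$, $\mathrm{ccost}(g) = 25g$) are constructed; the passive miner's expected utility is computed under the assumption that every block it finds is eventually inserted, ignoring the unconfirmed tail of cutOff blocks at the end of the execution.

```python
"""Attacker utility accounting (Section 2.3) extended with a fork payoff
(Section 3.1) and a cost of corruption (Section 3.2), and the runtime-extension
argument behind Lemmas 1 and 2. Added example, not the paper's code; all
numbers are constructed.

Event trace encoding (constructed):
  ("W", q, r)  q adversarial mining queries simulated in round r
  ("I", b, r)  b adversarial blocks inserted into the ledger state in round r
  ("K", r)     the simulator invokes the fork command in round r
  ("C", g)     at most g parties corrupted in any round
"""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Event = Tuple


@dataclass(frozen=True)
class Params:
    p: float                # success probability of one mining query
    breward: float          # block reward, in the chain's currency
    CR: float               # exchange rate into the currency of mcost
    mcost: float            # cost of one mining query
    fpayoff: float = 0.0    # payoff for invoking fork (u_f)
    ccost: Callable[[int], float] = lambda g: 0.0  # cost of corrupting g parties (u_{f,c})


def payoff(events: Sequence[Event], prm: Params) -> float:
    """Sum the payoffs of a trace: block rewards and fork payoff minus mining
    and corruption cost."""
    total = 0.0
    for ev in events:
        kind = ev[0]
        if kind == "W":
            total -= ev[1] * prm.mcost
        elif kind == "I":
            total += ev[1] * prm.breward * prm.CR
        elif kind == "K":
            total += prm.fpayoff
        elif kind == "C":
            total -= prm.ccost(ev[1])
        else:
            raise ValueError(f"unknown event {ev!r}")
    return total


def per_query_margin(prm: Params) -> float:
    """p * breward * CR - mcost: expected profit of a single mining query,
    the quantity Lemmas 1 and 2 require to be positive."""
    return prm.p * prm.breward * prm.CR - prm.mcost


def artifact_applies(prm: Params) -> bool:
    """Unbounded incentives: passive mining keeps accumulating utility."""
    return per_query_margin(prm) > 0


def passive_expected_utility(prm: Params, t: int, rounds: int) -> float:
    """Expected utility of a front-running passive miner with t corrupted
    parties (t queries per round in the flat model) over `rounds` rounds.
    Assumes every block it finds is eventually inserted and ignores the
    unconfirmed cutOff-sized tail at the end of the execution."""
    return rounds * t * per_query_margin(prm) - prm.ccost(t)


def rounds_to_match(prm: Params, t: int, target: float) -> int:
    """Smallest number of rounds after which passive mining with t parties is
    expected to reach `target`: the runtime extension used in the proofs.
    Refuses when mining is not profitable, the regime the lemmas exclude."""
    if not artifact_applies(prm) or t <= 0:
        raise ValueError("need a positive per-query margin and t > 0")
    return max(0, math.ceil((target + prm.ccost(t)) / (t * per_query_margin(prm))))


# Constructed parameters: margin = 1/8 * 40 * 1 - 3 = 2 per query.
EXAMPLE_PARAMS = Params(p=0.125, breward=40.0, CR=1.0, mcost=3.0,
                        fpayoff=1000.0, ccost=lambda g: 25.0 * g)

# Constructed trace of a forking attacker: 4 corrupted parties, 10 rounds of
# mining, 2 blocks inserted, one fork.
FORK_TRACE: List[Event] = ([("C", 4)]
                           + [("W", 4, r) for r in range(1, 11)]
                           + [("I", 2, 10), ("K", 10)])


def demo(prm: Params = EXAMPLE_PARAMS, trace: Sequence[Event] = FORK_TRACE,
         t: int = 4) -> Dict[str, float]:
    """Compare the forking trace with a passive miner that runs long enough."""
    fork_utility = payoff(trace, prm)
    rounds = rounds_to_match(prm, t, fork_utility)
    return {"fork_utility": fork_utility,
            "rounds_needed": rounds,
            "passive_utility": passive_expected_utility(prm, t, rounds)}


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With these numbers the forking trace is worth 860, and a passive front-running miner controlling the same four parties reaches that expected utility after 120 rounds without ever invoking fork, which is the whole content of the artifact: the fork payoff and the corruption cost only shift the number of rounds, never the conclusion. When $p \cdot \mathrm{breward} \cdot \mathrm{CR} - \mathrm{mcost} \le 0$ the helper refuses, matching the condition of both lemmas.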
3.3 The Source of the Artifact: Unbounded Incentives
Distilling the issue in the above lemmas, we observe that as long as the adversary keeps accumulating rewards as rounds are added to the protocol, i.e., mining remains profitable, he does not care about the payoff for forking: there always exists a polynomial-time, passively mining strategy that simply gains the same amount of utility by mining a bit more. However, not only do real-life attackers in fact profit from forks, even the assumption on the profitability of mining forever is unrealistic: any attacker is at least limited in time by, e.g., the anticipated age of the universe, and cannot, in practice, keep accumulating utility in perpetuity. Thus, to make accurate predictions about the attackability of a blockchain protocol, the utility function must exclude the eternal profitability of passive mining. We generalize this intuition by defining the notion of unbounded incentives: