research-article

Open access

The Bitcoin Backbone Protocol: Analysis and Applications

Authors:

Juan Garay,

Aggelos Kiayias,

Nikos LeonardosAuthors Info & Claims

Journal of the ACM, Volume 71, Issue 4

Article No.: 25, Pages 1 - 49

https://doi.org/10.1145/3653445

Published: 01 August 2024 Publication History

PDF eReader

Abstract

Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove three of its fundamental properties which we call Common Prefix, Chain Quality, and Chain Growth in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the “hashing power” of the protocol participants and their interplay with the protocol parameters and the time needed for reliable message passing between honest parties in terms of computational steps. A takeaway from our analysis is that, all else being equal, the protocol’s provable tolerance in terms of the number of adversarial parties (or, equivalently, their “hashing power” in our model) decreases as the duration of a message passing round increases.

Next, we propose and analyze applications that can be built “on top” of the backbone protocol, specifically focusing on Byzantine agreement (BA) and on the notion of a public transaction ledger. Regarding BA, we observe that a proposal due to Nakamoto falls short of solving it, and present a simple alternative which works assuming that the adversary’s hashing power is bounded by 1/3. The public transaction ledger captures the essence of Bitcoin’s operation as a cryptocurrency, in the sense that it guarantees the liveness and persistence of committed transactions. Based on this notion, we describe and analyze the Bitcoin system as well as a more elaborate BA protocol and we prove them secure assuming the adversary’s hashing power is strictly less than 1/2. Instrumental to this latter result is a technique we call 2-for-1 proof-of-work (PoW) that has proven to be useful in the design of other PoW-based protocols.

1 Introduction

Bitcoin, introduced in [59], is a decentralized payment system that is based on maintaining a public transaction ledger in a distributed manner. The ledger is maintained by anonymous participants (parties, “players”) called miners, executing a protocol that maintains and extends a distributed data structure called the blockchain. The protocol requires from miners to solve a “proof of work” (PoW, aka “cryptographic puzzle”—see, e.g., [5, 31, 48, 70]), which essentially amounts to brute-forcing a hash inequality based on SHA-256, in order to generate new blocks for the blockchain. The blocks that comprise the blockchain contain sets of transactions that are generated at will by owners of bitcoins, who issue transactions that credit any entity of their choice who accepts payments in bitcoin. Payers broadcast transactions and miners include the transactions they receive into the blocks they generate. Miners are rewarded for maintaining the blockchain by receiving bitcoins; it is in this manner bitcoins are created and distributed among the miners who are the first recipients of newly minted bitcoins.

An important concern in Bitcoin (or any e-payment system for that matter) is the prevention of double-spending attacks. Specifically, in the context of Bitcoin, a double-spending attack can occur when the attacker initially credits an account, receives service or goods by the account holder, but then manages to reorganize the transaction ledger so that the transaction that credits the account holder is reverted. In this way, the attacker keeps her bitcoin while receiving services and thus she is able to spend it again somewhere else.

Nakamoto [59] provides an initial set of arguments of why the Bitcoin system will prevent double-spending attacks. Specifically, he argues that if a payee waits for the transaction that gives her credit to be succeeded in the blockchain by a number of k blocks, then the probability that an attacker can build an alternative blockchain that “reorganizes” the public blockchain (which contains the credit transaction) drops exponentially with k. Nakamoto argues this by modeling the attacker and the set of honest players as two competing actors performing a random walk moving toward a single direction with probabilistic steps. He demonstrates that the k blocks the payee waits are enough to ensure a negligible (in k) probability of the attacker catching up with the honest players.

Nevertheless, the above analysis can be easily seen to be oversimplified: for example, it does not account for the fact that in Bitcoin’s decentralized setting the attacker may attempt to introduce disagreement between the honest miners, thus splitting their hashing power on different PoW instances. Nakamoto himself appeared to recognize the relevance of agreement in the context of Bitcoin, arguing in a forum post [60] that actually “Bitcoin’s basic concept” of building and exchanging a blockchain is capable of solving Byzantine agreement (BA) [57, 68] in the presence of an actively malicious adversary.¹ However, a thorough analysis establishing the exact security properties of the Bitcoin system has yet to appear.

Our results. In this article, we present the first formal treatment of Bitcoin’s core protocol. In more detail, we extract, formally describe, and analyze this protocol, which we call the Bitcoin backbone, as we describe it in a way that is versatile and extensible and can be used to solve other problems, in addition to maintaining a public transaction ledger. The Bitcoin backbone protocol is executed by players (the miners) that build a blockchain following the Bitcoin source code [61], allowing them to maintain a blockchain in a distributed fashion. The protocol is parameterized by three external functions \(V(\cdot), I(\cdot), R(\cdot)\) which we call the content validation predicate, the input contribution function, and the chain reading function, respectively. At a high level, \(V(\cdot)\) determines the proper structure of the information that is stored into the blockchain, \(I(\cdot)\) specifies how the contents of the blocks are formed by the players, and \(R(\cdot)\) determines how a blockchain is supposed to be interpreted in the context of the application. Note that the structure, contents, and interpretation of the blockchain are not important for the description of the backbone protocol and are left to be specified by the three external functions above, which are application-specific (we provide examples of these functions in Section 5).

Analysis of the Bitcoin backbone protocol. We analyze the protocol in a static setting when the participants operate in a synchronous communication network (more details below and in Section 2; see also Section 7 for an extension of the analysis to a model with bounded delays [30, 66]) in the presence of an adversary that controls a subset of the players. We assume that the protocol is executed by a fixed number of players denoted by n; note, however, that this number is not known to the protocol participants. The players themselves cannot authenticate each other and therefore there is no way to know the source of a message; we capture this by allowing the adversary to “spoof” the source address of any message that is delivered. We assume that messages are eventually delivered and all parties in the network are able to synchronize in the course of a “round.” The notion of round is not important for the description of the backbone protocol (which can also be executed in a loose and asynchronous fashion in the same way that Bitcoin works), however, it is important in terms of Bitcoin’s inherent computational assumption regarding the players’ ability to produce PoWs.

Specifically, we assume that in a single round, all parties involved are allowed the same number of queries to a cryptographic hash function, as well as to communicate with the other participants. The hash function is modeled as a random oracle [10]. For simplicity we assume a “flat model,” where all parties have the same quota of hashing queries per round, say q; the non-flat model where parties have differing hashing power capabilities can be easily captured by clustering the flat-model parties into larger virtual entities that are comprised by more than one flat-model player. In fact “mining pools” in Bitcoin can be thought of such aggregations of flat-model players. The adversary itself represents such pool as it controls \(t\lt n\) players; for this reason, the adversary’s quota per round is \(t\cdot q\) hashing queries. Note that in this setting, \(t\lt n/2\) directly corresponds to the adversary controlling strictly less than half of the system’s total “hashing power” that all players collectively harness, thus, we will use terms such as “honest majority” and “ \((1/2)\) -bounded adversary” interchangeably.

In our analysis of the Bitcoin backbone protocol, we formalize and prove three fundamental properties it possesses. The properties are quantified by the parameter f that represents the probability of a successful PoW calculation by an honest party during a round of protocol execution.

—

The common prefix property. We prove that if \(\frac{t}{n-t}\) is suitably bounded below 1, then the blockchains maintained by the honest players will possess a large common prefix. More specifically, if an honest party “prunes” (i.e., cuts off) k blocks from the end of its local chain, the probability that the resulting pruned chain will not be a prefix of another honest party’s chain drops exponentially in the security parameter (see Definition 3.1 for the precise formulation of the property and Theorem 4.10 for the precise statement). The parameter f plays a critical role in the analysis of the property and should be small in order to approximate honest majority, that is, allowing t to be close to \(n/2\) . A small choice for f, suggests also that the network synchronizes significantly faster than the rate of finding PoWs. On the other hand, when f gets closer to 1 and the network “desynchronizes,” provably achieving a common prefix would be much more challenging—if even possible.

—

The chain quality property. We prove that the ratio of blocks in the chain of any honest player that are contributed by malicious players is bounded by \(\frac{t}{n-t}\) . Again observe that in an honest majority setting, that is, where t is bounded below \(n/2\) , we obtain that the blockchain maintained by honest players is guaranteed to have few, but still some, blocks contributed by honest players; a higher ratio would be necessary to guarantee bigger percentages of blocks contributed by honest players in the blockchain. We also prove that this result is basically tight, that is, that the adversary is capable of following a strategy (that deviates from the strategy of honest players) that enables the introduction of that many blocks in the blockchain, under a favorable (for the adversary) assumption on the propagation of adversarial blocks in the network.

—

The chain growth property. We prove that after any consecutive s rounds, the length of any party’s chain grows by a number of blocks at least \(\tau \cdot s\) , for a parameters \(\tau \in \mathbb {R}\) . that is, this property guarantees that honest parties make progress and their chains grow as they execute the protocol.²

While the above security properties may seem rather abstract since they refer to properties of the data structure that is maintained distributedly by the parties, we demonstrate that they are in fact quite powerful and show that the Bitcoin backbone protocol armed with the above properties can be used as a basis for solving other problems, including the problem of distributively maintaining a “robust” public transaction ledger. In Figure 1, we show how the two properties relate to the properties of the applications that are explained below.

Fig. 1.

BA for \((1/3)\) -bounded adversaries. As a first application, we show how a randomized BA protocol can be built on top of the Bitcoin backbone protocol in a reasonably direct fashion. We instantiate the \(V(\cdot), I(\cdot), R(\cdot)\) functions so that parties form blockchains and act according to the following rules: each party i attempts to insert its own input \(v_i \in \lbrace 0,1\rbrace\) into the blockchain; a blockchain is valid only if blocks contain elements in \(\lbrace 0,1\rbrace\) ; the protocol terminates at a predetermined number of rounds where, with high probability, the blockchain has reached a sufficient length due to chain growth. Each honest party reads its local blockchain and prunes k elements from its end, returning the majority bit appearing in the resulting blockchain’s prefix. We show how the common prefix property and the chain quality property of the backbone protocol ensure Agreement and Validity (BA’s basic properties; see Section 2) with high probability, thus turning the Bitcoin backbone protocol into a probabilistic BA protocol.

Observe that for the above protocol to work, the chain quality property should ensure that a majority of blocks in the blockchain originate from the honest players (otherwise validity is lost). Our chain quality property enables this with overwhelming probability assuming the adversarial power is suitably bounded below \(1/3\) . This approach is different from Nakamoto’s proposal [60] for BA, which, as we also show, only guarantees Validity with overwhelming probability if the adversary has a negligible amount of hashing power. On the positive side, we stress that Nakamoto’s protocol fails gracefully when the adversarial power is larger and even close to \(50\%\) as Validity can be shown with constant probability (but not overwhelming, as one would wish from a randomized BA protocol).

Public transaction ledgers and BA for honest majority. Next, we focus on how a “robust public transaction ledger” can be built on top of the Bitcoin backbone. We instantiate the \(V(\cdot), I(\cdot), R(\cdot)\) functions so that parties form blockchains and act according to the following rules: each party (which in this context is called a “miner”) receives a set S of transactions on its input tape and attempts to insert those in its blockchain, omitting any transactions in S that are already included in it. (A Bitcoin transaction is, for example, a statement of the type “account A credits account B a z number of bitcoins,” which is signed using the secret key that corresponds to account A’s Bitcoin address; each account has a unique Bitcoin address.) Reading a blockchain, on the other hand, amounts to returning the total sequence of transactions that is contained in the blockchain of the miner (and note that miners may disagree about the chain they report).

We show how the common prefix property and the chain quality property ensure two properties needed by the ledger, which we call Persistence and Liveness, assuming an honest majority and arbitrary adversarial behavior. Persistence³ states that once a transaction goes more than k blocks “deep” into the blockchain of one honest player, then it will be included in every honest player’s blockchain with overwhelming probability, and it will be assigned a permanent position in the ledger. On the other hand, Liveness says that all transactions originating from honest account holders will eventually end up at a depth more than k blocks in an honest player’s blockchain, and hence the adversary cannot perform a selective denial of service attack against honest account holders. For both properties to hold we require an honest majority (i.e., that the adversary’s hashing power is strictly less than \(50\%\) ) assuming high network synchronicity (i.e., the duration of a round in terms of the number of computational steps the parties take towards finding a PoW is close to 0). If this is violated, persistence requires stricter bounds on adversarial hashing power in order to be preserved following the bounds of the common prefix property.

The problem of constructing robust transaction ledgers is related to the classical state machine replication (SMR) problem [71] (see Remark 12 for further discussion). In the context of Bitcoin, our analysis implies that the Bitcoin backbone provides an operational transaction ledger under the assumptions: (i) the adversary controls less than half of the total hashing power, and (ii) the network synchronizes much faster relative to the PoW solution rate, (iii) digital signatures cannot be forged. On the other hand, when the network desynchronizes our results cannot support that the ledger is maintained by assuming an honest majority. This negative result is consistent with the experimental analysis provided by Decker and Wattenhoffer [25], who predicted a drop below \(50\%\) in the required adversarial bound for any setting when information propagation is problematic. Our result also provides some justification for the “slow” rate of 10-minute increments used in Bitcoin block generation. Specifically, information propagation in the Bitcoin network is on the order of a few seconds so the ratio (essentially f) of this time window over the average 10-minute period is reasonably close to zero and thus transaction persistence can be shown for roughly an honest majority. On the other hand, cryptocurrencies including Litecoin, Primecoin and others, reacting to the demand to offer faster transaction processing, opted for a faster response rate (some as small as 1 minute), which results in more precarious situations, for example, \(f\gt 0.1\) , which is far from being sufficiently close to 0 and thus cannot support our analysis that a common prefix would be guaranteed by merely assuming an honest majority.

We finally note that the persistence and liveness properties we put forth and prove should not be interpreted as proofs that all Bitcoin’s objectives are met or that they embody all the properties that Bitcoin was intended to offer. For example, they do not guarantee that miners are properly incentivized to carry out the backbone protocol, and they can only offer guarantees in a setting of an honest majority amongst a fixed number of players as opposed to a setting where there is an ever changing population of parties acting rationally; see related work below as well as Section 8 for further discussion.

Next, we present a BA protocol assuming an honest majority, by suitably exploiting the properties of the robust transaction ledger above. The protocol substitutes Bitcoin’s transactions with a type of transactions that are themselves based on PoWs and carry the parties’ inputs. Hence this protocol uses PoWs in two distinct ways: for the maintenance of the ledger and for recording the users’ inputs in the ledger. We show that the ledger’s persistence implies agreement, and that liveness implies validity, because assuming the ledger is maintained for long enough, a majority of transactions originating from the honest parties will be included (despite the fact that honest parties may control a minority of blocks in the blockchain) and as a result applying the majority function on the submitted inputs will recover the honest parties’ input, if they all start with the same bit value. The protocol requires special care in the way it employs PoWs since the adversary should be incapable of “shifting” work between the two PoW tasks that it faces in each round. To solve this problem, we introduce a special strategy for PoW-based protocol composition which we call “2-for-1 PoWs.”

The Bitcoin backbone in the bounded-delay model. We sketch how to extend our analysis for the synchronous model to a bounded-delay model, where, in a nutshell, instead of messages sent in a round being guaranteed to arrive by the end of the round, there is an upper bound of \(\Delta\) rounds for each message delivery event that is unknown to the honest parties (cf. [30, 66]). This analysis is presented in Section 7. It shows that the protocol is secure provided the difficulty level is in a favorable relation with respect to \(\Delta\) . Treating \(\Delta\) as a separate parameter bounding the message passing delay enables to express the honest majority assumption also as a function of \(\Delta\) showing how approaching the \(1/2\) bound hinges on \(\Delta\) being sufficiently small.

Related work. Realizing a digital currency with a centralized entity but while achieving a degree of privacy was proposed early on by Chaum in [21]. A number of other works improved various aspects of this concept, however the approach remained centralized. Nakamoto [59] proposed the first decentralized currency system based on PoWs while relaxing the anonymity property of the payment system to mere pseudonymity. This work was followed by a multitude of other related proposals including Litecoin,⁴ Ethereum,⁵ to mention a few. Our analysis of the Bitcoin backbone covers many of these systems as well, as they are based on the same protocol with only parameter adjustments.

It is interesting to juxtapose our positive results to the results of Eyal and Sirer [32], who introduce an attack strategy called “selfish mining” that shows how the number of blocks contributed to the blockchain by an adversary can exceed the percentage of the hashing power the adversary possesses. Their results are consistent with and complementary to ours. The crux of the issue is (in our terminology) in terms of the chain quality property, as its formulation is quite permissive: in particular we show that if the adversary controls a suitably bounded amount of hashing power, then it is also suitably bounded in terms of the number of blocks it has managed to insert in the blockchain that honest players maintain. Specifically, recall that we prove that the adversary may control at most a \(\frac{t}{n-t}\) percentage of the blocks in the chain (a bound we prove it is tight). For instance, if the adversary has less than \(1/3\) of the hashing power, then it will provably control less than \(50\%\) of the blocks in the honest players’ blockchain. It follows that this does not guarantee that the rate of a party’s hashing power translates to an equal rate of rewards (recall that in Bitcoin the rewards are linearly proportional to the number of blocks that a party contributes in the chain). We define as ideal chain quality the property that for any coalition of parties (following any mining strategy) the percentage of blocks in the blockchain is exactly proportional to their collective hashing power, that is, \(\frac{t}{n}\) . The chain quality property that we prove is not ideal and the results of [32] show that in fact there is a strategy that magnifies the percentage of blocks that a malicious coalition contributes to the blockchain. Still, their selfish mining strategy in our model does worse than our bound. Closing this gap, we show a simple mining strategy that matches our upper bound and hence our chain quality result is tight⁶ assuming the number of honest parties is large.

BA aka “consensus” [57, 68] considers a set of n parties connected by reliable and authenticated pair-wise communication links and with possible conflicting initial inputs that wish to agree on a common output in the presence of the disruptive (even malicious) behavior of some of them. The problem has received a considerable amount of attention under various models. In this article, we are interested in randomized solutions to the problem (e.g., [11, 14, 33, 35, 49, 69])⁷ as in the particular setting we are in (where running time should be sublinear in the number of parties), deterministic BA algorithms are not possible. In more detail, we consider BA in the anonymous synchronous setting, that is, when processors do not have identifiers and cannot correlate messages to their sources, even across rounds, and, further, there is no trusted setup nor a limit to the number of messages delivered per round. Okun, motivated by earlier work [15], considered a slightly weaker model called “anonymous model without port awareness,” which matches the above except for imposing a limit on the number of messages per round and proved the aforementioned impossibility result, namely that deterministic algorithms are impossible for even a single failure [63, 64]. In addition, Okun showed that probabilistic BA is feasible in his setting by suitably adapting Ben-Or’s protocol [11] for the standard, non-anonymous setting (cf. [64]);⁸ the protocol, however, takes exponentially many rounds. It turns out that by additionally assuming that the parties are “port-aware” (i.e., they can correlate messages to sources across rounds), deterministic protocols are possible and some more efficient solutions were proposed [65].

The anonymous synchronous setting for BA without limits on messages per round and hence prone to Sybil attacks [28], was considered by Aspnes et al. [3] who pointed to the potential usefulness of proofs of work (e.g., [5, 31, 48, 70]) as an identity assignment tool, in such a way that the number of identities assigned to the honest and adversarial parties can be made proportional to their aggregate computational power, respectively. For example, by assuming that the adversary’s computational power is less than \(50\%\) , one of the algorithms in [3] results in a number of adversarial identities less than half of the total identities obtained. By running this procedure in a pre-processing stage, it is then suggested that a standard authenticated BA protocol could be run. Such protocols, however, would require the establishment of a consistent PKI (as well as of digital signatures), details of which are not laid out in [3].

In contrast, and as mentioned above, building on our analysis of the Bitcoin backbone protocol, we propose two BA protocols solely based on PoWs that operate in \(O(k)\) rounds with error probability \(e^{-{\mathrm{\Omega }}(k)}\) . The protocols solve BA with overwhelming probability under the assumption that the adversary controls less than \(1/3\) and \(1/2\) of the computational power, respectively. Note that our BA protocols do not require the assignment of identities to parties; furthermore, they require no cryptographic assumption other than the RO model.

The connection between Bitcoin and probabilistic BA was also considered by Miller and LaViola in [58] where they take a different approach compared to ours, by not formalizing how Bitcoin works, but rather only focusing on Nakamoto’s suggestion for BA [60] as a standalone protocol. As we observe here, and also recognized in [58], Nakamoto’s protocol does not quite solve BA since it does not satisfy validity with overwhelming probability. The exact repercussions of this fact are left open in [58], while with our analysis, we provide explicit answers regarding the transaction ledger’s actual properties and the level of security that the Bitcoin backbone realization can offer.

Finally, related to the anonymous setting, the feasibility of secure computation without authenticated links was considered by Barak et al. in [9] in a more extreme model where all messages sent by the parties are controlled by the adversary and can be tampered with and modified (i.e., not only source addresses can be “spoofed,” but also messages’ contents can be altered and messages may not be delivered). It is shown in [9] that it is possible to limit the adversary so that all it can do is to partition the network into disjoint sets, where in each set the computation is secure, and also independent of the computation in the other sets. Evidently, in such system, one cannot hope to build a global ledger.

We refer to [39] for a systematic overview of the consensus problem in the context of blockchain protocols.

Summary of differences with [40]. The most important difference in the current version of the article compared to the original one [40] is the complete rewrite of all our proofs, which now follow a much more streamlined and easier presentation. In particular, this version incorporates the concept of a typical execution that we have in fact introduced in [41] (analysis of the backbone protocol with chains of variable difficulty) and which greatly simplifies our probabilistic analysis, concentrating it on a single theorem (specifically, Theorem 4.5, showing that most executions are typical).

The present version also includes the explicit treatment of security against adaptive adversaries, showing how to reduce the analysis to the case of static adversaries (Section 4.4). We also present an analysis sketch of the Bitcoin backbone protocol in the bounded-delay model against static adversaries, where an (unknown) upper bound is imposed on message delivery (cf. Section 7). This model was considered by Pass et al. [66] and was tackled with a different proof technique; nevertheless, here, we show how our analysis can also extend to the bounded-delay setting and our proof strategy using typical executions can provide a simple security proof. This suggests that the notion of typical executions of [41] and the associated analysis approach are useful tools with the potential of wider applicability in the analysis of blockchain protocols.

In the current version, we refer to the length of the hash function output \(\kappa\) as the (sole) security parameter, and refer to \(\lambda\) —typically the number of consecutive rounds for which a statement would hold—as the tail-bounds parameter. This way, making \(\lambda\) polylogarithmic in the security parameter (e.g., \(\Omega (\log ^2(\kappa))\) ) allows us to clearly express how blockchain properties and applications (e.g., consensus) are satisfied except with negligible probability after that many rounds. Finally, we note that the model in this version makes explicit an upper bound on the number of computation and verification queries to the hash function/random oracle functionality for both honest parties and the adversary.

Organization of the article. The rest of the article is organized as follows. In Section 2, we present our model within which we formally express the Bitcoin backbone protocol and prove its basic properties. The backbone protocol builds “blockchains” based on a cryptographic hash function; we introduce notation for this data structure as well as the backbone protocol itself in Section 3, followed by its analysis in Section 4. Sections 5 and 6 are dedicated to the applications built on top of the backbone protocol—(simple) BA protocols and a robust transaction ledger, respectively. Specifically, Section 5 covers Nakamoto’s suggestion for BA as well as our solution for \(1/3\) adversarial power, while in Section 6, we present our treatment of a robust public ledger (Section 6.1) formalizing the properties of Persistence and Liveness and how they apply to Bitcoin (Section 6.2). We also include in this section (Section 6.3) our BA protocol for \(1/2\) adversarial power. The extension of our analysis to the bounded-delay model is presented in Section 7, while some directions for future research are offered in Section 8.

2 Model and Definitions

In this section, we define our notion of protocol execution and provide a definition of BA in our model. We will describe and analyze our protocols in a multiparty setting that employs elements from previous formulations of secure multiparty computation (MPC) (specifically, Canetti’s formulation of “real world” execution as in [17] and [18, 19, 20]). We adopt the notation and definitions of [20],⁹ while we also employ ideas regarding the formulation of synchronous, proceeding in rounds, secure MPC from [50].

Programs involved in a protocol execution. The execution of a protocol \(\Pi\) is driven by an “environment” program \(\mathcal {Z}\) that may spawn multiple instances running the protocol \(\Pi\) . The programs in question can be thought of as “interactive Turing machines” (ITM) that have communication, input and output tapes. An instance of an ITM running a certain program will be referred to as an ITM instance or ITI. The spawning of new ITI’s by an existing ITI as well as the interaction between them is at the discretion of a control program which is also an ITM and is denoted by C. The pair \((\mathcal {Z}, C)\) is called a system of ITMs [18]. As in this latter article, we will be restricting our exposition to “locally polynomial-bounded” systems of ITM’s which ensures a polynomial-time execution overall [18, Proposition 3]. Moreover, we will be using a more stringent control program C that will be forcing the environment to perform a “round-robin” participant execution sequence for a fixed set of parties.

Specifically, the execution driven by \(\mathcal {Z}\) is defined with respect to a protocol \(\Pi\) , an adversary \(\mathcal {A}\) (also an ITM) and a set of parties \(P_1,\ldots ,P_n\) ; these are hardcoded in the control program C. The protocol \({\mathrm{\Pi }}\) is defined in a “hybrid” setting and has access to two “ideal functionalities,” which are two other ITM’s to be defined below, called the random oracle and the diffusion channel. They are used as subroutines by the programs involved in the execution (the ITI’s of \(\Pi\) and \(\mathcal {A}\) ) and they are accessible by all parties once they are spawned.

Initially, the environment \(\mathcal {Z}\) is restricted by C to spawn the adversary \(\mathcal {A}\) . Each time the adversary is activated, it may send one or more messages of the form \(({\sf Corrupt}, P_i)\) to C. The control program C will register party \(P_i\) as corrupted, only provided that the environment has previously given an input of the form \(({\sf Corrupt}, P_i)\) to \(\mathcal {A}\) and that the number of corrupted parties is less or equal t, a bound that is also hardcoded in C. The first ITI party to be spawned running protocol \(\Pi\) is restricted by C to be party \(P_1\) . After a party \(P_i\) is activated, the environment is restricted to activate party \(P_{i+1}\) , except when \(P_n\) is activated in which case the next ITI to be activated is always the adversary \(\mathcal {A}\) . Note that when a corrupted party \(P_i\) is activated the adversary \(\mathcal {A}\) is activated instead.

Communication and “hashing power.”. We describe next the two functionalities that are accessible to the parties. These functionalities will reflect the parties’ ability (i) to communicate with each other and (ii) to calculate values of a hash function \(H(\cdot):\lbrace 0,1\rbrace ^*\rightarrow \lbrace 0,1\rbrace ^\kappa\) concurrently. We note that they share a state and thus they can be viewed as a single functionality, nevertheless it is convenient to describe them as separate entities.

—

The random oracle (RO) functionality. When queried by honest party \(P_i\) with a value x marked for “calculation” for the function \(H(\cdot)\) (in pseudocode we denote this by \(s\leftarrow H(x)\) ), assuming x has not been queried before, it returns a value y which is selected at random from \(\lbrace 0,1\rbrace ^\kappa\) ; furthermore, it stores the pair \((x,y)\) in the table of \(H(\cdot)\) . Each party \(P_i\) is allowed to ask q calculation queries in each round as determined by the “diffuse” functionality (see below). On the other hand, each party is given unlimited queries for “verification” for the function \(H(\cdot)\) (in pseudocode, \(H(x)=s\) ). (We do not model directly Denial of Service attacks in our model, hence we allow honest parties sufficient time to weed out invalid messages.) In a similar vein, the adversary \(\mathcal {A}\) is given \(t\cdot q\) calculation queries in each round as determined by the diffuse functionality, where t is the number of corrupted parties, and polynomially many verification queries. Note that q is a function of \(\kappa\) . We note that the functionality may maintain tables for functions other than \(H(\cdot)\) as well (for instance, in our protocol descriptions, we will utilise a function \(G(\cdot)\) ), but, by convention the functionality will impose query quotas to function \(H(\cdot)\) only.

—

The diffuse functionality. Initially, the functionality sets a variable round to be 1. It also maintains a Receive string defined for each party \(P_i\) . A party is allowed at any moment to fetch the contents of its personal Receive string. Moreover, when the functionality receives an instruction to diffuse a message m from party \(P_i\) it marks the party as complete for the current round; note that m is allowed to be empty. At any moment, the adversary \(\mathcal {A}\) is allowed to receive the contents of all messages for the round and specify the contents of the Receive string for each party \(P_i\) . The adversary has to specify when it is complete for the current round. When all parties are complete for the current round, the functionality inspects the contents of all Receive strings and includes any messages m that were diffused by the parties in the current round but not contributed by the adversary to the Receive tapes. The variable round is then incremented. We note that by convention, if a party does not want to “speak” in a given round, it will still diffuse the “ \(\bot\) ” symbol to signal that it has completed its program for the current round.¹⁰

We note that by adopting the resource-bounded computation modeling of systems of ITM’s by [20] we obviate the need of imposing a strict upper bound on the number of messages that may be transmitted by the adversary in each activation. In our setting, honest parties, at the discretion of the environment, are given sufficient time to process all messages delivered via the diffuse functionality including all messages that are injected by the adversary. This is also facilitated by the fact that the q bound that is imposed on queries to \(H(\cdot)\) is not imposed for hash verification (with foresight, the q-bound will be only imposed for hash computations during the PoW stage of the protocol).

Note that the above formulation also reflects the fact that the communication graph is not fully connected and messages are delivered through “diffusion”, a communication means that reflects Bitcoin’s peer-to-peer structure. As evidenced by the above, our adversarial model in the network is “adaptive,” meaning that the adversary is allowed to take control of parties on the fly, and “rushing,” meaning that in any given round the adversary gets to see all honest players’ messages before deciding his strategy, and, furthermore, there is no definite source information that can be guaranteed for each delivered message. Note that the adversary cannot change the contents of the messages sent by honest parties nor prevent them from being delivered as restricted by the diffuse functionality. Effectively, this parallels communication over TCP/IP in the Internet where messages between parties are delivered reliably, but nevertheless malicious parties may “spoof” the source of a message they transmit and make it appear as originating from an arbitrary party (including another honest party) in the view of the receiver. Note that the adversary is permitted to abuse the diffusion mechanism and attempt to confuse honest parties by sending and delivering inconsistent messages to them (thus diffuse does not constitute a reliable broadcast).¹¹

The parties’ inputs are provided by the environment \(\mathcal {Z}\) which also receives the parties’ outputs. Parties that receive no input from the environment remain inactive, in the sense that they will not act when their turn comes in each round. The environment activates parties in each round by writing to their input tape. Note that C forces the environment to give all parties an activation in round-robin fashion. In our exposition, we will denote by Input the input tape of each party.

The q-bounded synchronous setting. Based on the above, we will use the notation { view \(^{P,t,n}_{{\mathrm{\Pi }}, \mathcal {A},\mathcal {Z}}(z)\rbrace _{z\in \lbrace 0,1\rbrace ^*}\) to denote the random variable ensemble describing the view of party P after the completion of an execution with environment \(\mathcal {Z}\) , running protocol \({\mathrm{\Pi }}\) , and adversary \(\mathcal {A}\) , on auxiliary input \(z\in \lbrace 0,1\rbrace ^*\) . The view contains all messages sent to and received from the two functionalities the party P has access to, as well as the environment.

In our exposition, we are concerned with a “stand-alone” execution of \({\mathrm{\Pi }}\) and thus we will consider z to be fixed to \(1^\kappa\) for \(\kappa \in \mathbb {N}\) . For this reason, we will simply refer to the ensemble by view \(^{P,t,n}_{{\mathrm{\Pi }},\mathcal {A},\mathcal {Z}}\) . If n parties \(P_1,\ldots , P_n\) execute \({\mathrm{\Pi }}\) , the concatenation of the view of all parties 〈view \(^{P_i,t,n}_{{\mathrm{\Pi }}, \mathcal {A},\mathcal {Z}} \rangle _{i=1,\ldots ,n}\) is denoted by view \(^{t,n}_{{\mathrm{\Pi }}, \mathcal {A},\mathcal {Z}}\) (the views of corrupted parties, by convention, are empty). With foresight, we note that, in contrast to the standard setting where parties are aware of the number of parties executing the protocol, we are interested in protocols \({\mathrm{\Pi }}\) that do not make explicit use of the number of parties n or their identities. Further, note that because of the unauthenticated nature of the communication model the parties may never be certain about the number of participants in a protocol execution. Nonetheless note that the number of parties is fixed during the course of the protocol execution, as this is hardcoded in the control program C.

The parties’ limited ability to produce PoWs is reflected in the limit imposed to all parties in their access of the function \(H(\cdot)\) . Parties are allowed to perform a number of queries q per round. We remark that this is a “flat-model” interpretation of the parties’ computation power, where all parties are assumed equal. In the real world, different honest parties may have different “hashing power;” nevertheless, our flat-model does not sacrifice generality since one can imagine that real honest parties are simply clusters of some arbitrary number of honest flat-model parties. The adversary \(\mathcal {A}\) is allowed to perform \(t^{\prime }\cdot q\) queries per round, where \(t^{\prime }\le t\) is the number of corrupted parties. The environment \(\mathcal {Z}\) , on the other hand, is not permitted any queries to \(H(\cdot)\) . The rationale for this is that we would like to bound the “CPU power” [59] of the adversary to be proportional to the number of parties it controls while making it infeasible for them to be aided by external sources or by transferring the hashing power potentially invested in concurrent or previous protocol executions. This underscores the fact that our analysis is in the standalone setting, where a single protocol instance is executed in isolation.

We will refer to all the above restrictions on the environment, the parties and the adversary as the q-bounded synchronous setting.

Properties of protocols. In our theorems, we will be concerned with properties of protocols \(\Pi\) in the q-bounded synchronous setting. Such properties will be defined as predicates over the random variable view \(^{t,n}_{{\mathrm{\Pi }}, \mathcal {A},\mathcal {Z}}\) by quantifying over all possible adversaries \(\mathcal {A}\) and environments \(\mathcal {Z}\) that are polynomially bounded. Note that all our protocols will only satisfy properties with a small probability of error in \(\kappa\) as well as in potentially other parameters. The probability space is determined by the random choices of the random oracle functionality as well as the private coins of all ITI’s.

Definition 2.1.

Given a predicate Q and a bound \(q,t,n\in \mathbb {N}\) with \(t\lt n\) , we say that the protocol \({\mathrm{\Pi }}\) satisfies property Q in the q-bounded setting for n parties assuming the number of corruptions is bounded by t, provided that for all polynomial-time \(\mathcal {Z}, \mathcal {A}\) , the probability that Q (view \(^{t,n}_{{\mathrm{\Pi }},\mathcal {A},\mathcal {Z}})\) is false is negligible in \(\kappa\) .

Note that we will only consider properties that are polynomial-time computable predicates.

Remark 1.

We remark that the above framework is sufficiently expressive to capture both “safety” and “liveness” properties in our model, since view \(^{t,n}_{{\mathrm{\Pi }},\mathcal {A},\mathcal {Z}}\) captures a concept of time via the interaction of parties with the diffuse functionality, which also acts as a round synchronizer.

BA. As a simple illustration of the formulation above we define the properties of a BA protocol.

Definition 2.2.

A protocol \(\Pi\) solves BA in the q-bounded synchronous setting provided it satisfies the following two properties:

—

Agreement. There is a round after which all honest parties return the same output if queried by the environment.

—

Validity. The output returned by an honest party P equals the input of some party \(P^{\prime }\) at round 1 that is honest at the round P’s output is produced.

We note that in our protocols, the participants are capable of detecting agreement and furthermore they can also detect whether other parties detect agreement, thus termination can be easily achieved by all honest parties. In the traditional cryptographic setting with no trusted setup, it is known that the problem does not have a solution if \(t \ge \frac{n}{3}\) [16]. Interestingly, one of our PoW-based BA protocols works for \(t \lt \frac{n}{2}\) (in the Random Oracle model), assuming only a simultaneous start without a PKI, the same bound that is achievable when a PKI is available.

The formulation of Validity above is intended to capture security/correctness against adaptive adversaries. The notion (specifically, the requirement that the output value be one of the honest parties’ inputs) has also been called “Strong Validity” [62], but the distinction is only important in the case of non-binary inputs. In either case, it is known that in the synchronous cryptographic setting with trusted setup the problem has a solution if and only if \(n \gt |V| t\) , where V is the input/decision domain [35]. Our PoW-based protocol also achieves this bound.

Remark 2.

One may consider a model where a certain percentage of the honest parties is not always able to receive all messages broadcast on the network. We point out that such a situation is subsumed by our adversarial model: simply we let the adversary control these players and simulate them honestly while dropping messages from their incoming tape arbitrarily. Of course, to apply the theorems we prove, one should adjust the total power of the adversary accordingly and add these parties to the adversarial ones.

3 The Bitcoin Backbone Protocol

We start by introducing blockchain notation. Let \(G(\cdot),H(\cdot)\) be cryptographic hash functions with output in \(\lbrace 0,1\rbrace ^\kappa\) . A block is any triple of the form \(B=\langle s, x, ctr\rangle\) where \(s\in \lbrace 0,1\rbrace ^\kappa , x \in \lbrace 0,1\rbrace ^*, ctr\in \mathbb {N}\) are such that satisfy predicate \(\mathsf {validblock}^T_q(B)\) defined as follows:

\begin{equation*} (H(ctr, G(s, x)) \lt T) \wedge (ctr\le q). \end{equation*}

The parameter \(T\in \mathbb {N}\) is also called the block’s difficulty level. The parameter \(q \in \mathbb {N}\) is a bound that in the Bitcoin implementation determines the size of the register ctr; in our treatment, we allow this to be arbitrary, and use it to denote the maximum allowed number of hash queries in a round. We do this for convenience and our analysis applies in a straightforward manner to the case that ctr is restricted to the range \(0 \le ctr \lt 2^{32}\) and q is independent of ctr.

A blockchain, or simply a chain is a sequence of blocks and their hash values in the form of pairs \((B,s)\) . The rightmost block and its hash value is the head of the chain, denoted \(\mathrm{head}(\mathcal {C})\) . Note that the empty string \(\varepsilon\) is also a chain; by convention we set \(\mathrm{head}(\varepsilon) = \varepsilon\) . A chain \(\mathcal {C}\) with \(\mathrm{head}(\mathcal {C}) = (\langle s^{\prime },x^{\prime },ctr^{\prime }\rangle , s)\) can be extended to a longer chain by appending a valid block \(B = \langle s, x, ctr \rangle\) and its hash value \(H(ctr, G(s,x))\) . In case \(\mathcal {C}=\varepsilon\) , by convention, any valid block of the form \(B=\langle s,x,ctr\rangle\) may extend it. Note that in this case s can be an arbitrary string¹² and we may refer to B as the “genesis” block. In either case, we have an extended chain \(\mathcal {C}_\mathsf {new} = \mathcal {C}{\color {black} || (B,s_\mathsf {new})}\) that satisfies \(\mathrm{head}(\mathcal {C}_\mathsf {new}) = (B,s_\mathsf {new})\) . Note that, for brevity, we may simply write B instead of \((B,s_\mathsf {new})\) .

The length of a chain \(\mathop {\rm len}(\mathcal {C})\) is its number of blocks. Given a chain \(\mathcal {C}\) that has length \(\mathop {\rm len}(\mathcal {C})=n\gt 0\) we can define a vector \(\mathbf {x}_\mathcal {C}= \langle x_1,\ldots , x_n\rangle\) that contains all the x-values that are stored in the chain such that \(x_i\) is the value of the ith block.

Consider a chain \(\mathcal {C}\) of length m and any nonnegative integer k. We denote by \(\mathcal {C}^{\lceil k}\) the chain resulting from the “pruning” the k rightmost blocks. Note that for \(k\ge \mathop {\rm len}(\mathcal {C})\) , \(\mathcal {C}^{\lceil k}=\varepsilon\) . If \(\mathcal {C}_1\) is a prefix of \(\mathcal {C}_2\) we write \(\mathcal {C}_1 \preceq \mathcal {C}_2\) .

We note that Bitcoin uses chains of variable difficulty, that is, the value T may change across different blocks within the same chain according to some rule that is determined by the x values stored in the chain.¹³ This is done to account for the fact that the number of parties (and hence the total hashing power of the system) is variable from round to round (as opposed to the unknown but fixed number of parties n we assume). See Section 8 for further discussion. We are now ready to describe the protocol.

3.1 The Backbone Protocol

The Bitcoin backbone protocol is executed by an arbitrary number of parties over an unauthenticated network. For concreteness, we assume that the number of parties running the protocol is n; however, parties need not be aware of this number when they execute the protocol. As mentioned in Section 2, communication over the network is achieved by utilizing a send-to-all Diffuse functionality that is available to all parties (and maybe abused by the adversary in the sense of delivering different messages to different parties). Each party maintains a blockchain, as defined above, starting from the empty chain and mining a block that contains the value \(s_\mathsf {init}\) (by convention this is the “genesis block”). Each party’s chain may be different, but, as we will prove, under certain well-defined conditions, the chains of honest parties will share a large common prefix. (Figure 2 depicts the local view of each party as well as the shared portion of their chains.)

Fig. 2.

In the protocol description, we intentionally avoid specifying the type of values that parties try to insert in the chain, the type of chain validation they perform (beyond checking for its structural properties with respect to the hash functions \(G(\cdot),H(\cdot)\) ), and the way they interpret the chain. In our description, these actions are abstracted by the external functions \(V(\cdot), I(\cdot), R(\cdot)\) which are specified by the application that runs “on top” of the backbone protocol. We will purposely leave these functions undetermined in our description assuming they conform to the following specifications. We will provide explicit instantiations of them in Section 5. Briefly, they are described as follows:

—

Content validation predicate \(V(\cdot)\) . The content validation predicate receives as input the content of a chain \(\mathcal {C}\) , denoted by \(\mathbf {x}_\mathcal {C}\) , and will return 1 if and only if the contents are consistent with the intended application implemented on top of the chain. In its simplest form, \(V(\cdot)\) can ensure that the elements of \(\mathbf {x}_\mathcal {C}\) are of the proper type.

—

Input contribution function \(I(\cdot)\) . It receives as input a tuple, \((st, \mathcal {C}, round\) , Input, Receive), that stands, respectively, for state data st, current chain \(\mathcal {C}\) , current round round, contents of input tape Input and contents of network tape Receive. Given these, it will produce an updated state \(st^{\prime }\) as well as an input x that should be the next input to be inserted in a block. For instance, \(I(\cdot)\) can be as simple as copying the contents of the input tape into x and keeping \(st=\epsilon\) , or performing a more complex operation that involves parsing \(\mathcal {C}\) or even maintaining old input values that have not yet been processed as part of the state st.

—

Chain reading function \(R(\cdot)\) . It receives as input a chain \(\mathcal {C}\) and provides an interpretation of it. In the simplest case it can be just returning \(x_\mathcal {C}\) and leaving it to the callee to process the contents of the chain.

In general our treatment will be independent of the exact operation of \(V,I,R\) apart from requiring the following minimal set of conditions.

(1)

Input Validity. The input contribution function should produce values that are deemed acceptable by the content validation predicate. Formally, for any chain \(\mathcal {C}\) with \(\mathbf {x}_\mathcal {C}= \langle x_1,\ldots ,x_n\rangle\) , the value x produced by an invocation of \(I(\cdot , \mathcal {C},\cdot , \cdot , \cdot)\) should satisfy \(V(\langle x_1,\ldots ,x_{n},x\rangle)=1\) . By convention, \(V(\varepsilon) = 1\) .

(2)

Input Entropy. The probability of the event that two independent invocations of \(I(st, \mathcal {C}, round, v, w)\) , where \(st, \mathcal {C}, round, v,w\) are arbitrary values consistent with the input of \(I(\cdot)\) , result in the same output value x is negligible in \(\kappa\) . With foresight we note that this property is needed to break the symmetry between honest participants.

The Bitcoin backbone protocol is specified as Algorithm 4. Before describing it in detail, we first introduce the protocol’s three supporting algorithms.

Chain validation. The first algorithm, called \(\mathsf {validate}\) performs a validation of the structural properties of a given chain \(\mathcal {C}\) , cf. Algorithm 1. It is given as input the values q and T, as well as a hash function \(H(\cdot)\) . It is parameterized by the content validation predicate \(V(\cdot)\) . For each block of the chain, the algorithm checks that the PoW is properly solved, that the counter ctr does not exceed q and that the hash of the previous block is properly included in the block. It further collects all the inputs from the chain’s blocks and assembles them into a vector \({\mathbf {x}}_\mathcal {C}\) . If all blocks verify and \(V(\mathbf {x}_\mathcal {C})\) is true then the chain is valid; otherwise it is rejected. As mentioned we purposely leave the predicate \(V(\cdot)\) undetermined.

Chain comparison. The objective of the second algorithm, called \(\mathsf {maxvalid}\) , is to find the “best possible” chain when given a set of chains, cf. Algorithm 2. The algorithm is straightforward and is parameterized by a \(\max (\cdot)\) function that applies some ordering in the space of chains. The most important aspect is the chains’ length, in which case \(\max (\mathcal {C}_1, \mathcal {C}_2)\) will return the longest of the two. In case \(\mathop {\rm len}(\mathcal {C}_1) = \mathop {\rm len}(\mathcal {C}_2)\) , some other characteristic can be used to break the tie. In our case, \(\max (\cdot , \cdot)\) will always return the first operand¹⁴; alternatively, other options exist, such as lexicographic order or picking a chain at random. The analysis we will perform will essentially be independent of the tie-breaking rule.¹⁵

Proof of work. The third algorithm, called \(\mathsf {pow}\) , is the main “workhorse” of the backbone protocol, cf. Algorithm 3. It takes as input a chain and a value x and attempts to extend it via solving a PoW. This algorithm is parameterized by two hash functions \(H(\cdot),G(\cdot)\) (which in our analysis will be modeled as random oracles),¹⁶ as well as two positive integers \(q,T\) ; q represents the number of times the algorithm is going to attempt to brute-force the hash function inequality that determines the PoW instance, and T determines the “difficulty” of the PoW. The algorithm works as follows. Given a chain \(\mathcal {C}\) and a value x to be inserted in the chain, it hashes these values to obtain h and initializes a counter ctr. Subsequently, it increments ctr and checks to see whether \(H(ctr, h) \lt T\) ; this is the only invocation of \(H(\cdot)\) that is subject to the bound q. If a suitable ctr is found then the algorithm succeeds in solving the PoW and extends chain \(\mathcal {C}\) by one block inserting x as well as ctr (which serves as the PoW). If no suitable ctr is found, the algorithm simply returns the chain unaltered. (See Algorithm 3.)

The backbone protocol. Given the three algorithms above, we are now ready to describe the Bitcoin backbone protocol, cf. Algorithm 4. This is the protocol that is executed by the miners and which is assumed to run “indefinitely” (our security analysis will apply when the total running time is polynomial in \(\kappa\) ). It is parameterized by two functions, the input contribution function \(I(\cdot)\) and the chain reading function \(R(\cdot)\) , which is applied to the values stored in the chain.

Each miner starts a round with a local chain \(\mathcal {C}\) (we say that the miner has chain \(\mathcal {C}\) at this round) and checks its communication tape Receive to see whether a “better” chain has been received and in such case it adopts it resulting in chain \(\tilde{\mathcal {C}}\) (we say that the miner adopts chain \(\tilde{\mathcal {C}}\) at this round). Choosing the chain \(\tilde{\mathcal {C}}\) is done using the \(\mathsf {maxvalid}\) function; note that it could be that \(\mathcal {C}= \tilde{\mathcal {C}}\) . Then, the miner attempts to extend \(\tilde{\mathcal {C}}\) by running the PoW algorithm \(\mathsf {pow}\) described above.

The value that the miner attempts to insert in the chain is determined by function \(I(\cdot)\) . The input to \(I(\cdot)\) is the state st, the current chain \(\mathcal {C}\) , the contents of the miner’s input tape Input (recall that they can be written by the environment \(\mathcal {Z}\) at the beginning of any round) and communication tape Receive, as well as the current round number round. The protocol expects two types of entries in the input tape, Read, and (Insert, value); other inputs are ignored.

As mentioned, we purposely leave the functions \(I(\cdot), R(\cdot)\) undetermined in the description of the backbone protocol, as their specifics will vary according to the application. When the input x is determined by \(I(\cdot)\) , the protocol attempts to insert it into the chain \(\mathcal {C}\) by invoking \(\mathsf {pow}\) . In case the local chain \(\mathcal {C}\) is modified during the above steps, the protocol transmits (“broadcasts”) the new chain to the other parties. Finally, in case a Read symbol is present in the communication tape, the protocol applies function \(R(\cdot)\) to its current chain and writes the result onto the output tape Output. The round ends when the algorithm diffuses a message ( \(\bot\) in case no message is to be diffused).

3.2 (Desired) Properties of the Backbone Protocol

We next define the two main properties of the backbone protocol that we will prove. The first property is called the common prefix property and is parameterized by a value \(k\in \mathbb {N}\) . It considers an arbitrary environment and adversary in the q-bounded setting, and it holds as long as removing k blocks from an honest party’s chain results to a prefix of another honest party’s chain.

Definition 3.1 (Common Prefix Property).

The common prefix property \(Q_\mathsf {cp}\) with parameter \(k\in \mathbb {N}\) states that for any pair of honest players \(P_1,P_2\) adopting the chains \(\mathcal {C}_1, \mathcal {C}_2\) at rounds \(r_1\le r_2\) , respectively, for any \(r_1,r_2\) , it holds that \(\mathcal {C}_1^{\lceil k} \preceq \mathcal {C}_2\) .

We note that this is a stronger version of the common prefix property compared to the one originally considered in [40], where the property was stated for \(r_1= r_2\) . The stronger formulation enables a more modular proof of the Persistence property in Section 6.1 and for this reason we opt for it here. This was observed in [66]. Note also that \(P_1\) and \(P_2\) could be the same party.

The second property, which we call the Chain Quality property, aims at expressing the number of honest-player contributions that are contained in a sufficiently long and continuous part of an honest player’s chain. Specifically, for parameters \(\ell \in \mathbb {N}\) and \(\mu \in (0,1)\) , the rate of adversarial block contributions in a continuous part of an honest party’s chain of length at least \(\ell\) is bounded by \(1-\mu\) .¹⁷ This is intended to capture that at any moment that an honest player looks at a sufficiently long part of its blockchain, that part will be of sufficient “quality,” that is, the number of adversarial blocks present in that portion of the chain will be suitably bounded.

Definition 3.2 (Chain Quality Property).

The chain quality property \(Q_\mathsf {cq}\) with parameters \(\mu \in \mathbb {R}\) and \(\ell \in \mathbb {N}\) states that for any honest party P adopting a chain \(\mathcal {C}\) at some round, it holds that for any \(\ell\) consecutive blocks of \(\mathcal {C}\) the ratio of honest blocks is at least \(\mu\) .

It is easy to see that, in the absence of an adversary, any set of, say, h honest parties, obtain as many blocks as their proportion of the total hashing power, that is, \(h/n\) . We say that a protocol \(\Pi\) satisfies ideal chain quality if this is the case for adversarial parties as well, that is, \(\mu = 1-t/n\) with respect to those parties. The ideal chain quality is not achieved by the Bitcoin backbone protocol, cf. Theorem 4.13.).

A third property that is convenient to consider in conjunction with the above two and was introduced in follow up work, [51], to our original exposition is chain growth.

Definition 3.3 (Chain Growth Property).

The chain growth property \(Q_\mathsf {cg}\) with parameters \(\tau ,\tau ^{\prime } \in \mathbb {R}\) and \(s \in \mathbb {N}\) states that for any honest party P that has a chain \(\mathcal {C}\) at some round, it holds that after any s consecutive rounds it adopts a chain that is at least \(\tau \cdot s\) blocks longer than \(\mathcal {C}\) .

As mentioned in the introduction, in our original exposition [40] this property was not identified explicitly but rather proven and used directly in the form of a lemma. Nevertheless, as observed in [51], identifying it as a separate property, allows making more modular our proof arguments and for this reason we adopt it here as well. As expressed above, a lower bound is only required for chain growth, however, we note that we also prove an upper bound.

4 Analysis of the Bitcoin Backbone

In this section, we perform the analysis of the protocol presented in the previous section. We will first consider the case of static adversaries; then, in Section 4.4, we will show how an adaptive adversary reduces to a static one.

4.1 Definitions and Preliminary Lemmas

Recall \(\lbrace 0,1\rbrace ^\kappa\) is the range of \(H(\cdot)\) . Recall that n is the number of parties, t of which can be corrupted by the adversary. In the analysis, we are going to assume that the honest parties are sufficiently greater in number than the parties the adversary controls. In particular, we are going to require the following (cf. Table 1 for the definition all of the relevant parameters).

Table 1.

\(\kappa\) : security parameter; length of the hash function output

\(\lambda\) : tail-bounds parameter

n: number of parties mining; t out of which are controlled by the adversary

T: the target hash value used by parties for solving PoWs

t: number of parties controlled by the adversary

\(\delta\) : advantage of honest parties, \((t/ (n-t) \le 1-\delta)\)

f: probability at least one honest party succeeds in finding a PoW in a round

\(\epsilon\) : quality of concentration of random variables in typical executions, cf. Definition 4.4

k: number of blocks for the common prefix property

\(\ell\) : number of blocks for the chain quality property

\(\mu\) : chain quality parameter

s: number of rounds for the chain growth property

\(\tau\) : chain growth parameter

\(\nu\) : min-entropy of \(I(\cdot)\)

L: the total run-time of the system

Q: an upper bound on the number of computation or verification queries to \(G,H\)

\(\epsilon _\mathsf {typ}\) : probability of error in a typical execution.

Table 1. The Parameters in Our Analysis

Positive integers \(n,t,L,Q,s,\ell ,T,k,\kappa\) where \(\log T\) is linearly related to \(\kappa\) ; positive reals \(f,\epsilon ,\delta ,\mu ,\nu ,\tau ,\lambda\) , where \(f,\epsilon ,\delta ,\mu ,\nu \in (0,1)\) .

Honest Majority Assumption. There exist \(\epsilon , \delta , f \in (0,1]\) such that a number of t out of n parties are corrupted with \(t\le (1-\delta)(n-t)\) and \(3f+3\epsilon \lt \delta\) .

Remark 3.

It is worth noting in the above assumption the influence of round duration. Intuitively, the longer the round duration, the higher the value of f is and hence the assumption becomes stronger in terms of the bound imposed on the adversary.

It will be useful for verifying some calculations to note that \(3f+3\epsilon \lt \delta \le 1\) implies \((1+\epsilon)(1+f)\lt (1-\epsilon)(1-f)(1+\delta)\lt (1-\epsilon)(1-f)/(1-\delta)\) and \(f,\epsilon \lt \frac{\delta }{3}\le 1/3\) .

We will call a query of a party successful if it submits a pair \((ctr,h)\) such that \(H(ctr,h)\le T\) . For a positive integer k, let \([k]=\lbrace 1,2,\dots ,k\rbrace\) . For each round i, \(j\in [q]\) , and \(k\in [t]\) , we define Boolean random variables \(X_i,Y_i\) and \(Z_{ijk}\) as follows. If at round i an honest party obtains a PoW, then \(X_i=1\) , otherwise \(X_i=0\) . If at round i exactly one honest party obtains a PoW, then \(Y_i=1\) , otherwise \(Y_i=0\) . Regarding the adversary, if at round i, the jth query of the kth corrupted party is successful, then \(Z_{ijk}=1\) , otherwise \(Z_{ijk}=0\) . Define also \(Z_i=\sum _{k=1}^t\sum _{j=1}^qZ_{ijk}\) . For a set of rounds S, let \(X(S)=\sum _{r\in S}X_r\) and similarly define \(Y(S)\) and \(Z(S)\) . Further, if \(X_i=1\) , we call i a successful round and if \(Y_i=1\) , a uniquely successful round. Uniquely successful rounds have the following important property.

Lemma 4.1.

Suppose the kth block B of a chain \(\mathcal {C}\) was computed by an honest party in a uniquely successful round. Then the kth block of a chain \(\mathcal {C}^{\prime }\) either is B or has been computed by the adversary.

Proof.

Suppose \(B^{\prime }\) is the kth block of a chain \(\mathcal {C}^{\prime }\) that has been computed by an honest party and \(B^{\prime }\) is not B. Since B was computed in a uniquely successful round, B and \(B^{\prime }\) cannot have been computed in the same round. Let r be the earliest round on which B or \(B^{\prime }\) was computed. Since it was computed by an honest party, every other honest party will receive it in the next round and so will adopt a chain of length at least k. It follows that every block computed after round r will be extending a chain of length more than k. □

An important parameter of the protocol is the probability that at least one honest party computes a solution at given round. We denote this parameter by f and for any round i we have

\begin{equation} (1-f)pq(n-t)\lt f=\mathbb {E}[X_i]=1-(1-p)^{q(n-t)}\lt pq(n-t) , \end{equation}

(1)

where \(p=T/2^\kappa\) is the probability of success of a single query. The upper bound follows by Bernoulli’s inequality. The derivation of the lower bound is as follows.

\begin{equation*} \frac{f}{1-f}=\frac{1-(1-p)^{q(n-t)}}{(1-p)^{q(n-t)}} =(1-p)^{-q(n-t)}-1 \gt (1+p)^{q(n-t)}-1 \gt pq(n-t) . \end{equation*}

The first inequality is because \(1/(1-x)\gt 1+x\) for any \(x\in (0,1)\) and the second is Bernoulli’s inequality.

We now provide bounds for the random variables defined above,¹⁸ which relate their expectations to f. With respect to the honest parties we have

\begin{equation} \mathbb {E}[Y_i] \ge q(n-t)p(1-p)^{q(n-t)-1} \gt pq(n-t)[1-pq(n-t)] \ge f(1-f) \gt \Bigl (1-\frac{\delta }{3}\Bigr)f . \end{equation}

(2)

For the first inequality we estimate from below pretending that honest parties make all q queries even after a successful one and summing over all queries the probability that it is the only successful one. The next inequality follows after multiplying by \(1-p\) and applying Bernoulli’s inequality. The last inequality follows from the fact that \(x\mapsto x(1-x)\) is increasing in \((0,\frac{1}{2})\) , since \(f\lt pq(n-t)\lt f/(1-f)\lt \frac{\delta }{3}/(1-\frac{\delta }{3})\le \frac{1}{2}\) (we used the bounds on f above and the assumption \(3\epsilon +3f\lt \delta \le 1\) ). With respect to the expected number of blocks the adversary can compute in a single round we note the bound

\begin{equation} \mathbb {E}[Z_i]=pqt=\frac{t}{n-t}\cdot pq(n-t) \lt \frac{t}{n-t}\cdot \frac{f}{1-f} \lt \Bigl (1+{\frac{\delta }{2}}\Bigr)\cdot f\cdot \frac{t}{n-t} . \end{equation}

(3)

The inequality follows from the bounds in (1) and \(f\lt \delta /3\le 1/3\) .

We next prove the Chain Growth Lemma. It states that, at any round, the length of any honest party’s chain will be at least as large as the number of successful rounds. As a consequence, the chain of honest parties will grow at least at the rate of successful rounds, no matter what strategy the adversary employs.

Lemma 4.2 (Chain Growth Lemma).

Suppose that at round r an honest party has a chain of length \(\ell\) . Then, by round \(s\ge r\) , every honest party has adopted a chain of length at least \(\,\ell +\sum _{i=r}^{s-1}X_i\) .

Proof.

By induction on \(s-r\ge 0\) . For the basis ( \(s=r\) ), observe that if at round r an honest party has¹⁹ a chain \(\mathcal {C}\) of length \(\ell\) , then that party diffused \(\mathcal {C}\) at a round earlier than r. It follows that every honest party will receive \(\mathcal {C}\) by round r.

For the inductive step, note that by the inductive hypothesis every honest party has received a chain of length at least \(\ell ^{\prime }=\ell +\sum _{i=r}^{s-2}X_i\) by round \(s-1\) . When \(X_{s-1}=0\) the statement follows directly, so assume \(X_{s-1}=1\) . Observe that every honest party queried the oracle with a chain of length at least \(\ell ^{\prime }\) at round \(s-1\) . If follows that all honest parties successful at round \(s-1\) broadcast a chain of length at least \(\ell ^{\prime }+1\) . Since \(\ell ^{\prime }+1=\ell +\sum _{i=r}^{s-1} X_i\) , this completes the proof. □

We now define our typical set of executions. Informally, this set consists of those executions with polynomially many rounds and with the property that the sum of the \(X,Y,Z\) variables over any \(\lambda =\Omega (\kappa)\) consecutive rounds does not deviate too much from its expectation.

First, we define a few bad events relevant to the properties of the hash function. In the random oracle model (as long as the execution is polynomially bounded in \(\kappa\) ), these events occur with probability exponentially small in \(\kappa\) .

Definition 4.3.

An insertion occurs when, given a chain \(\mathcal {C}\) with two consecutive blocks B and \(B^{\prime }\) , a block \(B^*\) created after \(B^{\prime }\) is such that \(B,B^*,B^{\prime }\) form three consecutive blocks of a valid chain. A copy occurs if the same block exists in two different positions. A prediction occurs when a block extends one which was computed at a later round. A guess occurs when a verification query \(H(x)=y\) returns true, while no computation query for x precedes it.

Remark 4.

Non-occurrence of all the above events will allow us to assume in the analysis that all adversarial blocks have been computed using oracle queries in a certain sequence of rounds.

Definition 4.4 (Typical Execution).

An execution is \((\epsilon ,\lambda)\) -typical (or just typical), for \(\epsilon \in (0,1)\) and integer \(\lambda \ge 2/f\) , if, for any set S of at least \(\lambda\) consecutive rounds, the following hold.

(a)

\((1-\epsilon)\mathbb {E}[X(S)]\lt X(S)\lt (1+\epsilon)\mathbb {E}[X(S)]\) and \((1-\epsilon)\mathbb {E}[Y(S)]\lt Y(S)\) .

(b)

\(Z(S)\lt \mathbb {E}[Z(S)]+\epsilon \mathbb {E}[X(S)]\) .

(c)

No insertions, no copies, no guesses, and no predictions occurred.

Theorem 4.5.

An execution is not typical with probability less than

\begin{equation*} \epsilon _\mathsf {typ} = 4L^2e^{-\Omega (\epsilon ^2\lambda f)} + 3Q^22^{-\kappa } + [(n-t)L]^22^{-\nu } . \end{equation*}

Proof.

First we note that the input entropy requirement on the input contribution function \(I(\cdot)\) , allows us to condition our probability space on the event that no two honest parties in a polynomially bounded execution queried the \(H(\cdot)\) oracle with the same input. Since there are at most \((n-t)L\) honest queries, the probability this event does not occur is at most \({(n-t)L\choose 2}2^{-\nu }\lt [(n-t)L]^22^{-\nu }\) . In this space, the variables \(X_i\) (and similarly \(Y_i\) ) are independent Bernoulli trials. It follows from the standard Chernoff bound, that each of the four bounds in parts (a) and (b) fails for any S with probability at most \(e^{-\Omega (\epsilon ^2\lambda f)}\) .

For part (c) and \(i\in \lbrace 1,2,3\rbrace\) , let \(B_i=\langle s_i,x_i,ctr_i\rangle\) and \(g_i=G(s_i,x_i)\) . There are at most Q queries posed to G and H, see Table 1. It follows that the probability of a collision occurring is at most \({Q\choose 2}2^{-\kappa }\lt Q^22^{-\kappa }\) . We observe now that if a block extends two distinct blocks, then a collision has occurred. To see this, suppose block \(B_3\) extends two distinct blocks \(B_1\) and \(B_2\) . Then \(s_3=H(ctr_1,g_1)=H(ctr_2,g_2)\) , implying a collision either in H or in G, since \(B_1\) and \(B_2\) are distinct. It is not hard to see that an insertion or a copy imply the existence of a block that extends two distinct blocks (consider the first time such an event occurs). Next, suppose a prediction occurs and block \(B_2\) extends a block \(B_3\) computed at a later round. This means that the hash value the oracle assigned \(B_3\) equals \(s_2\) , which should be an answer of the oracle to a previous query. It follows that the probability a prediction occurs is at most \(Q^2/2^{\kappa }\) . Finally, suppose a guess occurs involving x. The probability this happens at the jth query is less than \(1/(2^\kappa -j+1)\) . Since at most Q verification queries are allowed, then the probability a guess occurs is at most

\begin{equation*} \frac{1}{2^\kappa }+\frac{1}{2^\kappa -1}+\cdots +\frac{1}{2^\kappa -Q+1} \le \int ^{2^\kappa }_{2^\kappa -Q}\frac{1}{x}\ dx =\ln \Bigl (\frac{2^\kappa }{2^\kappa -Q}\Bigr) \lt \frac{Q}{2^\kappa }+\Bigl (\frac{Q}{2^\kappa }\Bigr)^2 \lt \frac{Q^2}{2^\kappa }. \end{equation*}

The statement of the theorem follows easily by applying the union bound. □

Remark 5.

Choosing \(\lambda =\Omega (\log ^2\kappa)\) , the execution fails to be typical with negligible probability in the security parameter \(\kappa\) . We are going to show that all the properties required for our applications hold for a typical execution.

The next lemma is simple, but will make convenient the appeal to the properties of a typical execution.

Lemma 4.6.

The following hold for any sequence S of at least \(\lambda\) consecutive rounds in an \((\epsilon ,\lambda)\) -typical execution.

(a)

\((1-\epsilon)f|S|\lt X(S)\lt (1+\epsilon)f|S|\quad \text{and}\quad \bigl (1-\frac{\delta }{3}\bigr)f|S|\lt (1-\epsilon)f(1-f)|S|\lt Y(S).\)

(b)

\(Z(S)\lt \frac{t}{n-t}\cdot \frac{f}{1-f}\cdot |S|+\epsilon f|S| \le \bigl (1-\frac{2\delta }{3}\bigr)f|S|.\)

(c)

For \(S=\lbrace i:r\lt i\lt s\rbrace\) and \(S^{\prime }=\lbrace i:r\le i\le s\rbrace\) , \(Z(S^{\prime })\lt Y(S).\)

Proof.

(a) The first set of inequalities in part (a) follows by the bounds of (1), since by linearity of expectation \(\mathbb {E}[X(S)]=f|S|\) . For the second set of inequalities use linearity of expectation on the sum \(Y(S)\) , consult (2), and verify that by the Honest Majority Assumption \((1-\epsilon)(1-f)\gt 1-f-\epsilon \gt 1-\delta /3\) .

(b) The first inequality uses (3) and linearity of expectation. For the second one note that by the Honest Majority Assumption it suffices to verify that \((1-\delta)/(1-f)+\epsilon \lt 1-2\delta /3\) ; multiplying by \((1-f)\) and simplifying, it suffices to check \(1-\delta +\epsilon \lt 1-2\delta /3-f\) , which follows directly from our assumption that \(3\epsilon +3f\lt \delta\) .

(c) Using \((1-\frac{\delta }{3})f|S|\lt Y(S)\) from part (a) and \(Z(S^{\prime })\lt (1-\frac{2\delta }{3})f|S^{\prime }|=(1-\frac{2\delta }{3})f(|S|+2)\) from part (b), it suffices to verify that \((1-\frac{2\delta }{3})(\lambda +2)\le (1-\frac{\delta }{3})\lambda\) . This follows using \(\lambda \ge 2/f\gt 6/\delta\) . □

Remark 6.

From the above relations, one can see the importance of the parameter f and the way that the moderate hardness of PoW is relevant to the analysis. In particular f should be large enough so that \(\mathbb {E}[X(S)]\) becomes sufficiently bigger than 0 to be useful. If f is too small, (i.e., producing PoW’s is too hard) the honest participants will produce too few PoW’s for the system to make progress (with foresight, chain growth will be hurt, which in turn will hurt the liveness of the transaction ledger). On the other hand, f cannot be too large, because then the lower bound on Y will be too small (as it depends multiplicatively on \((1-f)\) as well as f). This means that uniquely successful rounds will not produce sufficiently many PoW’s to overcome the PoW’s produced by the adversary. In practice, this underscores the importance of calibrating the difficulty of the PoW to maintain a suitable value of f within the range \((0,1)\) . Such calibration takes place in the Bitcoin system every 2016 blocks and attempts to keep f somewhere between 2 and \(3\%\) (assuming a full communication round takes place every up to 20 seconds).

A corollary of this lemma and the Chain Growth Lemma (Lemma 4.2) is the following theorem concerning the chain growth property.

Theorem 4.7 (Chain Growth).

In a typical execution the chain growth property holds with parameters \(\tau =(1-\epsilon)f\) and \(s\ge \lambda\) .

Proof.

Suppose that at a round r and honest party P has a chain \(\mathcal {C}\) of length \(\ell\) . By the Chain Growth Lemma (Lemma 4.2), after s rounds, P has adopted a chain \(\mathcal {C}^{\prime }\) of length at least \(\ell +X(S)\) , where \(S=\lbrace i:r\le i\lt r+s\rbrace\) . By assumption, \(|S|\ge \lambda\) and Lemma 4.6(a) applies. Thus, in a typical execution, \(X(S)\gt (1-\epsilon)f|S|=\tau \cdot s\) . □

Lemma 4.8.

In a typical execution, any \(k\ge 2\lambda f\) consecutive blocks of a chain have been computed in more than \(\frac{k}{2f}\) consecutive rounds.

Proof.

Assume there is a set of consecutive rounds \(S^{\prime }\) in which the k blocks were computed and \(|S^{\prime }|\lt \frac{k}{2f}\) . Then, there is a set S of consecutive rounds with \(|S|=\lceil \frac{k}{2f}\rceil +1\) such that \(X(S)+Z(S)\ge k\) (adding rounds to \(S^{\prime }\) favors the upper bound that follows). However,

\begin{equation*} X(S)+Z(S)\lt (2+\epsilon -\textstyle \frac{2\delta }{3})f|S|\le (2-2f)f|S|\le (1-f)(k+4f)\lt k, \end{equation*}

where the first inequality uses Lemma 4.6(a) and (b) (note that \(\lceil \frac{k}{2f}\rceil \ge \lambda\) ), the second \(3f+3\epsilon \le \delta\) , and the third \(|S|=\lceil \frac{k}{2f}\rceil +1\le \frac{k}{2f}+2\) and \(k\ge 4\) (recall \(\lambda \ge 2/f\) ). □

4.2 Common Prefix Property

Lemma 4.9 (Common Prefix Lemma).

Suppose that at round r of a typical execution an honest party has or adopts a chain \(\mathcal {C}_1\) and an honest party adopts a chain \(\mathcal {C}_2\) . Then, for \(k\ge 2\lambda f\) , \(\mathcal {C}_1^{\lceil k}\preceq \mathcal {C}_2\) .

Theorem 4.10 (Common Prefix).

In a typical execution the common prefix property holds with parameter \(k\ge 2\lambda f\) .

Proof.

Refer to Definition 3.1, and consider chains \(\mathcal {C}_1\) and \(\mathcal {C}_2\) adopted by honest parties \(P_1\) and \(P_2\) in rounds \(r_1\) and \(r_2\) , in violation of the common prefix property, that is, \(\smash{\mathcal {C}_1^{\lceil k}\not\preceq \mathcal {C}_2}\) . If \(P_1\) still has or adopts a chain containing \(\smash{\mathcal {C}_1^{\lceil k}}\) at round \(r_2\) , then Lemma 4.9 applies at round \(r_2\) directly. Otherwise, at some round r, \(P_1\) has a chain \(\mathcal {C}\) containing \(\smash{\mathcal {C}_1^{\lceil k}}\) and adopts a chain \(\mathcal {C}^{\prime }\) that does not. Note that Lemma 4.9 applies at this round r, where the same honest party has chain \(\mathcal {C}_1\) and adopts chain \(\mathcal {C}_2\) . An illustration of this argument is shown in Figure 3(b). □

Remark 7.

Recall that the honest majority assumption is the important precondition for the above theorem. The dependency on the honest majority assumption is asymptotically tight for high network synchronicity, that is, the setting where f is close to 0, since in case the adversary has more hashing power than the honest parties it is straightforward to violate common prefix by having the attacker mining privately a chain which with non-negligible probability will be longer than the honest parties’ chain. In fact, this attack was described and analyzed by Nakamoto [59].

4.3 Chain Quality Property

Theorem 4.11 (Chain Quality).

In a typical execution the chain quality property holds with parameters \(\ell \ge 2\lambda f\) and

\begin{equation*} \mu =1-\frac{1+f}{(1-f)(1-\epsilon)}\cdot \frac{t}{n-t}-\frac{(1+f)\epsilon }{1-\epsilon } \gt 1-\frac{1}{1-2\delta /3}\cdot \frac{t}{n-t}-\frac{\delta /3}{1-\delta /3} \stackrel{\delta \rightarrow 0}{\longrightarrow } \frac{n-2t}{n-t} . \end{equation*}

Proof.

Let us denote by \(B_i\) the ith block of the chain \(\mathcal {C}\) of an honest party P at some round r so that \(\mathcal {C}=B_1 \dots B_{\mathop {\rm len}(\mathcal {C})}\) and consider some \(\ell\) consecutive blocks \(B_u,\dots ,B_v\) . Define L as the least number of consecutive blocks \(B_{u^{\prime }},\dots ,B_{v^{\prime }}\) that include the \(\ell\) given ones (i.e., \(u^{\prime }\le u\) and \(v\le v^{\prime }\) ) and have the properties (1) that the block \(B_{u^{\prime }-1}\) was computed by an honest party or \(B_{u^{\prime }}=B_1\) in case such block does not exist, and (2) that there exists a round at which an honest party adopted the chain ending at block \(B_{v^{\prime }}\) . Observe that L and \(v^{\prime }\) are well defined since \(B_{\mathop {\rm len}(\mathcal {C})}\) is at the head of a chain that an honest party adopted. Define also \(r_1\) as the round that \(B_{u^{\prime }-1}\) was created ( \(r_1=0\) if \(B_{u^{\prime }}=B_1\) ) and \(r_2\) as the first round that an honest party adopts the chain ending with \(B_{v^{\prime }}\) . Define \(S=\lbrace r:r_1\lt r\lt r_2\rbrace\) and \(S^{\prime }=\lbrace r:r_1\le r\le r_2\rbrace\) . Note that the sequence of L blocks \(B_{u^{\prime }},\dots ,B_{v^{\prime }}\) have been computed either by an honest party in S (due to the definition of \(r_1\) ) or, given part (c) of a typical execution, by the adversary in \(S^{\prime }\) .

Now, define \(\mu\) as in the statement and let x denote the number of blocks from honest parties that are included in the \(\ell\) blocks and, towards a contradiction, assume that

\begin{equation*} x\lt \mu \ell \le \mu L . \end{equation*}

Then,

\begin{equation} Z(S^{\prime }) \ge L-x\gt (1-\mu)L\ge (1-\mu)X(S) \gt (1-\mu)(1-\epsilon)f|S| . \end{equation}

(4)

The first inequality comes from the fact that the adversary computed \(L-x\) of the L blocks. The second one comes from the postulated relation between x and L. The last one is Lemma 4.6(a). To argue the third one, we assume \(X(S)\gt L\) and contradict property (2). Note that at round \(r_1\) an honest party has produced block \(B_{u^{\prime }-1}\) and so at round \(r_1+1\) has a chain of length at least \(u^{\prime }-1\) (note that this holds also in the case \(B_{u^{\prime }}=B_1\) ). By Lemma 4.2, every honest party at round \(r_2\) will adopt a chain of length at least \(u^{\prime }-1+X(S)\gt u^{\prime }-1+L=v^{\prime }\) .

On the other hand, \(|S|\ge \lambda\) by Lemma 4.8 and so the properties of a typical execution apply for the set of rounds S. Combining the upper bound for \(Z(S^{\prime })\) from Lemma 4.6(b) and recalling the value of \(\mu\) ,

\begin{equation} Z(S^{\prime }) \lt f(|S|+2)\Bigl (\frac{t}{n-t}\cdot \frac{1}{1-f}+\epsilon \Bigr) =(1-\mu)(1-\epsilon)f\cdot \frac{|S|+2}{1+f} . \end{equation}

(5)

Inequalities \((4)\) and \((5)\) contradict each other in a typical execution, since \(|S|\ge \lambda \ge 2/f\) .

To verify the lower bound in terms of \(\delta\) , note that

\[\begin{multline*} \frac{1+f}{(1-f)(1-\epsilon)}\cdot \frac{t}{n-t}+\frac{(1+f)\epsilon }{1-\epsilon } \lt \frac{1}{(1-f)^2(1-\epsilon)}\cdot \frac{t}{n-t}+\frac{\epsilon }{(1-f)(1-\epsilon)} \\ \lt \frac{1}{1-2f-\epsilon }\cdot \frac{t}{n-t}+\frac{\epsilon }{1-f-\epsilon } \lt \frac{1}{1-2\delta /3}\cdot \frac{t}{n-t}+\frac{\delta /3}{1-\delta /3} \end{multline*}\]

and recall that the Honest Majority Assumption requires \(3\epsilon +3f\lt \delta\) . □

Corollary 4.12.

In a typical execution the following hold.

—

Any \(\lceil 2\lambda f\rceil\) consecutive blocks in the chain of an honest party contain at least one honest block.

—

For any consecutive \(\lambda\) rounds, the chain of an honest party contains an honest block computed in one of these rounds.

Proof.

Using \(t\le (1-\delta)(n-t)\) , we have \(\mu \gt 1-\frac{1-\delta }{1-2\delta /3}-\frac{\delta /3}{1-\delta /3} \gt 0 .\) Since \(\mu \gt 0\) , the first item follows from Chain Quality.

For the second item, suppose the chain \(\mathcal {C}\) of an honest party contains an honest block B at height \(\ell\) that was computed in round r. Suppose further, towards a contradiction, that there is no honest block after B with timestamp at most \(r+\lambda\) . Let \(r^*\) be the least round after \(r+\lambda\) that an honest party adopts \(\mathcal {C}\) . Then, for \(S=\lbrace i:r\lt i\lt r^*\rbrace\) , \(|S|\ge \lambda\) and so \(X(S)\gt Z(S)\) . However, since all the blocks after B are adversarial, the length of the chain at round \(r^*\) is at most \(\ell +Z(S)\) . By Chain Growth Lemma (Lemma 4.2), the honest parties have chains with height at least \(\ell +X(S)\gt \ell +Z(S)\) . This contradicts the assumption that an honest party adopted \(\mathcal {C}\) at round \(r^*\) . □

We are able to argue that Theorem 4.11 is (asymptotically) tight under the simplification that ties between blockchains of equal length always favor the adversary. In particular, we assume that the function \(\mathsf {maxvalid}\) at line 5 of Algorithm 4, in case of chains of equal length, will always return the suggestion of the adversary if there is one. This simplification is made without loss of generality in our model since the adversary is rushing and hence in case two chains are transmitted in a single round the adversary can always arrange it so that its own solution arrives first.²⁰ Furthermore, if the number of honest parties is large, when an honest party discovers a solution in a round, all other honest parties will prefer the one transmitted by the adversary and thus the effect of a single honest party opting for its own block will be negligible.

Theorem 4.13.

Assume \(\ell \ge 2\lambda f\) and \(n-t\ge 2/\epsilon\) . There exists an adversary such that, with probability at least \(1-e^{-\Omega (\epsilon ^2\ell)}\) , there will be \(\ell\) consecutive blocks in the chain of every honest party of which at most

\begin{equation*} 1-(1-\epsilon)\cdot \frac{t}{n-t}+{2\epsilon ,} \end{equation*}

are honest.

Proof.

The attack is a type of “selfish mining” attack (it is a variation of the one in [32] and appears to be folklore in bitcoin circles) that accomplishes the stated bound. The attack is as follows. Initially, the adversary works on the same chain as every honest party. However, whenever it finds a solution it keeps it private and keeps on extending a private chain. Whenever an honest party finds a solution, the (rushing) adversary releases one block from the private chain; if the private chain is depleted the adversary returns to the public chain.

To analyze this strategy, consider a set S of at least \(\ell /(1-\epsilon)pq(n-t)\) consecutive rounds. The adversary, by announcing each one of his \(Z(S)\) blocks simultaneously with a block announced by an honest party, manages to include most of his \(Z(S)\) blocks in the chain of any honest party and drop an equal number of honest blocks. We now upper bound the number of adversarial blocks that may be orphaned and the number of adversarial blocks that would not be released in S.

Suppose the adversary drops his private chain \(\mathcal {C}A_1\cdots A_k\) in favor for a chain \(\mathcal {C}B_1\cdots B_{k+1}\) . In such a case, all honest blocks \(B_1,\dots ,B_{k+1}\) have been computed by the same honest party, because all other honest parties adopt the adversarial chain. Indeed, according to the strategy, the adversary released each block \(A_i\) ( \(i\in [k]\) ) in the round \(B_i\) was computed. Since ties favor the adversary, the only party to compute \(B_{i+1}\) is the one that computed \(B_i\) . It follows that if k sequential adversarial blocks \(A_1,\dots ,A_k\) are orphaned, then there exist \(k+1\) sequential honest blocks \(B_1,\dots ,B_{k+1}\) that were computed by the same honest party. For each query j by an honest party P extending a block B, define a Boolean random variable \(D_j\) to equal 1 if and only if query j was successful and B was computed by P. Let D be equal to the sum of all \(D_j\) for each query corresponding to a round in S. We have argued that the orphaned adversarial blocks are at most D. We claim that

\begin{equation*} \Pr [D\gt 2\epsilon \ell ]\le e^{-\Omega (\epsilon ^2\ell)} . \end{equation*}

To see this, we observe first that the same distribution is obtained if we first determine the oracle outputs and then we assign identities randomly. Any block has probability \(1/(n-t)\) to receive the same identity as its predecessor. It follows that for any number of k blocks, the number of blocks that contribute to D follows a Binomial distribution with parameters k and \(1/(n-t)\) . By the Chernoff bound, at most \(\frac{1+\epsilon }{1-\epsilon }\cdot \ell \lt 2\ell\) ( \(\epsilon \lt 1/3\) ) honest blocks were computed in S. Assuming \(n-t\ge 2/\epsilon\) , an expected number of at most \(\epsilon \ell\) of these blocks contribute to D. The claim follows by the Chernoff bound.

Nest, suppose the adversary does not release k of the blocks he acquired in S. This can only happen if none of the rounds in which he computed these k blocks was successful for the honest parties. The probability that there was no successful round among the last \(\epsilon ^2|S|\) rounds of S is at most

\begin{equation*} (1-p)^{\epsilon ^2q(n-t)|S|}\lt e^{-\Omega (\epsilon ^2\ell)} . \end{equation*}

Define \(S^{\prime }\) to consist of the \((1-\epsilon ^2)|S|\) initial rounds of S. In a typical execution \(\ell \le X(S)\le (1+\epsilon)\ell\) and \(Z(S^{\prime })\ge (1-\epsilon ^2)\ell t/(n-t)\) . Consider the segment of the chain of any honest party containing the blocks computed in S. With probability at least \(1-e^{-\epsilon ^2\ell }\) , the adversary released \(Z(S^{\prime })\) blocks and at most \(2\epsilon \ell\) of them were orphaned. This segment has length exactly \(X(S)\) and so the ratio of adversarial blocks is at least

\begin{equation*} \frac{Z(S^{\prime })-2\epsilon \ell }{X(S)} \ge \frac{1-\epsilon ^2}{1+\epsilon }\cdot \frac{t}{n-t}-\frac{2\epsilon }{1+\epsilon } \ge (1-\epsilon)\cdot \frac{t}{n-t}-{2\epsilon } . \end{equation*}

□

4.4 Adaptive Adversaries

In this section, we show that the ability to corrupt parties adaptively does not provide any advantage to the adversary. We perform this via reduction to a static adversary and environment. We will in fact reduce the adaptive security of the backbone protocol \({\mathrm{\Pi }} _\mathsf {bb}\) to the static security of a variant of the protocol, \({\mathrm{\Pi }} _\mathsf {bb}^{\prime }\) , which behaves identically with the sole difference that parties instead of adopting the first chain of a certain length they become aware of, they adopt the most recent one. It is straightforward to see that all the results of this section apply to \({\mathrm{\Pi }} _\mathsf {bb}^{\prime }\) as well (in fact all our proofs are independent of any chain “tie-breaking” performed by honest parties).

Proposition 4.14.

For any \(q,t,n\in \mathbb {N}\) with \(t\lt n\) , consider any adaptive adversary and environment pair \(\mathcal {A},\mathcal {Z}\) as well as an event \(E\in \lbrace B_\mathsf {cp},B_\mathsf {cq}, B_\mathsf {cg}\rbrace\) over the view exec \(^{t,n}_{{\mathrm{\Pi }} _\mathsf {bb}, \mathcal {A}, \mathcal {Z}}\) , corresponding to the failure of one of the three properties defined in Section 3.2, respectively. Then, there is a static adversary and environment pair \(\mathcal {A}^{\prime },\mathcal {Z}^{\prime }\) such that it holds that E has the same probability over exec \(^{t,n}_{{\mathrm{\Pi }} _\mathsf {bb}^{\prime }, \mathcal {A}^{\prime }, \mathcal {Z}^{\prime }}\) .

Proof.

We describe \(\mathcal {A}^{\prime },\mathcal {Z}^{\prime }\) that simulate \(\mathcal {A},\mathcal {Z}\) . \(\mathcal {A}^{\prime }\) keeps a counter c, initially set to 0, and initializes a mapping \(F:\lbrace P_1,\ldots ,P_n\rbrace \rightarrow \lbrace P_1,\ldots ,P_n\rbrace\) to the identity mapping. \(\mathcal {A}^{\prime }\) keeps \(\mathcal {Z}^{\prime }\) up to date about F. \(\mathcal {A}^{\prime }\) and \(\mathcal {Z}^{\prime }\) use the correspondence F to route the party activations initiated by \(\mathcal {A}\) and \(\mathcal {Z}\) . At the onset, \(\mathcal {A}^{\prime }\) corrupts all parties with identities \(\lbrace P_1,\ldots ,P_t\rbrace\) . From this point on it simulates all parties, running the honest protocol until a corruption by \(\mathcal {A}\) occurs. Moreover \(\mathcal {A}^{\prime }\) keeps track of the state of all honest parties and orders the messages in all incoming tapes so that any chains of the same length are sequenced with the one possessed by the honest party last (in this way \(\mathcal {A}^{\prime }\) ensures that honest parties’ state in the \({\mathrm{\Pi }}^{\prime }_\mathsf {bb}\) execution matches that of \({\mathrm{\Pi }} _\mathsf {bb}\) execution).

When \(\mathcal {A}\) corrupts a party \(P_i\) , \(\mathcal {A}^{\prime }\) increments c, and updates F with the correspondence \(i \leftrightarrow c\) . Let \(\mathcal {C}\) be the chain of party \(P_i\) and \(\mathcal {C}^{\prime }\) the chain of party \(P_c\) at the time of corruption. \(\mathcal {A}^{\prime }\) delivers \(\mathcal {C}\) as the internal state of \(P_i\) to \(\mathcal {A}\) (despite the fact that \(P_i\) remains uncorrupted in the static execution). \(\mathcal {A}^{\prime }\) also copies all messages directed to \(P_c\) to the incoming tape of \(P_i\) . Furthermore, in case \(|\mathcal {C}|=|\mathcal {C}^{\prime }|\) , \(\mathcal {A}^{\prime }\) delivers to party \(P_i\) the chain \(\mathcal {C}^{\prime }\) as the last message in the upcoming round (so that party \(P_i\) adopts it). Next, we argue that the divergence by the above actions is not detectable by \(\mathcal {A}\) .

In case \(|\mathcal {C}|\lt |\mathcal {C}^{\prime }|\) , this could only be caused by the fact that \(P_c\) updated his state in the current round and hence a message containing \(\mathcal {C}^{\prime }\) is on its way. As a result, during the next activation of party \(P_c\) by \(\mathcal {A}\) , party \(P_i\) will be activated instead by \(\mathcal {A}^{\prime }\) and they would become up to date having received \(\mathcal {C}^{\prime }\) , and thus \(P_i\) will behave identically to the way party \(P_c\) would have. In case \(|\mathcal {C}^{\prime }|\lt |\mathcal {C}|\) , this similarly means that the message containing \(\mathcal {C}\) originating from \(P_i\) is on its way; as a result, the next time \(\mathcal {A}\) activates party \(P_c\) , it is an \(\mathcal {A}\) ’s expectation that the update of party \(P_i\) would be in its incoming tape, and thus party \(P_c\) ’s expected behavior matches party \(P_i\) ’s. Finally, in case \(|\mathcal {C}^{\prime }|=|\mathcal {C}|\) , the substitution of the state of party \(P_i\) with that of party \(P_c\) guarantees that party \(P_i\) will behave identically to party \(P_c\) , and hence will be undetectable in the view of \(\mathcal {Z}, \mathcal {A}\) (recall that in both protocols \({\mathrm{\Pi }} _\mathsf {bb}, {\mathrm{\Pi }} _\mathsf {bb}^{\prime }\) all parties run exactly the same code and ignore their identity).

Based on the above it is easy to see that the probability of the events \(B_\mathsf {cp},B_\mathsf {cg}\) remain the same in both executions as they refer to purely structural aspects of the honest parties’ state. The event \(B_\mathsf {cq}\) relates to the contents of an honest party’s state; to see that this is also unaffected observe that an adaptive corruption at any point of the execution does not change the honest/adversarial designation of any block produced prior to that point. □

5 Simple PoW-based Byzantine Agreement Protocols

We now turn to applications of the Bitcoin backbone protocol, showing how it can be used as a basis to solve other problems. We start in this section by analyzing Nakamoto’s suggestion for solving BA, observing that it falls short of satisfying Definition 2.2; we then present our simple instantiation which solves BA. This protocol, however, only tolerates an adversarial hashing power less than \(1/3\) , which takes us to the next section, where we present Bitcoin’s essential task, namely, distributively maintaining a public transaction ledger, as well as a more elaborate BA protocol tolerating an adversarial power strictly less than \(1/2\) . For simplicity, the algorithms are specified for the case of binary inputs, but the analysis applies to the case of inputs coming from an arbitrary set V, \(|V|\gt 2\) . An overview of our applications and the way their properties depend on those of the backbone protocol was already presented in Figure 1.

5.1 Nakamoto’s Suggestion for Byzantine Agreement

As our first illustration of how the Bitcoin backbone can be used we present Nakamoto’s suggestion for solving BA, as presented in a forum post [60].²¹ We describe his solution (call it \({\mathrm{\Pi }}_{\sf BA}^{\sf nak}\) ) via the backbone protocol by specifying the functions \(V(\cdot), I(\cdot), R(\cdot)\) in a suitable way (see Figure 4). The content validation predicate \(V(\cdot)\) will be defined to require that all valid chains contain the same input value together with a nonce. The chain reading function \(R(\cdot)\) simply returns this value (ignoring the nonce) in case the chain has length at least k (which is the security parameter); otherwise it is undefined. The input contribution function \(I(\cdot)\) examines the contents of the current chain \(\mathcal {C}\) and the contents of the input tape Input. In case \(\mathcal {C}= \varepsilon\) the input contribution for the next block is taken verbatim from the input tape; otherwise, the input contribution is determined as the (unique) value that is already present in \(\mathcal {C}\) (and in this case the local input is ignored). Note that we will only consider environments \(\mathcal {Z}\) that provide an input symbol to all parties. Note that the nonce is added to ensure “work independence”: the parties need to introduce a fresh random \(\kappa\) -bit nonce at each block (cf. the beginning of Section 4).

Fig. 4.

It follows that initially the protocol builds various chains all containing the same value. The intuition is that Agreement will follow from the fact that the honest players will eventually agree on a single chain, as long as the majority of the hashing power lies with the honest parties. While this is true, as we will demonstrate, the second necessary property does not hold: this protocol cannot provide Validity (with high probability).

As we now show, Agreement follows easily from the common prefix property. Indeed, as long as there is a common prefix (irrespective of its length), it is ensured that when \(R(\cdot)\) becomes defined, all honest parties will produce the same output.

Lemma 5.1 (Agreement).

Under the Honest Majority Assumption, it holds that \({\mathrm{\Pi }}_{\sf BA}^{\sf nak}\) from Figure 4 parameterized with \(k=\lceil 2f\lambda \rceil\) running for a total number of rounds \(L\ge 2k/f\) , satisfies Agreement (cf. Definition 2.2) with probability at least \(1- \epsilon _\mathsf {typ}\) .

Proof.

First note that after L rounds every honest party has a chain with more than k blocks. This follows from chain growth property (see Theorem 4.7), since \(\tau L\ge 2(1-\epsilon)k\gt k\) (where \(\epsilon \lt 1/2\) follows from the Honest Majority Assumption).

Observe that chains contain unique values (ignoring the nonces), therefore a disagreement between honest parties implies that two parties have disjoint chains (essentially, this is equivalent to a fork that happens at the onset). It follows from the common prefix property (Theorem 4.10) that two chains of length more than k that are completely disjoint do not exist in a typical execution. □

On the other hand, it is easy to see that Validity cannot be guaranteed with overwhelming probability unless the hashing power of the adversary is negligible compared to the honest players, that is, \(t/n\) is negligible. This is because in case the adversary finds a solution first, then every honest player will extend the adversary’s solution and switch to the adversarial input hence abandoning the original input. While one can still show that Validity can be ensured with non-zero probability (and thus the protocol fails gracefully assuming honest majority), \({\mathrm{\Pi }}_{\sf BA}^{\sf nak}\) falls short from providing a solution to BA. Interestingly, by appropriately modifying the way the backbone protocol is used, we show in the next section how a solution can be derived.

5.2 A Byzantine Agreement Protocol for (1/3)-bounded Adversaries

We now show that the Bitcoin backbone can be directly used to satisfy BA’s properties with an error that decreases exponentially in the length of the chain, assuming however that the adversary’s hashing power is less than \(1/3\) . There are two important differences with respect to the approach in the previous section: (i) parties never abandon their original input but instead they do insist in inserting it into the blockchain, and (ii) after round L they output the majority of their local length-k prefix (note that here we consider binary BA). The protocol (i.e., the specification of the functions \(V(\cdot), I(\cdot) ,R(\cdot)\) ) is presented in Figure 9.

Fig. 5.

Lemma 5.2 (Agreement).

Under the Honest Majority Assumption, it holds that \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/3}\) from Figure 9 parameterized with \(k=\lceil 2f\lambda \rceil\) running for a total number of rounds \(L\ge 4k/f\) , satisfies Agreement with probability at least \(1-\epsilon _\mathsf {typ}\) .

Proof.

In order for agreement to be satisfied, it suffices to argue that the chains of all honest parties begin with the same k blocks. Note that in a typical execution, by Lemma 4.6 and the Chain-Growth Lemma, upon termination (i.e., after L rounds) the chain of every honest party has more than \((1-\epsilon)fL\ge 4(1-\epsilon)k\gt 2k\) blocks (for the inequality note that \(\epsilon \le \delta /3\lt 1/2\) ). Therefore, disagreement in the first k blocks among two chains \(\mathcal {C}_1\) and \(\mathcal {C}_2\) implies \(\mathcal {C}_1^{\lceil k}\not\preceq \mathcal {C}_2\) , in violation of the common prefix property. The statement follows by Theorem 4.10, assuming a typical execution. □

We now turn to the Validity property. In order to prove it we need to show that, upon termination of the protocol, the chain of any honest party will contain among the first k inputs more inputs from honest players than provided by the adversary. As we will see, this is a consequence of the chain quality property.

Lemma 5.3 (Validity).

Under the Honest Majority Assumption strengthened so that \(t\le \frac{1-\delta }{2}\cdot (n-t)\) , it holds that \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/3}\) from Figure 9 parameterized with \(k=\lceil 2f\lambda \rceil\) running for a total number of rounds \(L\ge 4k/f\) , satisfies Validity (cf. Definition 2.2) with probability at least \(1-\epsilon _\mathsf {typ}\) .

Proof.

For the property to be satisfied we only need to ensure that among the first k blocks of any chain \(\mathcal {C}\) that belongs to an honest party upon termination, the majority of the inputs was computed by the honest parties. Assuming a typical execution, Theorem 4.11 applies to the first \(k\ge 2f\lambda\) blocks and the fraction of adversarial blocks is less than

\[\begin{multline*} 1-\mu \le \frac{1+f}{(1-f)(1-\epsilon)}\cdot \frac{1-\delta }{2}+\frac{(1+f)\epsilon }{1-\epsilon } \lt \frac{1+f}{(1-f)(1-\epsilon)}\cdot \frac{1-\delta }{2}+\frac{\epsilon }{(1-\epsilon)(1-f)} \\ \lt \frac{1}{2}\cdot \Bigl (\frac{1-\delta +f}{1-\epsilon -f}+\frac{2\epsilon }{1-\epsilon -f}\Bigr) \le \frac{1}{2}\cdot \frac{1-\delta +2\delta /3}{1-\delta /3} =\frac{1}{2} , \end{multline*}\]

where we used the strengthened assumption, along with \(3\epsilon +3f\le \delta\) and \(1+f\lt 1/(1-f)\) . □

Note that \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/3}\) solves BA only in case the adversary’s hashing power is bounded by \(1/3\) . In case adversarial blocks win all head-to-head races within a round (as it is the case with a rushing adversary), the analysis is tight by Theorem 4.13. In the next section, we show a more elaborate construction based on a transaction ledger which can tolerate an adversary with hashing power bounded by \(1/2\) .

We can thus state the following.

Theorem 5.4.

Under the Honest Majority Assumption strengthened so that \(t\le \frac{1-\delta }{2}\cdot (n-t)\) , it holds that protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/3}\) parameterized with \(k =\lceil 2f\lambda \rceil\) running for a total number of rounds \(L\ge {4k}/f\) , satisfies Agreement and Validity (cf. Definition 2.2) with probability at least \(1-\epsilon _\mathsf {typ}\) .

Remark 8.

In particular, setting \(\lambda =\Theta (\log ^2\kappa)\) , we can achieve negligible probability of error in \(O(\log ^2\kappa)\) rounds.

Remark 9.

As mentioned in Section 2, “Strong Validity” refers to the requirement that the output value be one of the honest parties’ inputs, and the distinction is relevant in the case of non-binary inputs, that is, coming from an arbitrary set V, \(|V| \gt 2\) . It is easy to modify the above algorithm to also satisfy this property by making the chain reading function the element with highest plurality in the chain (ties broken favoring the lexicographically smallest element in V), as opposed to majority, and by imposing a more stringent bound on the adversary, namely, by bounding the hashing power of the adversary by \((1-\delta)/|V|\) . This ensures that the expected number of blocks in the blockchain that are controlled by the adversary is less than \(\frac{1}{|V|}\) , and maintains validity even in the worst case that the honest parties’ inputs are equally split among all possible values but one (i.e., there are \(|V|-1\) inputs equally proportioned among the honest parties). Agreement is ensured in the same way as before via the common prefix property.

Remark 10.

It is interesting to note that to successfully solve consensus with protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/3}\) , we do not need to know the precise number of parties before hand. A crude estimate \(\frac{N}{c}\le n\le N\) for some constant c, suffices to obtain the same results. In particular, we may state the following.

Theorem 5.5.

Under the Honest Majority Assumption strengthened so that \(t\le \frac{1-\delta }{2}\cdot (n-t)\) and assuming \(\frac{N}{c}\le n\le N\) for some constant c, it holds that protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/3}\) parameterized with \(k =\lceil 2f\lambda \rceil\) running for a total number of rounds \(L\ge {4ck}/f\) , satisfies Agreement and Validity (cf. Definition 2.2) with probability at least \(1-\epsilon _\mathsf {typ}\) .

Proof.

The parameter of interest is f, which depends on the values of n and T. We may run the protocol with the parameters chosen for the extreme case \(n=N\) . Note that this implies that the probability of a successful round \(f^{\prime }\) will be less than f. It is not hard to verify, however, that \(f^{\prime }\ge f/c\) . Allowing the protocol to run c times longer, the same analysis holds. □

6 Public Transaction Ledgers

We now come to the application which the Bitcoin backbone was designed to solve: maintaining a public transaction ledger. We first formally introduce this object—a “book” where transactions are recorded—and its properties, and then we show how it can be used to implement the Bitcoin ledger and BA in the honest majority setting by properly instantiating the notion of a transaction.

6.1 Robust Public Transaction Ledgers

A public transaction ledger is defined with respect to a set of valid ledgers \(\mathcal {L}\) and a set of valid transactions \(\mathcal {T}\) , each one possessing an efficient membership test. A ledger \(\mathbf {x}\in \mathcal {L}\) is a vector of sequences of transactions \(\mathrm{tx}\in \mathcal {T}\) . Each transaction \(\mathrm{tx}\) may be associated with one or more accounts, denoted \(a_1,a_2,\ldots\) and so on.

The backbone protocol parties, called miners in the context of this section, process sequences of transactions of the form \(x= \mathrm{tx}_1 \ldots \mathrm{tx}_e\) that are supposed to be incorporated into their local chain \(\mathcal {C}\) . The input inserted at each block of the chain \(\mathcal {C}\) is the sequence x of transactions. Thus, a ledger is a vector of transaction sequences \(\langle x_1,\ldots , x_m\rangle\) , and a chain \(\mathcal {C}\) of length m contains the ledger \(\mathbf {x}_\mathcal {C}= \langle x_1,\ldots , x_m\rangle\) if the input of the jth block in \(\mathcal {C}\) is \(x_j\) . The position of transaction \(\mathrm{tx}_j\) in the ledger \(\mathbf {x}_\mathcal {C}\) is the pair \((i,j)\) where \(x_i = \mathrm{tx}_1 \ldots \mathrm{tx}_e\) .

The description and properties of the ledger protocol will be expressed relative to an oracle \(\mathsf {Txgen}\) which will control a set of accounts by creating them and issuing transactions on their behalf. In an execution of the backbone protocol, the environment \(\mathcal {Z}\) as well as the miners will have access to \(\mathsf {Txgen}\) . Specifically, \(\mathsf {Txgen}\) is a stateful oracle that responds to two types of queries (which we purposely only describe at a high level):

—

\(\mathsf {GenAccount}(1^\kappa)\) : It generates an account a.

—

\(\mathsf {IssueTrans}(1^\kappa , \tilde{\mathrm{tx}})\) : It returns a transaction \(\mathrm{tx}\) provided that \(\tilde{\mathrm{tx}}\) is some suitably formed string, or \(\bot\) .

We also consider a symmetric relation on \(\mathcal {T}\) , denoted by \(C(\cdot , \cdot)\) , which indicates when two transactions \(\mathrm{tx}_1,\mathrm{tx}_2\) are conflicting. Valid ledgers \(\mathbf {x}\in \mathcal {L}\) can never contain two conflicting transactions. We call oracle \(\mathsf {Txgen}\) unambiguous if it holds that for all PPT \(\mathcal {A}\) , the probability that \(\mathcal {A}^{\mathsf {Txgen}}\) produces a transaction \(\mathrm{tx}^{\prime }\) such that \(C(\mathrm{tx}^{\prime },\mathrm{tx}) = 1\) , for a \(\mathrm{tx}\) issued by \(\mathsf {Txgen}\) , is negligible in \(\kappa\) . We only consider unambiguous \(\mathsf {Txgen}\) oracles. Moreover, to simplify the exposition of this section, we will assume that any sequence of non-conflicting transactions constitutes a valid ledger (our results, however, hold for even more constrained ledger languages—cf. Section 6.2).

Finally, a transaction \(\mathrm{tx}\) is called neutral if \(C(\mathrm{tx}, \mathrm{tx}^{\prime }) = 0\) for any other transaction \(\mathrm{tx}^{\prime }\) . The presence of neutral transactions in the ledger can be helpful for a variety of purposes, as we will see next and in the BA protocol that we will build on top of the ledger in Section 6.3. For convenience we will assume that a single random nonce \(\rho \in \lbrace 0,1\rbrace ^\kappa\) is also a valid transaction of the form \(\langle \mathsf {nonce}, \rho \rangle\) . Nonces will be neutral transactions and may be included in the ledger for the sole purpose of ensuring independence between the PoW instances solved by the honest parties.

Next, we determine the three functions \(V(\cdot), I(\cdot), R(\cdot)\) that will turn the backbone protocol into \({\mathrm{\Pi }}_{\sf PL}\) , a protocol realizing a public transaction ledger. See Figure 6.

Fig. 6.

We now introduce two essential properties for a protocol maintaning a public transaction ledger: (i) Persistence and (ii) Liveness. In a nutshell, Persistence states that once an honest player reports a transaction “deep enough” in the ledger, then all other honest players will report it indefinitely whenever they are asked, and at exactly the same position in the ledger (essentially, this means that all honest players agree on all the transactions that took place and in what order). In a more concrete Bitcoin-like setting, Persistence is essential to ensure that credits are final and that they happened at a certain “time” in the system’s timeline (which is implicitly defined by the ledger itself).

Note that Persistence is useful but not enough to ensure that the ledger makes progress, that is, that transactions are eventually inserted in a chain. This is captured by the Liveness property, which states that as long as a transaction comes from an honest account holder and is provided by the environment to all honest players, then it will be inserted into the honest players’ ledgers, assuming the environment keeps providing it as an input for a sufficient number of rounds.²²

We define the two properties below.²³

Definition 6.1.

A protocol \({\mathrm{\Pi }}\) implements a robust public transaction ledger in the q-bounded synchronous setting if it organizes the ledger as a sequence of blocks of transactions and it satisfies the following two properties:

—

Persistence: Parameterized by \(k\in \mathbb {N}\) (the “depth” parameter), if in a certain round an honest player reports a ledger that contains a transaction \(\mathrm{tx}\) in a block more than k blocks away from the end of the ledger (such transaction will be called “stable”), then \(\mathrm{tx}\) will be reported by any honest player in the same position in the ledger, from this round on.

—

Liveness: Parameterized by \(u,k\in \mathbb {N}\) (the “wait time” and “depth” parameters, resp.), provided that a transaction either (i) issued by \(\mathsf {Txgen}\) , or (ii) is neutral, is given as input to all honest players continuously for u consecutive rounds, then all honest parties will report this transaction more than k blocks from the end of the ledger, that is, all report it as stable.

Remark 11.

Since in our model we abstract the transaction transmission to happen within the environment program \(\mathcal {Z}\) , we require that all honest parties should be given as input (from \(\mathcal {Z}\) ) each transaction so that the liveness property will guarantee its inclusion to the ledger. An alternate formulation of the liveness property that would require transaction exchange between parties is possible, in which case a single honest party would suffice to receive it as input.

Remark 12.

It is useful to juxtapose our definition of a robust transaction ledger, as implemented by a blockchain protocol, to the SMR problem [71], as realized by atomic broadcast [22]. In the SMR scenario, a set of processors share the responsibility of implementing distributedly a state machine. In this context, an instance of a state machine consists of state variables as well as commands that modify the contents of the variables following a deterministic program. Processors agree on the sequence of commands that may be submitted by a designated client (or alternatively, any of the processors) and have to be applied in a timely manner. While many types of faults have been considered, the most relevant one to our setting is that of Byzantine faults.

The notion of a robust transaction ledger introduced in this section can be used to implement SMR by adopting the following convention: commands can be emitted as signed transactions only by \(\mathsf {Txgen}\) and it is up to the environment to deliver them to honest nodes. In more detail, valid transactions are of the form \((c,w)\) with c being a command and where w is a digital signature whose secret key is managed by \(\mathsf {Txgen}\) . The corresponding signature verification key is part of the genesis block (by setting the value s in line 3 of Algorithm 3 equal to the verification key) and hence signed symbols can be verified and only those that are valid will be accepted into the ledger by \(V(\cdot)\) . Given a ledger \(\mathbf {x}_\mathcal {C}\) containing a sequence of commands \(c_1,\ldots ,c_n\) from the stable transactions, the machine will be at the state that results by the application of \(c_1,\ldots ,c_n\) to the initial state. We observe that state updates will be applied in a timely manner as long as the environment delivers them for u consecutive rounds to the honest miners. Note that the additional restriction to receive updates signed by \(\mathsf {Txgen}\) comes in handy, since otherwise the timeliness of a state update can be broken even if the environment delivers it for u consecutive rounds (by, for example, simply having the adversary “front-run” the update and deliver an alternative update).

On the flipside, SMRs are not sufficient to capture the class of systems that can be expressed via a robust transaction ledger. The reason is that in an SMR, the outputs of the state machine are completely determined by the given sequence of commands, while in a robust transaction ledger the rules as expressed by \(V(\cdot)\) can vary over time (using the number of blocks as a time-keeper). As a result, a command to insert a certain transaction in the ledger can have a different outcome depending on when it is submitted for processing. An SMR can achieve this by having a client act as time-keeper (at the expense of a single point of failure) or have the processors run an additional distributed protocol simulating a clock. In contrast, in a robust transaction ledger, as implemented by the backbone protocol, the chain growth property (cf. Theorem 4.7) ensures that the length of the blockchain acts as a clock.²⁴

We prove the two properties separately, starting with Persistence. We note first that it is essential to require that the stability of the transaction is reported from the “next round on” from the time that an honest party reports it as stable. Indeed, it is not guaranteed that parties simultaneously report a transaction as stable: the adversary may advance the chain of a certain player at a specific round and thus make the transaction appear as stable when the environment checks it; nevertheless at that round other honest parties may still have chains that have not advanced sufficiently enough and thus report the transaction as not stable. This is akin to the lack of simultaneous termination in early-stopping consensus protocols (cf. [27]).

The proof is essentially based on the common prefix property of the backbone protocol (recall Definition 3.1 and Theorem 4.10).

Lemma 6.2 (Persistence).

Under the Honest Majority Assumption, it holds that \({\mathrm{\Pi }}_{\sf PL}\) from Figure 6 parameterized with \(k=\lceil 2\lambda f\rceil\) satisfies Persistence (cf. Definition 6.1) with probability at least \(1-\epsilon _\mathsf {typ}\) .

Proof.

Consider a typical execution and let \(\mathcal {C}_1\) be the chain of honest player \(P_1\) at round \(r_1\) . Suppose a transaction \(\mathrm{tx}\) is included in \(\mathcal {C}_1^{\lceil k}\) at round \(r_1\) (i.e., it is stable). Consider the chain \(\mathcal {C}_2\) of an honest party \(P_2\) at a round \(r_2\ge r_1\) . By the common prefix property, \(\mathcal {C}_1^{\lceil k}\preceq \mathcal {C}_2\) . The statement follows. □

We next prove Liveness, which is based on the chain quality property (recall Definition 3.2 and Theorem 4.11) and the fact that the chain of honest parties grows at least as fast as the number of blocks they produce (proven in Chain Growth Lemma 4.2).

Lemma 6.3 (Liveness).

Under the Honest Majority Assumption, it holds that \({\mathrm{\Pi }}_{\sf PL}\) from Figure 6 parameterized with \(u=\lceil 4\lambda /(1-\epsilon)\rceil\) rounds and \(k=\lceil 2\lambda f\rceil\) satisfies Liveness (cf. Definition 6.1) with probability at least \(1-\epsilon _\mathsf {typ}\) .

Proof.

We prove that assuming all honest players receive as input the transaction \(\mathrm{tx}\) for at least u rounds, then in a typical execution there exists an honest party with chain \(\mathcal {C}\) such that \(\mathrm{tx}\) is included in \(\mathcal {C}^{\lceil k}\) . Indeed, in a typical execution, after u rounds the honest parties have at least \(4\lambda f=2k\) successful rounds. Invoking Chain Growth Lemma (Lemma 4.2), we infer that the chain’s length of any honest party has increased by at least 2k blocks.

Finally, the chain quality property (Theorem 4.11) implies that at least one of the blocks in the length-k suffix of \(\mathcal {C}^{\lceil k}\) was computed by an honest party. Such a block would include \(\mathrm{tx}\) since it is infeasible for adversarial \(\mathcal {Z}, \mathcal {A}\) to produce a conflicting transaction \(\mathrm{tx}^{\prime }\) (which would be the only event making an honest player drop \(\mathrm{tx}\) from the sequence of transactions x that it attempts to insert in the blockchain). Thus, the lemma follows. □

6.2 Bitcoin-like Transactions and Ledger

Next, we show how to instantiate the public transaction ledger for Bitcoin, by defining the sets of transactions and valid ledgers.

Transactions and accounts are defined with respect to a digital signature scheme that is comprised of three algorithms \(\langle \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify} \rangle\) . An account will be a pair \(a = (vk, G(vk))\) where \(G(\cdot)\) is a hash function and \(G(vk)\) is the “address” corresponding to the account.

A transaction \(\mathrm{tx}\) is of the form “ \(\lbrace a_1,a_2, \ldots , a_{\ell _\mathsf {i}}\rbrace \rightarrow (\sigma , \lbrace (a^{\prime }_1,b_1^{\prime }),\ldots , (a^{\prime }_{\ell _\mathsf {o}},b_{\ell _\mathsf {o}}^{\prime })\rbrace)\) ,” where \(a_1,\ldots , a_{\ell _\mathsf {i}}\) are the addresses of the accounts to be debited, \(a^{\prime }_1,\ldots , a^{\prime }_{\ell _\mathsf {o}}\) are the addresses of the accounts²⁵ to be credited with funds \(b^{\prime }_1,\ldots , b^{\prime }_{\ell _\mathsf {o}}\) , respectively, and \(\sigma\) is a vector \(\langle (vk_1,\sigma _1),\ldots , (vk_{\ell _\mathsf {i}}\) , \(\sigma _{\ell _\mathsf {i}})\rangle\) of verification keys and digital signatures issued under them, on the same message \(\lbrace (a^{\prime }_1,b_1^{\prime }),\ldots , (a^{\prime }_{\ell _\mathsf {o}},b_{\ell _\mathsf {o}}^{\prime })\rbrace\) . (We note that Bitcoin transactions can be more expressive but the above description is sufficient for the purpose of our analysis).

Next, we specify the \(\mathsf {Txgen}\) oracle, which in the context of our analysis abstracts transaction generation on behalf of the honest users.

—

\(\mathsf {GenAccount}(1^\kappa)\) : It generates an account a by running \(\mathsf {KeyGen}\) and computing the hash \(G(\cdot)\) on the verification key. The account is the pair \((vk,G(vk))\) , where \(G(vk)\) is the account’s address. The corresponding secret key, sk, is kept in the state of \(\mathsf {Txgen}\) .

—

\(\mathsf {IssueTrans}(1^\kappa , \tilde{\mathrm{tx}})\) : It returns a transaction \(\mathrm{tx}\) provided that \(\tilde{\mathrm{tx}}\) is a transaction that is only missing the signatures by accounts that are maintained by \(\mathsf {Txgen}\) . (Recall the format of transactions above.) Each account is only allowed a single transaction and its balance is always moved forward in its entirety.

Note that the above restriction on \(\mathsf {IssueTrans}\) is without loss of generality, as in Bitcoin, entities typically maintain a number of accounts and are allowed (although not forced) to move their balances forward to a new account as they make new transactions. The conflict relation \(C(\cdot ,\cdot)\) over \(\mathcal {T}\) satisfies that \(C(\mathrm{tx}_1, \mathrm{tx}_2) = 1\) if and only if \(\mathrm{tx}_1 \ne \mathrm{tx}_2\) and \(\mathrm{tx}_1, \mathrm{tx}_2\) have an input account in common.²⁶ Thus, it is straightforward to prove the unambiguity of the \(\mathsf {Txgen}\) oracle based on the unforgeability of the underlying digital signature (we leave the proof as an exercise for the reader).

Lemma 6.4.

Assume that \(\langle \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify} \rangle\) is an existentially unforgeable signature scheme. Then oracle \(\mathsf {Txgen}\) is unambiguous.

In order to define the set of valid Bitcoin ledgers we first need to determine in what sense a transaction may be valid with respect to a ledger. Then we will define the set of valid ledgers recursively as the maximal set of vectors of sequences of transactions that satisfy this condition. So here it goes.

A transaction \(\mathrm{tx}\) is valid with respect to a Bitcoin ledger \(\mathbf {x}=\langle x_1,\ldots , x_m\rangle\) provided that all digital signatures verify and \(\sum ^{\ell _\mathsf {i}}_{j=1} b_j \ge \sum ^{\ell _\mathsf {o}}_{j=1} b^{\prime }_j\) , where \(b_j\) is the balance that was credited to account \(a_j\) in the latest transaction involving \(a_j\) in \(\mathbf {x}\) . In case \(e = \sum ^{\ell _\mathsf {i}}_{j=1} b_j - \sum ^{\ell _\mathsf {o}}_{j=1} b^{\prime }_j\gt 0\) , then e is a transaction fee that may be claimed separately in a special transaction of the form “ \(\emptyset \rightarrow \ldots\) ,” called a generation transaction. In more detail, a generation transaction has no inputs and its purpose is to enable miners to be rewarded for maintaining the legder. The transaction is of the form “ \(\emptyset \rightarrow \lbrace (a_1,b_1), \ldots , (a_{\ell _\mathsf {o}},b_{\ell _\mathsf {o}})\rbrace\) ,” and \(\sum ^{\ell _\mathsf {o}}_{j=1} b_j\) is determined based on the other transactions that are “bundled” in the block as well as a flat reward fee, as explain below.

A sequence of transactions \(x=\langle \emptyset \rightarrow \lbrace (a_1,b_1), \ldots , (a_{\ell _\mathsf {o}},b_{\ell _\mathsf {o}})\rbrace , \mathrm{tx}_1,\ldots ,\mathrm{tx}_l\rangle\) is said to be valid with respect to a ledger \(\mathbf {x}= \langle x_1,\ldots , x_m\rangle\) , if each transaction \(\mathrm{tx}_j\) is valid with respect to the ledger \(\mathbf {x}\) extended by the transactions \(\mathrm{tx}_1,\ldots , \mathrm{tx}_{j-1}\) . I.e., for all \(j=1,\ldots ,l\) the transaction \(\mathrm{tx}_j\) should be valid with respect to ledger

\begin{equation*} \langle x_1,\ldots , x_m, \mathrm{tx}_1\ldots \mathrm{tx}_{j-1}\rangle , \end{equation*}

and furthermore, the total fee collected in the transaction \(\emptyset \rightarrow \lbrace (a_1,b_1), \ldots , (a_{\ell _\mathsf {o}},b_{\ell _\mathsf {o}})\rbrace\) does not exceed \(r(\mathbf {x})+\sum ^m_{j=1} e_j\) , which includes all the individual fees corresponding to transactions \(\mathrm{tx}_1,\ldots ,\mathrm{tx}_l\) , plus a value \(r(\mathbf {x})\) that is the flat reward given for extending the ledger \(\mathbf {x}= \langle x_1, \ldots ,x_m\rangle\) .²⁷

The set of valid ledgers \(\mathcal {L}\) with respect to a reward function \(r(\cdot)\) contains \(\varepsilon\) (the empty ledger), and any ledger \(\mathbf {x}\) which extends a ledger in \(\mathcal {L}\) by a valid sequence of transactions. Note that the first transaction sequence of any ledger \(\mathbf {x}\in \mathcal {L}\) contains a single transaction of the form \(\emptyset \rightarrow \lbrace (a_1,b_1), \ldots , (a_{\ell _\mathsf {o}},b_{\ell _\mathsf {o}})\rbrace\) that satisfies \(\sum ^{\ell _\mathsf {o}}_{j=1} b_j = r(\varepsilon)\) , where \(r(\varepsilon)\) is the initial flat reward. This first transaction rewards the ledger’s initiator(s).²⁸ It is easy to see that \(\mathcal {L}\) has an efficient membership test.

Given the existence of generation transactions in this application we can do away with random nonces as standalone transactions and the description of the input contribution function I in Figure 6, is modified to include their generation each time an input sequence of transactions is determined to be inserted in the ledger. Specifically, \(I(\cdot)\) will form a generation transaction \(\emptyset \rightarrow \lbrace (a,b) \rbrace\) , where \(b = r(\mathbf {x}) + \sum ^m_{j=1} e_j\) and \(e_j\) is the fee corresponding to x’s jth transaction. Account a is a freshly created account that is obtained interacting with \(\mathsf {Txgen}\) . \(I(\cdot)\) will append account a to its private state st.

We will refer to the modified \({\mathrm{\Pi }}_{\sf PL}\) protocol by the moniker \({\mathrm{\Pi }}_{\sf BTC}\) . \({\mathrm{\Pi }}_{\sf BTC}\) inherits from \({\mathrm{\Pi }}_{\sf PL}\) the properties of Persistence and Liveness which will ensure the following with overwhelming probability in k.

—

Apart from its latest k blocks, the transaction ledger is fixed and immutable for all honest miners.

—

If a majority of miners²⁹ receive an honest transaction and attempt to insert it following the protocol for a sufficient number of rounds (equal to parameter u, the “wait time”), it will become a permanent entry in the ledger (no matter the adversarial strategy of the remaining miners).

Remark 13.

We remark that in the adaptive corruption setting, the \(\mathsf {Txgen}\) oracle would safeguard the keys of honest parties from the adversary.

6.3 Byzantine Agreement for Honest Majority

We now use the public transaction ledger formulation to achieve PoW-based BA for an honest majority by properly instantiating the notion of a transaction, thus improving on the simple BA protocol tolerating a \((1/3)\) -bounded adversary presented in Section 5.

Here we consider a set of valid ledgers \(\mathcal {L}\) that contain sequences of transactions of the form \(\langle nonce, v, ctr \rangle\) , and satisfy the predicate:

\begin{equation} (H_1(ctr, G(\mathit {nonce}, v)) \lt T) \wedge (ctr\le q), \end{equation}

(6)

where \(H_1(\cdot), G(\cdot)\) are two hash functions as in the definition of the backbone protocol, and \(v \in \lbrace 0,1\rbrace\) is a party’s input. (Recall that T is the difficulty level and q determines how many calls to \(H_1(\cdot)\) a party is allowed to make per round.) To distinguish the oracles, in this section we will use \(H_0(\cdot)\) to refer to the oracle used in the backbone protocol.

For the ledger we consider in this section, there will be no accounts and all transactions will be neutral — that is, the conflict predicate \(C(\cdot ,\cdot)\) will be false for all pairs of transactions.

We first provide a high level description of the BA protocol assuming parties have q queries per round to each oracle \(H_0(\cdot), H_1(\cdot)\) . We then show how to use a single oracle \(H(\cdot)\) to achieve the combined functionality of both of them while only using q queries per round.

At a high level, the protocol, \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/2}\) , works as follows:

—

Operation: In each round, parties run two protocols in parallel. The first protocol is protocol \({\mathrm{\Pi }}_{\sf PL}\) (Figure 6), which maintains the transaction ledger and requires q queries to the oracle \(H_0(\cdot)\) . The second process is a “transaction production” protocol \({\mathrm{\Pi }}_{\mathsf {tx}}\) (Figure 7), which continuously generates transactions satisfying predicate (6). The protocol makes q queries to the \(H_1(\cdot)\) oracle.

—

Termination: After (a predetermined) round L, a party collects all the unique PoW transactions that are present in the first \(\lceil \frac{3k}{\delta }\rceil +k\) blocks and returns the majority bit from the bits occurring in these transactions (note that uniqueness takes also the nonce of each transaction into account).

Fig. 7.

As described, protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/2}\) does not conform to the q-bounded setting since parties require q queries to oracle \(H_0(\cdot)\) and q queries to oracle \(H_1(\cdot)\) to perform the computation of a single round (the setting imposes a bound of q queries to a single oracle for all parties). Note that a naïve simulation of \(H_0(\cdot), H_1(\cdot)\) by a single oracle \(H(\cdot)\) in the \((2q)\) -bounded setting (e.g., by setting \(H_b(x) = H(b, x)\) ) would violate the restriction imposed on each oracle individually, since nothing would prevent the adversary, for example, from querying \(H_0(\cdot)\) 2q times. Next, we show how we can combine the two protocols into a single protocol that utilizes at most q queries to a single random oracle in a way that the adversary will remain q-bounded for each oracle. This transformation, explained below, completes the description of \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/2}\) .

2-for-1 PoWs. We now tackle the problem of how to turn a protocol operation that uses two separate PoW subprocedures involving two distinct and independent oracles \(H_0(\cdot), H_1(\cdot)\) into a protocol that utilizes a single oracle \(H(\cdot)\) for a total number of q queries per round. Our transformation is general and works for any pair of protocols that utilize \(H_0(\cdot), H_1(\cdot)\) , provided that certain conditions are met (which are satisfied by protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/2}\) above). In more detail, we consider two protocols \({\mathrm{\Pi }}_0,{\mathrm{\Pi }}_1\) that utilize a PoW step as shown in Algorithm 6 in Figure 8.

Fig. 8.

Fig. 9.

In order to achieve composition of the two protocols \({\mathrm{\Pi }}_0, {\mathrm{\Pi }}_1\) in the q-bounded setting with access to a single oracle \(H(\cdot)\) , we will substitute steps 2-11 in both protocols with a call to a new function, double-pow, defined below. First, observe that in \({\mathrm{\Pi }}_b\) , \(b\in \lbrace 0,1\rbrace\) , the PoW steps 2–12 operate with input \(w_b\) and produce output in \(B_b\) if the PoW succeeds. The probability of obtaining a solution is \(T\cdot 2^{-\kappa }\) .

The modification consists in changing the structure of the PoWs from pairs of the form \((w,ctr)\) to triples of the form \((w, ctr, label)\) , where label is a \(\kappa\) -bit string that is neutral from the point of view of the proof. This will further require the modification of the verification step for PoWs in both protocols \({\mathrm{\Pi }}_0, {\mathrm{\Pi }}_1\) in the following manner.

—

Any verification step in \({\mathrm{\Pi }_0}\) of a PoW \(\langle w_0,ctr\rangle\) which is of the form \(H(ctr,G(w_0)) \lt T\) , will now operate with a PoW of the form \(\langle w_0, ctr, label \rangle\) and will verify the relation

\begin{equation*} H(ctr, \langle G(w_0), label\rangle) \lt T. \end{equation*}

—

Any verification step in \({\mathrm{\Pi }_1}\) of a PoW \(\langle w_1, ctr \rangle\) which is of the form \(H(ctr, G(w_1)) \lt T\) , will now operate with a PoW of the form \(\langle w_1, ctr, label\rangle\) and will verify the relation

\begin{equation*} [ H(ctr, \langle label, G(w_1)\rangle)]^\mathsf {R} \lt T, \end{equation*}

where \([a]^\mathsf {R}\) denotes the reverse of the bitstring a.

This parallel composition strategy in the form of the pseudocode segment is shown in Algorithm 7. Either or both the solutions it returns, \(B_0, B_1\) , may be empty if no solution is found.

Protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/2}\) will employ 2-for-1 PoW, which will substitute the individual PoW operation of the two underlying protocols \({\mathrm{\Pi }}_0,{\mathrm{\Pi }}_1\) as defined in lines 2–11 of Algorithm 6. The correctness of the above composition strategy follows from the following simple observation.

Lemma 6.5.

Consider a uniform random variable U over the integers in \([0,2^{\kappa })\) and an integer T such that \(T=2^t\) for some positive integer \(t\gt \kappa /2\) . Then, the events \((U\lt T)\) and \(([U]^\mathsf {R}\lt T)\) are independent and they both occur with probability \(T\cdot 2^{-\kappa }\) .

Proof.

It is easy to see that each event happens with probability \(T\cdot 2^{-\kappa }\) . The conjunction of the two events involves the choice of an integer U which satisfies \(U\lt T\) and \([U]^\mathsf {R}\lt T\) . Observe that because \(T=2^t\) , it follows that the conditioning on \(U\lt T\) leaves the t least significant bits of U uniformly random while fixing the remaining \(\kappa -t\) bits. Consider the space conditioned on the event \(U\lt T\) . By the discussion above, t most significant bits of \([U]^\mathsf {R}\) are uniformly random, while the event \([U]^\mathsf {R}\lt T\) fixes \(\kappa -t\) of these. It follows that the event \([U]^\mathsf {R}\lt T\) has probability \(2^{t-(\kappa -t)}/2^t=T \cdot 2^{-\kappa }\) , in the conditional space, and so the two events are independent. □

Theorem 6.6.

Under the Honest Majority Assumption, it holds that protocol \({\mathrm{\Pi }}_{\mathsf {BA}}^{1/2}\) parameterized with \(k=\lceil 2\lambda f\rceil\) running for a total number of rounds \(L\ge \frac{5k}{(1-\epsilon)\delta f}\) , satisfies Agreement and Validity (cf. Definition 2.2) with probability at least \(1-\epsilon _\mathsf {typ}\) .

Remark 14.

As we remarked after Theorem 5.4, setting \(\lambda =\Theta (\log ^2\kappa)\) we achieve optimally resilient consensus with negligible probability of error in \(O(\log ^2\kappa)\) rounds.

Proof.

First observe that due to Lemma 6.5 the success probability for all parties to solve a PoW of either kind in each round is independent. In the following, we assume the properties of typical execution for both kinds of blocks.

To verify Agreement, note that by Chain Growth (Theorem 4.7) the chain of every honest party is of length at least \((1-\epsilon)fL \ge \lceil \frac{3k}{\delta }\rceil +2k\) at the end of the L rounds. Thus, the parties prune at least k blocks and Agreement follows directly from the common prefix property.

We next focus on Validity. Consider the prefix \(\mathcal {C}\) of length \(\lceil \frac{3k}{\delta }\rceil +k\) of an honest party’s chain upon termination. By the chain quality property (see Corollary 4.12), the last k blocks of \(\mathcal {C}\) do contain an honest block B computed at some round r. Define the sets of consecutive rounds \(S=\lbrace i:i\lt r\rbrace\) and \(S^{\prime }=\lbrace i:i\lt r+\lambda \rbrace\) . By Lemma 4.8, \(|S|\ge \frac{3k}{2\delta f}\ge \frac{3\lambda }{\delta }\) and so \(|S^{\prime }|=|S|+\lambda \le (1+\frac{\delta }{3})|S|\) . Clearly, there are at least \(X(S)\) honest inputs in \(\mathcal {C}\) . By Corollary 4.12, the adversarial blocks in \(\mathcal {C}\) are at most \(Z(S^{\prime })\) . The following sequence of inequalities shows that the majority of inputs are honest.

\begin{equation*} \frac{Z(S^{\prime })}{X(S)} \lt \frac{(1-2\delta /3)f|S^{\prime }|}{(1-\epsilon)f|S|} \lt \frac{(1-2\delta /3)(1+\delta /3)}{1-\epsilon } \lt \frac{1-\delta /3}{1-\epsilon } \lt 1 . \end{equation*}

The first inequality uses Lemma 4.6, the second uses the upper bound on \(S^{\prime }\) above, and the last follows form \(\epsilon \lt \delta /3\) . □

Remark 15.

Regarding Strong Validity in the multivalued BA setting, that is, where the input domain is V and has a constant cardinality strictly larger than two we can adapt the above protocol to return the plurality from the values stored in the transactions that are found in the ledger. In order to ensure strong Validity by this modification we restrict the hashing power of the adversary to \((1-\delta)/(|V|-1)\) since this will ensure that the adversary’s number of transactions cannot overturn the plurality value as defined by the honest parties’ inputs (even if those are evenly distributed amongst them). The bound is in-line with the known bounds for the computational setting with trusted setup, \(n\gt |V| t\) , cf. [35].

7 The Bitcoin Backbone in the Bounded-Delay Model

In this section, we show how we can extend our analysis to the bounded delay model with static adversaries. The bounded delay model is identical to the model of Section 2 with the following modifications: (1) the parameter q is fixed to be 1, (2) the diffuse functionality allows for \(\Delta\) -delays, that is, when it inspects the contents of all Receive strings, it will necessarily include messages if they are \(\Delta\) rounds old. Note that \(\Delta\) is a parameter of the execution that is unknown to the honest protocol participants (in contrast to q). Observe that now rounds are just units of time rather than message passing rounds where all messages are supposed to be delivered to honest parties from the previous round.

We now describe how to extend our analysis in the bounded delay setting. The most crucial observation is in the notion of uniquely successful round: specifically, while in the synchronous setting we were counting uniquely successful rounds, now we need to count \(\Delta\) -isolated uniquely successful rounds, where isolated means that there is a window of \(\Delta\) rounds before and after where no other successful round took place for the honest parties. (This notion is analogous to the definition of convergence opportunity in [66].) In the rest of this section, we first present formally the parts of the analysis that differ significantly and then discuss informally how the rest of the analysis can be adjusted so that analogous statements can be obtained.

In more details, we can replace the \(Y_i\) random variable by a random variable \(Y^{\prime }_i\) defined as follows. It takes values in \(\lbrace 0,1\rbrace\) and \(Y^{\prime }_i=1\) if and only if round i was uniquely successful (i.e., \(Y_i=1\) ) and \(X_j=0\) for each \(j\ne i\) such that \(|j-i|\lt \Delta\) . When \(Y^{\prime }_i=1\) , we call i a \(\Delta\) -isolated uniquely successful round (we may drop \(\Delta\) if it is clear from the context). We have

\begin{equation*} \mathbb {E}[Y^{\prime }_i]\ge f(1-f)^{2\Delta -1} . \end{equation*}

To verify this inequality observe that the bound \(\mathbb {E}[Y_i]\ge f(1-f)\) in (2) still holds (with \(q=1\) in the definition of f) and that the event that anyone of the \(2\Delta -2\) surrounding rounds is unsuccessful is independent of the other rounds and equal to \((1-f)\) .

We remark that the definition of isolated successful round is adopted with the goal that the (easy but crucial) observation of Lemma 4.1 still holds. This is the main difference with the q-bounded model; in what follows we will argue that the same lemmas and theorems still hold, with small modifications of proofs and parameters.

To obtain a Chain Growth Lemma, cf. Lemma 4.2, although we could use the isolated uniquely successful rounds, it is more natural and gives slightly better results if we use a new Boolean variable \(X^{\prime }_i\) . For a round i, we define \(X^{\prime }_i=1\) , if \(X_i=1\) and \(X_j=0\) for each j such that \(i-\Delta \lt j\lt i\) . When \(X^{\prime }_i=1\) , we call i an isolated successful round. We have

\begin{equation*} \mathbb {E}[X^{\prime }_i]=f(1-f)^{\Delta -1} . \end{equation*}

Lemma 7.1 (Chain Growth Lemma in the Bounded-Delay Model).

Suppose that at round u an honest party has a chain of length \(\ell\) . Then, by round \(v\ge u+\Delta -1\) , every honest party has adopted a chain of length at least

\begin{equation*} \ell +\sum _{u\le r\le v-\Delta }X^{\prime }_r . \end{equation*}

Proof.

By induction on v. For the basis ( \(v=u+\Delta -1\) ), observe that if at round u an honest party has a chain \(\mathcal {C}\) of length \(\ell\) , then that party broadcasts \(\mathcal {C}\) at a round earlier than u. It follows that every honest party will receive \(\mathcal {C}\) by round \(u-1+\Delta =v\) .

For the inductive step, assume the inductive hypothesis for \(v-1\) and consider two cases. First, consider \(X^{\prime }_{v-\Delta }=0\) , in which case we have

\begin{equation*} \ell +\sum _{u\le r\le v-\Delta }X^{\prime }_r=\ell +\sum _{u\le r\lt v-\Delta }X^{\prime }_r=\ell ^{\prime } . \end{equation*}

By the inductive hypothesis every honest party has received a chain of length at least \(\ell ^{\prime }\) by round \(v-1\) .

For the second case, \(X^{\prime }_{v-\Delta }=1\) . By the inductive hypothesis, by round \(v-\Delta\) , every honest party has adopted a chain of length at least

\begin{equation*} \ell ^{\prime } =\ell +\sum _{u\le r\le v-2\Delta }X^{\prime }_r =\ell +\sum _{u\le r\lt v-\Delta }X^{\prime }_r , \end{equation*}

where the second equality holds because \(X^{\prime }_{v-\Delta }=1\) implies \(X^{\prime }_r=0\) for all \(v-2\Delta \lt r\lt v-\Delta\) . It follows that every honest party queried the oracle with a chain of length at least \(\ell ^{\prime }\) at round \(v-\Delta\) . Hence, all honest parties successful at round \(v-\Delta\) broadcast a chain of length at least \(\ell ^{\prime }+X_{v-\Delta }\) . This chain will be received by every honest party by round v. Since \(X^{\prime }_{v-\Delta }=1\) , using the expression for \(\ell ^{\prime }\) displayed above, we have

\begin{equation*} \ell ^{\prime }+X_{v-\Delta }=\ell ^{\prime }+X^{\prime }_{v-\Delta }=\ell +\sum _{u\le r\le v-\Delta }X^{\prime }_r \end{equation*}

and this completes the case and the proof. □

Definition 7.2 (Typical Execution in the Bounded-delay Model).

An execution is \((\epsilon ,\lambda ,\Delta)\) -typical, with \(\epsilon \in (0,1)\) , \(\lambda \ge 2/f\) , and integer \(\Delta\) , if, for any set S of at least \(\lambda\) consecutive rounds, the following hold.

(a)

\((1-\epsilon)\mathbb {E}[X^{\prime }(S)]\lt X^{\prime }(S)\) , \(X(S)\lt (1+\epsilon)\mathbb {E}[X(S)]\) and \((1-\epsilon)\mathbb {E}[Y^{\prime }(S)]\lt Y^{\prime }(S)\) .

(b)

\(Z(S)\lt \mathbb {E}[Z(S)]+\epsilon \mathbb {E}[X^{\prime }(S)]\) .

(c)

No insertions, no copies, no guesses, and no predictions occurred.

Theorem 7.3.

An execution is typical with probability at least

\begin{equation*} 1-4L^2e^{-\Omega (\epsilon ^2\lambda f^2(1-f)^{4\Delta -2})}-3Q^22^{-\kappa }-[(n-t)L]^22^{-\nu } . \end{equation*}

Proof.

Note that \(Y^{\prime }_i\) and \(Y^{\prime }_j\) are not independent anymore when \(|i-j|\lt 2\Delta\) and the standard Chernoff bound does not apply. (Similarly for \(X^{\prime }_i\) and \(X^{\prime }_j\) .) However, \(Y^{\prime }(S)\) , as a function of the honest queries in S, is 2-Lipschitz (see Definition A.2). This is because each query in a round i affects \(Y^{\prime }_j\) only if \(|i-j|\lt \Delta\) and there can be at most two \(Y^{\prime }_j\) ’s equal to 1 in an interval of length \(2\Delta -1\) . By Theorem A.3 we obtain

\begin{equation*} \Pr [Y^{\prime }(S)\le (1-\epsilon)\mathbb {E}[Y^{\prime }(S)] \le \Pr [Y^{\prime }(S)\lt \mathbb {E}[Y^{\prime }(S)]-\epsilon f(1-f)^{2\Delta -1}|S|] \le e^{-\frac{1}{2}\epsilon ^2f^2(1-f)^{4\Delta -2}\lambda } . \end{equation*}

The argument for \(X^{\prime }(S)\) is similar to the above and the rest to Theorem 4.5. □

The honest majority assumption (the part relating \(\epsilon ,f\) , and \(\delta\) ) needs to be strengthened to accommodate the decreased values of \(\mathbb {E}[Y^{\prime }_i]\) and \(\mathbb {E}[X^{\prime }_i]\) . In particular, in the inequality \(3\epsilon +3f\lt \delta\) , instead of f, the product \(\Delta f\) should appear (with an appropriate constant). This is because, in view of the expectations calculated above, we now deal with \((1-f)^\Delta \ge 1-\Delta f\) instead of \((1-f)\) .

We now discuss Chain Growth, Common Prefix, and Chain Quality.

Chain Growth. Note that Lemma 4.8 holds as is, since its proof relies only on the bounds for \(X(S)\) and \(Z(S)\) . Combining with the Chain Growth Lemma (Lemma 7.1) for this model, we obtain that the Chain Growth Property holds with parameter \(\tau =(1-\epsilon)f(1-f)^{\Delta -1}\) .

Common Prefix. To prove a Common Prefix Lemma we may follow the proof of the corresponding Lemma 4.9. The difference is that with respect to the honest parties we need to consider the set of rounds \(S=\lbrace i:r^*+\Delta \lt i\lt r-\Delta -1\rbrace\) . As already mentioned, the definition of a \(\Delta\) -isolated uniquely successful round is such that, if we substitute such rounds for uniquely successful, Lemma 4.1 holds in the bounded-delay model. Thus, we can pair each \(\Delta\) -isolated uniquely successful round in S with an adversarial block computed in \(S^{\prime }\) . To finish the proof we need to argue that

\begin{equation*} Z(S^{\prime })\ge Y^{\prime }(S), \end{equation*}

and that the additional rounds in \(S^{\prime }\) are not enough to compensate the adversary’s inferior computational power. Note that an increased lower bound for k will be required in the statement of the lemma, to absorb the decreased growth rate. This bound will be needed to obtain an analogous statement to that of Lemma 4.8. Then, the Common Prefix property for a typical execution can follow with exactly the same proof as that of Theorem 4.10.

Chain Quality. The Chain Quality property will require an increased lower bound for \(\ell\) , to account for the decreased growth rate. The proof of Theorem 4.11 should be adjusted so that it refers to isolated successful rounds instead of the (simply) successful ones. This in turn asks for the consideration of \(S^{\prime }=\lbrace r:r_1\le r\lt r_2-\Delta \rbrace\) instead of S. As in common prefix, the intuition here is that the few added rounds the adversary has in his disposal are not enough to compensate for his inferior computational power.

Remark 16.

Given the above arguments on the three basic properties, chain growth, chain quality and common prefix, it follows in that all our applications from Sections 5 and 6 can be ported to the bounded-delay setting. With respect to the consensus protocols in particular, if parameter k is sufficiently large to absorb an additive term \(2\Delta\) (see chain quality and common prefix properties above) and parameter L is sufficiently large to incorporate a multiplicative factor \((1-f)^{1-\Delta }\) (see chain growth property above), then the same arguments carry over. Note that this does not contradict the impossibility result of [30] as the security of the resulting consensus protocols cannot be inferred for any choice of \(\Delta\) but only hold if \(\Delta , L, k, f\) satisfy the above relations. In fact, if \(\Delta\) is chosen adversarially given the other parameters common prefix is violated, cf. [66].

8 Summary and Directions for Future Work

In this article, we presented a formal treatment of the Bitcoin backbone, the protocol used at the core of Bitcoin’s transaction ledger. We identified and proved basic properties of the backbone protocol — “common prefix,” “chain quality,” “chain growth” — and showed how they can be used as foundations for designing BA and robust public transaction ledger protocols. Our results show that a (near) honest majority among the (equally equipped) participants suffices, assuming the network synchronizes much faster than the PoW rate (i.e., f is relatively small using our notation), the proper inputs (e.g., transactions) are available to the honest majority,³¹ while the bound on the adversary for honest parties to reach agreement degenerates as f gets larger.

While these are encouraging results, we have demonstrated deviations that are of concern for the proper operation of Bitcoin. Importantly, we show that as the network ceases to synchronize fast enough compared to the PoW rate (i.e., the worst-case time that takes honest players to “hear” each other becomes substantial compared to the time it takes to solve a PoW), the honest majority property ceases to hold and the bound offered by our analysis that is required to obtain a robust transaction ledger approaches 0 as f approaches 1. Note that the effects of bad synchronization is in the maintenance of the Common Prefix property, which is the critical property for showing agreement. A tight characterization of this behavior was provided in follow-up work, [26, 45].

A second important concern is regarding the chain quality property, where our results show that if an adversary controls a hashing power ratio corresponding to some value \(t/n\) then the ratio of the blocks it can contribute to the blockchain is bounded but can be strictly bigger than \(t/n\) , approaching \(t / (n-t)\) in the worst case.

The above caveats in the two basic properties of the backbone protocol have repercussions on the Persistence and Liveness properties of the Bitcoin ledger. Firstly, they illustrate that fast information propagation amongst honest players (in relation to PoW) is essential for transaction persistence. Secondly, they show that transaction liveness becomes more fragile as the relative adversarial power \(t/(n-t)\) , gets close to 1. Note that we achieve Liveness for any relative power less than 1 but we do not assume any upper bound on the number of transactions that may be inserted in a block;³² it is obvious that the fewer blocks the honest miners get into the blockchain the harder may be for a transaction to get through. Furthermore, the fact that chain quality demonstrably fails to preserve a linear correspondence between a party’s hashing power and the ratio of its contributions to the ledger point to the fact that Bitcoin’s rewarding mechanism is not incentive compatible (cf. [32]). In fact we show that the relative hashing power \(\frac{t}{n-t}\) is the essential upper bound on chain quality for the Bitcoin backbone —a result we show also to be tight in our rushing adversary model. In this way, our results flesh out the incentive compatibility problems of the Bitcoin backbone, but, on a more positive note, they also point to the fact that an honest hashing-power majority is sufficient to maintain the public ledger (under favorable network conditions), and hence suggest that the Bitcoin protocol can work as long as the majority of the miners want it to work (without taking into account the rationality of their decision—see below for follow-up work in this direction).

The above observations apply to the setting where the number of participants is fixed. In the dynamic setting (where the number of parties running the protocol may change from round to round), given the flat model that we consider, the difficulty of the blockchain, determined by the target T, may be calibrated according to the number of players n that are active in the system. If T is set by an omniscient trusted party then the analysis carries in a straightforward way but otherwise, if T is somehow calculated by the parties themselves, the adversary can try to exploit its calculation. Note that in this case the \(\mathsf {maxvalid}\) function would need to take the difficulty’s variability into account and thus choose the “most difficult” chain (as opposed to the longest). Comparing chains based on difficulty is simply done by computing the length of a chain by counting blocks proportionally to how difficult they are (for example, a block whose difficulty is two times larger than a given difficulty value would contribute twice as much in “length”). The analysis of the Bitcoin backbone protocol with chains of variable of difficulty is the subject of our follow-up work [41].

Our security analysis is property-based, and holds for stand-alone executions. A follow-up work, which offers a simulation-based, composable treatment of the Bitcoin backbone protocol was presented by Badertscher et al. in [7]. Further, we mentioned above incentive compatibility and majority of miners wanting the protocol to work. Some follow-up work has focused on the security analysis of the Bitcoin backbone protocol in a rational setting as opposed to our cryptographically standard honest/malicious setting. In particular, in [6] Badertscher et al. formally show that assuming a natural class of incentives for the miners’ behavior—that is, rewarding them for adding blocks to the blockchain but having them pay for mining—one can reserve the honest-majority assumption as a fallback: in the setting where the utility of the miners aligns with the rational modeling they provide, the Bitcoin backbone protocol will work as expected.

Other interesting open questions include the substitution of the random oracle assumption with a suitable computational assumption, as well as the development of backbone modifications that improve its characteristics in terms of common prefix and chain quality; see [43, 44] for some work in this direction. In terms of the ledger application, transaction processing times (i.e., reducing the wait time parameter u in the Liveness property) is also an interesting question with implications to practice (since real-world payment systems benefit greatly from fast transaction confirmation and verification—see, for example, [23] for scalability issues and suggestions). In all these cases, our work offers a formal foundation that allows analyzing the security properties of “tweaks” on the backbone protocol (such as the randomization rule of [32] or the “GHOST” rule in [72] used in Ethereum³³) towards meeting the above goals.

We remark that follow-up work has examined additional backbone protocol properties, protocols and model extensions. For instance, we have already mentioned the chain growth property, introduced in [51] which enables one to abstract the blockchain feature of being able to grow unhindered by the adversary. While this is a quite simple property to prove for the Bitcoin backbone, it becomes more subtle in alternative blockchain protocols such as those using the GHOST rule [72]; see [52] for an analysis of such protocols. In [66], Pass et al. put forth a property called self-consistency, which refers to the inability of the adversary to make honest parties disagree with themselves as the protocol advances. Chain growth and self-consistency are useful if one wants to do a black-box reduction of Persistence and Liveness of the ledger to the underlying properties of the blockchain, an approach also fulfilled in the current version of this article, where the common prefix property in Section 3.2 captures self-consistency and chain growth is explicitly treated. Further, [66] also studied the robustness of transaction ledger in the bounded delay model, where messages may not be delivered at the end of a round, but there is still a certain bound within which all messages are eventually delivered, see [30]. We show how the analysis for the synchronous model extends to that setting, cf. Section 7.

Another set of interesting directions includes the development of other applications that may be built on top of the Bitcoin backbone protocol. A notable example is secure MPC [46, 73] with properties such as fairness and guaranteed output delivery (current works in this direction, for example, [2, 12, 13, 54, 55, 56] assume an idealized version of the Bitcoin system).

Further contrast between the solvability of “classical” BA and PoW-based BA in terms of setup assumptions has been established in works such as [1, 42], where it is shown how the latter can be achieved “from scratch”—that is, with no trusted setup, as opposed to the classical setting, where a PKI is required. We refer to [37] for a more detailed treatment of this subject.

The core protocol construct for BA introduced in Section 6.3 (namely composing two PoW sub-protocols, one maintaining a blockchain and the other creating PoWs to enter inputs in the blockchain that are provably in proportion to the honest parties’ computational power) has found further applications in designing blockchain protocols. Specifically, in [67] it was shown that it can be used to achieve a type of fairness in terms of rewards while in [8] it was shown that it can be used to increase transaction throughput. In [53] and later in [36] a “proof-of-stake” equivalent concept was developed that was shown it can be used to achieve similar objectives.

Acknowledgements

The authors are grateful to Giorgos Panagiotakos, Sergio Rajsbaum, Apostolos Tzinas, Hong-Sheng Zhou and Dionysis Zindros for helpful comments and discussions.

Footnotes

In [60], Nakamoto refers to the problem as “Byzantine Generals,” which is often used to refer to the single-source version of the problem. Note that since more than one general may propose a time to attack, his description is a closer match to the setting where every party has an input value, that is, BA. In fact, in an anonymous setting such as Bitcoin’s, the single-source variant of the problem is nonsensical. Note that in the traditional cryptographic setting, with trusted setup, the two problems are not equivalent in terms of the number of tolerated misbehaving parties t ( \(t \lt n\) vs. \(t \lt n/2\) , respectively).

In our original exposition [40], this property was not identified explicitly but rather proven and used directly in the form of a lemma. As observed in follow-up work [51], identifying it as a separate property, allows making our proofs arguments more modular.

This property is also called Consistency. We use the term “persistence” to emphasize the immutable aspect of the ledger.

⁴

http://www.litecoin.com

⁵

https://www.ethereum.org

⁶

Our model allows the unfavorable event of adversarial messages winning all head-to-head races in terms of delivery with honestly generated messages in any given round.

⁷

We remark that, in contrast to the approach used in typical randomized solutions to the problem, where achieving BA is reduced to (the construction of) a shared random coin, the probabilistic aspect here stems from the parties’ likelihood of being able to provide proofs of work. In addition, as our analysis relies on the random oracle model [10], we are interested in computational/cryptographic solutions to the problem.

⁸

Hence, BA in this setting shares a similar profile with BA in the asynchronous setting [34].

⁹

We find the notation and formulation handy, in particular the existence of an environment and a control program, and as a consequence we inherit the designation of parties as spawned instances of ITMs, with input/output tapes, and so on. For simplicity, we choose to keep their operation at a somewhat informal level. Further, we note that we do not perform an analysis in the Universal Composability setting of [18, 19, 20].

¹⁰

See [39] for a comparison of this primitive vis-à-vis point-to-point channels.

¹¹

In the conference version of this article [40], we used the term Broadcast instead of Diffuse to mean the same thing. Given that this leads to some misunderstanding we changed the terminology to employ the term “Diffuse” instead of “Broadcast.” As in the conference version, note that “Diffuse” remains an atomic operation and hence the corruption of a party may not happen while the operation is taking place (cf. [38, 47]).

¹²

Note that we do not consider pre-computation attacks in our model; such attacks would require choosing s in a way it is unpredictable. For instance, the actual deployment of Bitcoin used the headline of The Times of Jan. 3, 2009, “Chancellor on brink of second bailout for banks.”

¹³

In Bitcoin, every 2016 blocks the difficulty is recalibrated according to the time-stamps stored in the blocks so that the block generation rate remains at approximately 10 minutes per block.

¹⁴

Note that the way we deploy \(\mathsf {maxvalid}\) , amounts to parties always giving preference to their local chain as opposed to any incoming chain. This is consistent with current Bitcoin operation; however, some debate about alternate tie-breaking rules has ensued in Bitcoin forums, for example, see [24].

¹⁵

It is worth to point out that the behavior of \(\mathsf {maxvalid}(\cdot)\) is associated with some stability aspects of the backbone protocol and currently there are proposals to modify it (e.g., by randomizing it — cf. [32]). It is an interesting question whether any improvement in our results can be achieved by randomizing the \(\mathsf {maxvalid}\) operation.

¹⁶

In reality the same hash function (SHA-256) instantiates both G and H; however, it is notationally more convenient to consider them as distinct.

¹⁷

For the sake of readability, we modified the original formulation in [40] from \(\mu\) to \(1-\mu\) so that the chain quality coefficient \(\mu\) is increasing in favor of the honest parties.

¹⁸

In previous versions of this article, including [40], we expressed the analysis using parameters \(\alpha =pq(n-t),\beta =pqt,\gamma =\alpha -\alpha ^2, f = pqn\) . Observe that using this notation and for the random variables \(X_i, Y_i, Z_i\) defined above, it holds that \(\mathbb {E}[X_i]\le \alpha\) , \(\mathbb {E}[Y_i]\ge \gamma\) , \(\mathbb {E}[Z_i]\le \beta\) , leading to a more refined analysis. Also, the previous choice of f is an upper-bound on \(\mathbb {E}[X_i+Z_i]\) . Instead, now, we opt to define f as \(\mathbb {E}[X_i]\) and drop the notation \(\alpha ,\beta ,\gamma\) . We believe the new choice of f is more versatile and highlights the role of the parameter better while dropping \(\alpha ,\beta ,\gamma\) simplifies the conditions of the security theorems. Moreover, it unifies our exposition with our follow up work [41].

¹⁹

Recall that we say a party “has” a chain \(\mathcal {C}^*\) at round r, if the value of variable \(\mathcal {C}\) at line 7 of Algorithm 4 is \(\mathcal {C}^*\) , while it “adopts” a chain \(\mathcal {C}^*\) if the value of variable \(\tilde{\mathcal {C}}\) is equal to \(\mathcal {C}^*\) .

²⁰

In fact, this rushing capability was argued to be realistic in [32] through the dispersion of sybil nodes in the Bitcoin peer-to-peer network that echo the adversary’s messages.

²¹

Note that Nakamoto’s description is quite informal. We make the most plausible interpretation of it in our formal framework.

²²

Observe that here we take the view that new transactions are available to all honest players and the way they are propagated is handled by the environment that feeds the backbone protocol. While this makes sense in the honest/malicious cryptographic model, it has been challenged in a model where all players are rational [4]. Analysis of the backbone protocol in a setting where transaction propagation is governed by rational players is beyond the scope of our paper. Still, it is straightforward to use our results to argue about liveness even when some players do not receive all transactions by applying the same reasoning as in Remark 2.

²³

We note that we provide a slightly different formulation for persistence and liveness compared to our original formulation in [40]. Even though the conjunction of the two properties remains equivalent to the original formulation we believe the current formulation is simpler to present.

²⁴

Note that Theorem 4.7 only proves a lower bound on chain growth, however it is easy to prove an upper bound with our techniques—we leave the proof as an exercise to the reader.

²⁵

In bitcoin terminology every account has an address that is used to uniquely identify it. Payments directed to an account require only this “bitcoin address.” The actual verification key corresponding to the account will be revealed only when the account makes a payment.

²⁶

The conflict relation is more permissive in the actual Bitcoin ledger. We adopt the more simplified version given above as it does not change the gist of the analysis.

²⁷

Initially, the flat reward for extending the Bitcoin chain was 50 BTC. The function \(r(\cdot)\) in Bitcoin halves the reward every 210,000 generation transactions.

²⁸

In the case of Bitcoin, it was supposedly Nakamoto himself who collected this first reward of 50 BTC.

²⁹

Recall that we assume a flat model w.r.t. hashing power; a majority of miners corresponds to a set of parties controlling the majority of the hashing power.

³⁰

These queries will be combined with the q queries of the proof of work function Algorithm 3 using the 2-for-1 PoW transformation.

³¹

Our formalization is a way to express what perhaps was Nakamoto’s intuition when he wrote about Bitcoin that “it takes advantage of the nature of information being easy to spread but hard to stifle” [61].

³²

Increasing the block size in the Bitcoin protocol parameterization in order to accomodate more transactions has been an important and long running debate in the Bitcoin community.

³³

https://www.ethereum.org/

A Useful Inequalities

We will require the following inequalities.

Fact 1 (Bernoulli’s Inequality).

For real \(r\ge 1\) and real \(x\ge -1\) , \((1+x)^r\ge 1+rx\) .

Fact 2.

For any real \(\alpha \gt 0\) , \(\,1-\alpha \lt e^{-\alpha }\lt 1-\alpha +\frac{\alpha ^2}{2}\) .

We provide here the form of the Chernoff bound we use in the proofs.

Theorem A.1 (Chernoff bounds).

Suppose \(\lbrace X_i:i\in [n]\rbrace\) are mutually independent Boolean random variables, with \(\Pr [X_i=1]=p\) , for all \(i\in [n]\) . Let \(X=\sum _{i=1}^nX_i\) and \(\mu =pn\) . Then, for any \(\delta \in (0,1]\) ,

\begin{equation*} \Pr [X\le (1-\delta)\mu ]\le e^{-\delta ^2\mu /2}\hbox{~~and~~} \Pr [X\ge (1+\delta)\mu ]\le e^{-\delta ^2\mu /3}. \end{equation*}

In Section 7 we need more general concentration bounds. We provide here the relevant definition and bounds. (See [29, Corollary 5.2])

Definition A.2.

A function \(f(x_1,\dots ,x_n)\) is k-Lipschitz if \(|f(x)-f(x^{\prime })|\le k\) , whenever x and \(x^{\prime }\) differ in at most one coordinate.

Theorem A.3.

Suppose f as a function of n independent random variables \(X_1,\dots ,X_n\) is k-Lipschitz. Then

\begin{equation*} \Pr [f\gt \mathbb {E}[f]+t]\le \exp \Bigl (-\frac{2t^2}{nk^2}\Bigr) \quad \hbox{and}\quad \Pr [f\lt \mathbb {E}f-t]\le \exp \Bigl (-\frac{2t^2}{nk^2}\Bigr). \end{equation*}

References

[1]

Marcin Andrychowicz and Stefan Dziembowski. 2015. PoW-based distributed cryptography with no trusted setup. In Proceedings of the Advances in Cryptology - CRYPTO 2015-35th Annual Cryptology Conference, Part II, Rosario Gennaro and Matthew Robshaw (Eds.). Lecture Notes in Computer Science, Vol. 9216. Springer, 379–399. DOI:

Digital Library

Google Scholar

[2]

Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, and Łukasz Mazurek. 2014. Secure Multiparty Computations on Bitcoin. IEEE Security and Privacy. (2014).

Google Scholar

[3]

James Aspnes, Collin Jackson, and Arvind Krishnamurthy. 2005. Exposing Computationally-challenged Byzantine Impostors. Technical Report YALEU/DCS/TR-1332. Yale University Department of Computer Science.

Google Scholar

[4]

Moshe Babaioff, Shahar Dobzinski, Sigal Oren, and Aviv Zohar. 2012. On bitcoin and red balloons. In Proceedings of the 13th ACM Conference on Electronic Commerce, Boi Faltings, Kevin Leyton-Brown, and Panos Ipeirotis (Eds.). ACM, 56–73.

Digital Library

Google Scholar

[5]

Adam Back. 1997. Hashcash. Retrieved from http://www.cypherspace.org/hashcash

Google Scholar

[6]

Christian Badertscher, Juan A. Garay, Ueli Maurer, Daniel Tschudi, and Vassilis Zikas. 2018. But why does it work? A rational protocol design treatment of bitcoin. In Proceedings of the Advances in Cryptology - EUROCRYPT 2018-37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Part II, Jesper Buus Nielsen and Vincent Rijmen (Eds.). Lecture Notes in Computer Science, Vol. 10821. Springer, 34–65. DOI:

Crossref

Google Scholar

[7]

Christian Badertscher, Ueli Maurer, Daniel Tschudi, and Vassilis Zikas. 2017. Bitcoin as a transaction ledger: A composable treatment. IACR Cryptology ePrint Archive 2017 (2017), 149. Retrieved from http://eprint.iacr.org/2017/149

Google Scholar

[8]

Vivek Kumar Bagaria, Sreeram Kannan, David Tse, Giulia C. Fanti, and Pramod Viswanath. 2018. Deconstructing the blockchain to approach physical limits. IACR Cryptology ePrint Archive 2018 (2018), 992. Retrieved from https://eprint.iacr.org/2018/992

Google Scholar

[9]

Boaz Barak, Ran Canetti, Yehuda Lindell, Rafael Pass, and Tal Rabin. 2011. Secure computation without authentication. Journal of Cryptology 24, 4 (2011), 720–760. DOI:

Digital Library

Google Scholar

[10]

Mihir Bellare and Phillip Rogaway. 1993. Random oracles are practical: A paradigm for designing efficient protocols. In CCS’93, Proceedings of the 1st ACM Conference on Computer and Communications Security, 1993.62–73. DOI:

Digital Library

Google Scholar

[11]

Michael Ben-Or. 1983. Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract). In Proceedings of the 2nd Annual ACM Symposium on Principles of Distributed Computing, Robert L. Probert, Nancy A. Lynch, and Nicola Santoro (Eds.). ACM, 27–30.

Digital Library

Google Scholar

[12]

Iddo Bentov and Ranjit Kumaresan. 2014. How to use bitcoin to design fair protocols. In Proceedings of the Advances in Cryptology - CRYPTO 2014-34th Annual Cryptology Conference, Part II. 421–439. DOI:

Crossref

Google Scholar

[13]

Iddo Bentov and Ranjit Kumaresan. 2014. How to Use Bitcoin to Incentivize Correct Computations. ACM CCS 2014. (2014).

Google Scholar

[14]

Piotr Berman and Juan A. Garay. 1993. Randomized distributed agreement revisited. In Proceedings of the Digest of Papers: FTCS-23, The 23rd Annual International Symposium on Fault-Tolerant Computing. IEEE Computer Society, 412–419. DOI:

Crossref

Google Scholar

[15]

Paolo Boldi, Shella Shammah, Sebastiano Vigna, Bruno Codenotti, Peter Gemmell, and Janos Simon. 1996. Symmetry breaking in anonymous networks: Characterizations. In Proceedings of the 4th Israel Symposium on Theory of Computing and Systems, Proceedings. IEEE Computer Society, 16–26.

Google Scholar

[16]

Malte Borderding. 1996. Levels of authentication in distributed agreement. In Distributed Algorithms, 10th International Workshop, WDAG’96, Bologna, Italy, October 9–11, 1996, Proceedings, Özalp Babaoglu and Keith Marzullo (Eds.). Lecture Notes in Computer Science, Vol. 1151. Springer, 40–55. DOI:

Crossref

Google Scholar

[17]

Ran Canetti. 2000. Security and composition of multiparty cryptographic protocols. Journal of Cryptology 13, 1 (2000), 143–202.

Digital Library

Google Scholar

[18]

Ran Canetti. 2000. Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067. (2000). Retrieved from http://eprint.iacr.org/2000/067

Digital Library

Google Scholar

[19]

Ran Canetti. 2001. Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42nd Annual Symposium on Foundations of Computer Science. IEEE Computer Society, 136–145. DOI:

Crossref

Google Scholar

[20]

Ran Canetti. 2020. Universally composable security. Journal of the ACM 67, 5 (2020), 28:1–28:94. DOI:

Digital Library

Google Scholar

[21]

David Chaum. 1982. Blind signatures for untraceable payments. 199–203.

Google Scholar

[22]

Flaviu Cristian, Houtan Aghili, H. Raymond Strong, and Danny Dolev. 1995. Atomic broadcast: From simple message diffusion to byzantine agreement. Information and Computation 118, 1 (1995), 158–179. DOI:

Digital Library

Google Scholar

[23]

Kyle Croman, Christian Decker, Ittay Eyal, Adem Efe Gencer, Ari Juels, Ahmed E. Kosba, Andrew Miller, Prateek Saxena, Elaine Shi, Emin Gün Sirer, Dawn Song, and Roger Wattenhofer. 2016. On scaling decentralized blockchains - (A position paper). In Proceedings of the Financial Cryptography and Data Security - FC 2016 International Workshops, BITCOIN, VOTING, and WAHC, Christ Church, Barbados, February 26, 2016, Revised Selected Papers, Jeremy Clark, Sarah Meiklejohn, Peter Y. A. Ryan, Dan S. Wallach, Michael Brenner, and Kurt Rohloff (Eds.). Lecture Notes in Computer Science, Vol. 9604. Springer, 106–125. DOI:

Crossref

Google Scholar

[24]

Cunicula. 2013. Why doesn’t Bitcoin use a tiebreaking rule when comparing chains of equal length? Retrieved from https://bitcointalk.org/index.php?topic=355644.0

Google Scholar

[25]

Christian Decker and Roger Wattenhofer. 2013. Information propagation in the Bitcoin network. In Proceedings of the Peer-to-Peer Computing (P2P), 2013 IEEE 13th International Conference. IEEE, 1–10.

Crossref

Google Scholar

[26]

Amir Dembo, Sreeram Kannan, Ertem Nusret Tas, David Tse, Pramod Viswanath, Xuechao Wang, and Ofer Zeitouni. 2020. Everything is a race and nakamoto always wins. In Proceedings of the CCS’20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna (Eds.). ACM, 859–878. DOI:

Digital Library

Google Scholar

[27]

Danny Dolev, Rüdiger Reischuk, and H. Raymond Strong. 1990. Early stopping in byzantine agreement. Journal of the ACM 37, 4 (1990), 720–741. DOI:

Digital Library

Google Scholar

[28]

John R. Douceur. 2002. The sybil attack. In Peer-to-Peer Systems, First International Workshop, Revised Papers, Peter Druschel, M. Frans Kaashoek, and Antony I. T. Rowstron (Eds.). Lecture Notes in Computer Science Vol. 2429. Springer, 251–260. DOI:

Crossref

Google Scholar

[29]

Devdatt P. Dubhashi and Alessandro Panconesi. 2012. Concentration of Measure for the Analysis of Randomized Algorithms. Cambridge University Press, New York, NY, USA.

Digital Library

Google Scholar

[30]

Cynthia Dwork, Nancy A. Lynch, and Larry J. Stockmeyer. 1988. Consensus in the presence of partial synchrony. Journal of the ACM 35, 2 (1988), 288–323. DOI:

Digital Library

Google Scholar

[31]

Cynthia Dwork and Moni Naor. 1992. Pricing via processing or combatting junk mail. In CRYPTO, Ernest F. Brickell (Ed.). Lecture Notes in Computer Science, Vol. 740. Springer, 139–147.

Digital Library

Google Scholar

[32]

Ittay Eyal and Emin Gun Sirer. 2014. Majority is not enough: Bitcoin mining is vulnerable. In Proceedings of the Financial Cryptography.

Crossref

Google Scholar

[33]

Pesech Feldman and Silvio Micali. 1997. An optimal probabilistic protocol for synchronous byzantine agreement. SIAM Journal of the Computing 26, 4 (1997), 873–933.

Digital Library

Google Scholar

[34]

Michael J. Fischer, Nancy A. Lynch, and Mike Paterson. 1985. Impossibility of distributed consensus with one faulty process. Journal of the ACM 32, 2 (1985), 374–382.

Digital Library

Google Scholar

[35]

Matthias Fitzi and Juan A. Garay. 2003. Efficient player-optimal protocols for strong and differential consensus. In Proceedings of the 22nd Annual Symposium on Principles of Distributed Computing, Elizabeth Borowsky and Sergio Rajsbaum (Eds.). ACM, 211–220.

Digital Library

Google Scholar

[36]

Matthias Fitzi, Peter Gazi, Aggelos Kiayias, and Alexander Russell. 2018. Parallel chains: Improving throughput and latency of blockchain protocols via parallel composition. IACR Cryptology ePrint Archive 2018 (2018), 1119. Retrieved from https://eprint.iacr.org/2018/1119

Google Scholar

[37]

Juan Garay and Aggelos Kiayias. 2018. SoK: A Consensus Taxonomy in the Blockchain Era. Cryptology ePrint Archive, Report 2018/754. (2018). Retrieved from https://eprint.iacr.org/2018/754

Google Scholar

[38]

Juan A. Garay, Jonathan Katz, Ranjit Kumaresan, and Hong-Sheng Zhou. 2011. Adaptively secure broadcast, revisited. In Proceedings of the 30th Annual ACM Symposium on Principles of Distributed Computing, Cyril Gavoille and Pierre Fraigniaud (Eds.). ACM, 179–186. DOI:

Digital Library

Google Scholar

[39]

Juan A. Garay and Aggelos Kiayias. 2020. SoK: A consensus taxonomy in the blockchain era. In Proceedings of the Topics in Cryptology - CT-RSA 2020 - The Cryptographers’ Track at the RSA Conference 2020, Proceedings, Stanislaw Jarecki (Ed.). Lecture Notes in Computer Science, Vol. 12006. Springer, 284–318. DOI:

Digital Library

Google Scholar

[40]

Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. 2015. The Bitcoin Backbone Protocol: Analysis and applications. In Proceeding of the Advances in Cryptology - EUROCRYPT 2015-34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Part II. 281–310. DOI:

Crossref

Google Scholar

[41]

Juan A. Garay, Aggelos Kiayias, and Nikos Leonardos. 2017. The Bitcoin Backbone protocol with chains of variable difficulty. In Proceeding of the Advances in Cryptology - CRYPTO 2017-37th Annual International Cryptology Conference, Proceedings, Part I, Jonathan Katz and Hovav Shacham (Eds.). Lecture Notes in Computer Science, Vol. 10401. Springer, 291–323. DOI:

Crossref

Google Scholar

[42]

Juan A. Garay, Aggelos Kiayias, Nikos Leonardos, and Giorgos Panagiotakos. 2018. Bootstrapping the blockchain, with applications to consensus and fast PKI setup. In Proceedings of the Public-Key Cryptography - PKC 2018-21st IACR International Conference on Practice and Theory of Public-Key Cryptography, Proceedings, Part II, Michel Abdalla and Ricardo Dahab (Eds.). Lecture Notes in Computer Science, Vol. 10770. Springer, 465–495. DOI:

Crossref

Google Scholar

[43]

Juan A. Garay, Aggelos Kiayias, and Giorgos Panagiotakos. 2017. Consensus from Signatures of Work. Cryptology ePrint Archive, Report 2017/775. (2017). Retrieved from https://eprint.iacr.org/2017/775

Google Scholar

[44]

Juan A. Garay, Aggelos Kiayias, and Giorgos Panagiotakos. 2019. Iterated Search Problems and Blockchain Security under Falsifiable Assumptions. Cryptology ePrint Archive, Report 2019/315. (2019). Retrieved from https://eprint.iacr.org/2019/315

Google Scholar

[45]

Peter Gazi, Aggelos Kiayias, and Alexander Russell. 2020. Tight consistency bounds for bitcoin. In Proceedings of the CCS’20: 2020 ACM SIGSAC Conference on Computer and Communications Security, Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna (Eds.). ACM, 819–838. DOI:

Digital Library

Google Scholar

[46]

Oded Goldreich, Silvio Micali, and Avi Wigderson. 1987. How to play any mental game or a completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing. ACM, 218–229.

Google Scholar

[47]

Martin Hirt and Vassilis Zikas. 2010. Adaptively secure broadcast. In Proceedings of the Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Proceedings, Henri Gilbert (Ed.). Lecture Notes in Computer Science, Vol. 6110. Springer, 466–485. DOI:

Digital Library

Google Scholar

[48]

Ari Juels and John G. Brainard. 1999. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In Proceedings of the Network and Distributed System Security Symposium. The Internet Society.

Google Scholar

[49]

Jonathan Katz and Chiu-Yuen Koo. 2009. On expected constant-round protocols for Byzantine agreement. Journal of Computer and System Sciences 75, 2 (2009), 91–112. DOI:

Digital Library

Google Scholar

[50]

Jonathan Katz, Ueli Maurer, Björn Tackmann, and Vassilis Zikas. 2013. Universally composable synchronous computation. In Proceedings of the 10th Theory of Cryptography Conference on Theory of Cryptography. 477–498. DOI:

Digital Library

Google Scholar

[51]

Aggelos Kiayias and Giorgos Panagiotakos. 2015. Speed-security tradeoffs in blockchain protocols. IACR Cryptology ePrint Archive 2015 (2015), 1019. Retrieved from http://eprint.iacr.org/2015/1019

Google Scholar

[52]

Aggelos Kiayias and Giorgos Panagiotakos. 2016. On trees, chains and fast transactions in the blockchain. IACR Cryptology ePrint Archive 2016 (2016), 545. Retrieved from http://eprint.iacr.org/2016/545

Google Scholar

[53]

Aggelos Kiayias, Alexander Russell, Bernardo David, and Roman Oliynykov. 2017. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Proceedings of the Advances in Cryptology - CRYPTO 2017-37th Annual International Cryptology Conference, Proceedings, Part I (Lecture Notes in Computer Science), Jonathan Katz and Hovav Shacham (Eds.). Vol. 10401. Springer, 357–388. DOI:

Crossref

Google Scholar

[54]

Aggelos Kiayias, Hong-Sheng Zhou, and Vassilis Zikas. 2016. Fair and robust multi-party computation using a global transaction ledger. In Advances in Cryptology - EUROCRYPT 2016-35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings, Part II, Marc Fischlin and Jean-Sébastien Coron (Eds.). Lecture Notes in Computer Science, Vol. 9666. Springer, 705–734. DOI:

Crossref

Google Scholar

[55]

Ranjit Kumaresan and Iddo Bentov. 2016. Amortizing secure computation with penalties. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 418–429. DOI:

Digital Library

Google Scholar

[56]

Ranjit Kumaresan, Vinod Vaikuntanathan, and Prashant Nalini Vasudevan. 2016. Improvements to secure computation with penalties. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 406–417. DOI:

Digital Library

Google Scholar

[57]

Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. 1982. The byzantine generals problem. ACM Transactions on Programming Languages and Systems 4, 3 (1982), 382–401.

Digital Library

Google Scholar

[58]

Andrew Miller and Joseph J. LaViola. 2014. Anonymous Byzantine Consensus from Moderately-Hard Puzzles: A Model for Bitcoin. University of Central Florida. Tech Report, CS-TR-14-01. (April2014).

Google Scholar

[59]

Satoshi Nakamoto. 2008. Bitcoin: A Peer-to-peer Electronic Cash System. Retrieved from http://bitcoin.org/bitcoin.pdf

Google Scholar

[60]

Satoshi Nakamoto. 2008. “The Proof-of-work Chain is a Solution to the Byzantine Generals’ Problem”. The Cryptography Mailing List, Retrieved from https://www.mail-archive.com/[email protected]/msg09997.html. (November2008).

Google Scholar

[61]

Satoshi Nakamoto. 2009. Bitcoin Open Source Implementation of P2P Currency. Retrieved from http://p2pfoundation.ning.com/forum/topics/bitcoin-open-source

Google Scholar

[62]

Gil Neiger. 1994. Distributed consensus revisited. Information Processing Letters 49, 4 (1994), 195–201.

Digital Library

Google Scholar

[63]

Michael Okun. 2005. Agreement among unacquainted byzantine generals. In Proceedings of the 19th international conference on Distributed Computing, Pierre Fraigniaud (Ed.). Lecture Notes in Computer Science, Vol. 3724. Springer, 499–500.

Digital Library

Google Scholar

[64]

Michael Okun. 2005. Distributed Computing Among Unacquainted Processors in the Presence of Byzantine Distributed Computing Among Unacquainted Processors in the Presence of Byzantine Failures. Ph.D. Thesis Hebrew University of Jerusalem. (2005).

Google Scholar

[65]

Michael Okun and Amnon Barak. 2008. Efficient algorithms for anonymous byzantine agreement. Theory of Computing Systems 42, 2 (January2008), 222–238. DOI:

Digital Library

Google Scholar

[66]

Rafael Pass, Lior Seeman, and Abhi Shelat. 2016. Analysis of the blockchain protocol in asynchronous networks. IACR Cryptology ePrint Archive 2016 (2016), 454. Retrieved from http://eprint.iacr.org/2016/454

Google Scholar

[67]

Rafael Pass and Elaine Shi. 2017. FruitChains: A fair blockchain. In Proceedings of the ACM Symposium on Principles of Distributed Computing, Elad Michael Schiller and Alexander A. Schwarzmann (Eds.). ACM, 315–324. DOI:

Digital Library

Google Scholar

[68]

Marshall C. Pease, Robert E. Shostak, and Leslie Lamport. 1980. Reaching agreement in the presence of faults. Journal of the ACM 27, 2 (1980), 228–234.

Digital Library

Google Scholar

[69]

Michael O. Rabin. 1983. Randomized byzantine generals. In Proceedings of the 24th Annual Symposium on Foundations of Computer Science. IEEE Computer Society, 403–409.

Digital Library

Google Scholar

[70]

R. L. Rivest, A. Shamir, and D. A. Wagner. 1996. Time-lock Puzzles and Timed-release Crypto. Technical Report. Cambridge, MA, USA.

Digital Library

Google Scholar

[71]

Fred B. Schneider. 1990. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys 22, 4 (December1990), 299–319. DOI:

Digital Library

Google Scholar

[72]

Yonatan Sompolinsky and Aviv Zohar. 2013. Accelerating bitcoin’s transaction processing. Fast money grows on trees, not chains. IACR Cryptology ePrint Archive 2013 (2013), 881. Retrieved from http://eprint.iacr.org/2013/881

Google Scholar

[73]

Andrew Chi-Chih Yao. 1982. Protocols for secure computations (extended abstract). In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science. IEEE, 160–164.

Google Scholar

Cited By

View all

Sai Dasarath KSai Pranith KLeela Balaji KSena Reddy BBindu G(2024)Blockchain-Based Solution for Supply Chain Data IntegrityInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAY148(193-198)Online publication date: 17-May-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAY148

Index Terms

The Bitcoin Backbone Protocol: Analysis and Applications
1. Security and privacy
  1. Cryptography
    1. Mathematical foundations of cryptography

Recommendations

Mastering Bitcoin: The Secret Tips on Making Money Through Bitcoin Mining and Investment
Bitcoin for Dummies: Bitcoin Secrets and Tips that Will Change Your Life in Three Weeks
The effects of individual-level espoused national cultural values on the willingness to use Bitcoin-like blockchain currencies
Abstract
Some have called bitcoin a real bubble, while, according to others, it is the most radical invention of the twenty-first century. Nevertheless, there is a consensus regarding the disruptive potential of blockchain technology, which is ...
Highlights
- Espoused national cultural values affect the use of blockchain currencies.
- ...

Comments

Information & Contributors

Information

Published In

Journal of the ACM Volume 71, Issue 4

August 2024

240 pages

EISSN:1557-735X

DOI:10.1145/3613647

Editor:
Venkatesan Guruswami
University of California, Berkeley, United States

Issue’s Table of Contents

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 August 2024

Online AM: 18 April 2024

Accepted: 06 December 2023

Revised: 13 April 2021

Received: 26 June 2019

Published in JACM Volume 71, Issue 4

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
752
Total Downloads

Downloads (Last 12 months)752
Downloads (Last 6 weeks)547

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Sai Dasarath KSai Pranith KLeela Balaji KSena Reddy BBindu G(2024)Blockchain-Based Solution for Supply Chain Data IntegrityInternational Journal of Innovative Science and Research Technology (IJISRT)10.38124/ijisrt/IJISRT24MAY148(193-198)Online publication date: 17-May-2024
https://doi.org/10.38124/ijisrt/IJISRT24MAY148

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

1 Introduction

2 Model and Definitions

3 The Bitcoin Backbone Protocol

3.1 The Backbone Protocol

3.2 (Desired) Properties of the Backbone Protocol

4 Analysis of the Bitcoin Backbone

4.1 Definitions and Preliminary Lemmas

4.2 Common Prefix Property

4.3 Chain Quality Property

4.4 Adaptive Adversaries

5 Simple PoW-based Byzantine Agreement Protocols

5.1 Nakamoto’s Suggestion for Byzantine Agreement

5.2 A Byzantine Agreement Protocol for (1/3)-bounded Adversaries

6 Public Transaction Ledgers

6.1 Robust Public Transaction Ledgers

6.2 Bitcoin-like Transactions and Ledger

6.3 Byzantine Agreement for Honest Majority

7 The Bitcoin Backbone in the Bounded-Delay Model

8 Summary and Directions for Future Work

Acknowledgements

Footnotes

A Useful Inequalities

References

Cited By

Index Terms

Recommendations

Mastering Bitcoin: The Secret Tips on Making Money Through Bitcoin Mining and Investment

Bitcoin for Dummies: Bitcoin Secrets and Tips that Will Change Your Life in Three Weeks

The effects of individual-level espoused national cultural values on the willingness to use Bitcoin-like blockchain currencies

Comments

Information

Published In

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations