Low-Variance Mining with Bobtail - Scaling Bitcoin...• The variance of Bitcoin’s inter-block...

Low-Variance Mining with Bobtail

– or – Why Variance is the Root of All Evil

College of Information & Computer Sciences

Brian Neil Levine

George Bissias and

U N I V E R S I T Y O F M A S S A C H U S E T T S A M H E R S T https://arxiv.org/abs/1709.08750

Overview• The variance of Bitcoin’s inter-block delay is more than an annoyance.

• It’s at the root of doublespend, selfish mining, and eclipse attacks.

• We propose a simple method of low-variance mining

• We evaluate its performance and show how it increases security

• We talk about consequences of deployment

Problem Definition

5% of blocks take at least 30 minutes 80% of blocks are between 1–21 minutes

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

seconds per block (Ethereum)

minutes per block (Bitcoin)

Problem Definition0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

minutes per block (Bitcoin)C

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

0 5 10 15 20 25 30 35 40

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

0 5 10 15 20 25 30 35 40

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

t }5% of blocks take at least 30 minutes 80% of blocks are between 1–24 minutes

Variance in PoW Mining• Inter-block time variance is due to

Proof of Work mining. • Each miner samples from a uniform

distribution • The first miner to find 1 sample below a

target wins.

• Until they pick a number that meets the target.

• When the network of miners get lucky, blocks come early.

• When the network of miners get very unlucky, blocks come late.

0 2256target

Variance in PoW Mining• Inter-block time variance is due to

Proof of Work mining. • Each miner samples from a uniform

distribution • The first miner to find 1 sample below a

target wins.

• Until they pick a number that meets the target.

• When the network of miners get lucky, blocks come early.

• When the network of miners get very unlucky, blocks come late.

0 2256target

Variance is the root of all evil• With low variance between blocks, blockchains would perform more consistently.

• Fast blocktimes are what some competitors have over Bitcoin. • Waiting 6 blocks to overcome fear of doublespend is a drag.

• Wouldn’t it be better if blocks almost always arrived within 7–12 minutes? • And if we were confident about waiting just 1 block?

• But variance is not just an inconvenience:

• High variance mining is the cause of low security in blockchains.

Variance is the root of all evil• When you enter a casino, the house has the advantage.

• In expectation the house will win. • Your goal is to keep betting until you are ahead, and then exit. • This strategy is possible because you are taking advantage of variance • The house occasionally loses, possibly a few times in a row.

Doublespend Attacks• Doublespend attacks are

a race between honest and attacking miners.

• Just like in the casino, there is a non-zero chance she’ll win.

• She’s waiting for either: • the honest miners to hit a

sequence of unlucky block discovery times

• for herself to hit a sequence of lucky block discovery times.

good evil

Selfish Mining Attacks

good evil

• Selfish mining attacks have the same story.

• Several countries are considering launching blockchains

• Some countries are starting to not like them.

• What is the current defense against Nation/state-based SM attacks on a currency?

good evil

Reducing Variance in PoW Mining

0 2256

target

• Bobtail: the mean of the k-lowest samples must be below the target. • The samples come from all miners.

0 2256

target

0 2256

target

0 2256

target

Ak = 4

0 2256

target

Ak = 4

0 2256

target

ACk = 4

0 2256

target

ACk = 4

0 2256

target

ACk = 4

0 2256

target

A B AC

ACk = 4

0 2256

target

A B AC

ACk = 4

Reducing Variance in PoW Mining• Target is adjusted so there is no change in the expected number of samples.

• k can be raised or lowered from one block to the next without issues.

• This is basic applied statistics: • if you want a better estimate, take more samples. • Compared to Bitcoin, variance of inter-block time is reduced:

Reduction in variance:

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

Problem Definition

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

Problem Definition

k: 1k: 5

k: 10k: 20

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

010002000

0100020003000

020004000

0200040006000

k: 1k: 5

k: 10k: 20

0 10 20 30 40 50 60 70 80 90 100 110

0 10 20 30 40 50 60 70

010002000

0100020003000

020004000

0200040006000

0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

Problem Definition

Problem DefinitionFor Bitcoin now (k=1):

• Worst 5% of blocks take 30–70 minutes.

0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

Problem DefinitionFor Bitcoin now (k=1):

• Middle 80% of blocks take 1–24 minutes.

0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

}Problem Definition0 5 10 15 20 25 30 35 40 45 50 55 60

0 5 10 15 20 25 30 35 40

For k=40:

• eclipse attacks are trivial to detect.

• Middle 80% of blocks take 7–12 minutes.

Increased Security: Doublespend

●●

●●●

1 2 3 4 5 6 7 8 9 10k

attacker mining power●

0.10.2

0.30.4

0.450.49

Bitcoin

For Bitcoin now (k=1):

• A 20% miner has a 13% chance of doublespend at z=1 blocks.

• And 1% chance at z=6 blocks.

When k=5, the 20% miner at z=1 block is 1%.

Increased Security: Doublespend

●●

●●●

1 2 3 4 5 6 7 8 9 10k

0.10.2

0.30.4

0.450.49

Bitcoin

For Bitcoin now (k=1):

• A 20% miner has a 13% chance of doublespend at z=1 blocks.

• And 1% chance at z=6 blocks.

When k=5, the 20% miner at z=1 block is 1%.

• When k=40, Bitcoin double spending after z=1 blocks requires ~40% of the mining power to get above 1% chance of success.

• 50x improvement.

Doublespend for z=1 block

●●

●●●

●●●●

0 10 20 30 40 50 60 70 80 90 100k

0.10.2

0.30.4

0.450.49

Bitcoin

• When k=40, Bitcoin double spending after z=1 blocks requires ~40% of the mining power to get above 1% chance of success.

• 50x improvement.

Doublespend for z=1 block

●●

●●●

●●●●

0 10 20 30 40 50 60 70 80 90 100k

0.10.2

0.30.4

0.450.49

Bitcoin

●●

● ●●

●●

● ● ● ●●

● ● ● ● ●●

● ● ● ● ● ● ●

● ● ● ● ● ● ● ●

0.0 0.1 0.2 0.3 0.4 0.5attacker mining power

n k●

125102040

Selfish Mining can be eliminated • With Bitcoin, any amount of

mining power enables the attack.

Selfish Mining can be eliminated • With Bitcoin, any amount of

mining power enables the attack.

• When k≥5, attackers need 43% of the mining power to selfish mine.

• When k≥20, attackers need 49% of the mining power to selfish mine.

• No other defense against DoS attacks are available.

• k can be adjusted on the fly.●

●●

● ●●

●●

● ● ● ●●

● ● ● ● ●●

● ● ● ● ● ● ●

● ● ● ● ● ● ● ●

0.0 0.1 0.2 0.3 0.4 0.5attacker mining power

n k●

125102040

Version 1 Deployment (Naive)• Naive version: miners simply announce block headers as they find them.

• Each new block on the chain is a collection of k full headers. • Instead of an 80-byte header, headers would be k*80 bytes.

• That’s 800B for k=10, and 3KB for k=40

• A lot of traffic as values are found. • But values greater than k*target will never be part of the block.

• Since headers can be stolen, no incentive for miners to share.

Version 2 Deployment (no stealing)• Reward all miners who helped find the k values

• Miners collect transactions and create standard header, h.

• let v= Hash( Hash(h), prior, Address)• If v<kt, then miners announce the pre-image of 36 bytes• Recipients check if hash of pre-image is less than kt.

• Values cannot be stolen as Address is a part of the hash pre-image.

• Values cannot be reused since prior is part of the hash pre-image.

• Still: When a block is found, there are k-1 values that can be reused!

8Bytes of 8Bytes of

Version 3 (no reuse of values)• To prevent this problem, we add another field to the

hash. • Miners keep track of the Least Order Stat they’ve seen to date • v= Hash( Hash(h), Address, Prior, LOS)• 8+20+8+8= 44 bytes per k• No values can be included in the LOS is lower than the

lowest OS. • Coinbase reward is via a ranking by LOS; ties are broken by v.

• Reduces the rewards for miners that attempt it. • This drastically reduces the opportunities for reuse. • This also thwarts hoarding among a collusion of miners.

Ethereum Bitcoin

5 6 7 8 9 10 5 6 7 8 9 100%

Number of honest miners out of 10

attacker

honest

Ethereum Bitcoin

5 6 7 8 9 10 5 6 7 8 9 100%

attacker

honest

Ethereum Bitcoin

5 6 7 8 9 10 5 6 7 8 9 100%

attacker

honest

Rewardsk L.O.S. Proof Reward (BTC)

1 - 358325 11.9882020

2 358325 1217458 0.2827381

3 358325 1721868 0.1339286

4 358325 1777139 0.0632440

6 358325 1995396 0.0139509

8 358325 3621245 0.0030227

12 358325 4582015 0.0001308

14 358325 4781376 0.0000254

17 358325 7277279 0.0000018

k L.O.S. Proof Reward (BTC)9 1826037 3761724 0.0012788

11 1826037 4420661 0.000290615 1826037 6302668 0.000010918 1826037 7514262 0.000000719 1826037 7601030 0.00000025 3521660 1826037 0.0111607

13 3521660 4707122 0.00003637 3927808 3521660 0.0018601

20 3927808 7881560 0.000000110 6374495 3927808 0.000116316 9175814 6374495 0.0000009

Proportional Rewards• Simulations show that

rewards are proportion to mining power

• Results are same as Bitcoin today.

●●

●● ●

● ●●

● ● ●

●●

● ● ● ●●0%

2%4%6%8%10%12%14%16%18%

0 5 10 15 20miner

proportion

Frequently Asked Questions• Doesn’t this slow down the block announcements?

• Seen my Graphene presentation? • Each k value has an INV. • And can be stuffed into Bloom Filter and IBLT.

• Don’t the rich get richer? • No, that would be the case if we took the k-lowest values from each miner.

• What about existing ASICS? • Yes, I think maybe they can be used for this (possibly).

Using existing ASICs• version (4)

• prior (32)

• merkle (32)

• time (4)

• nBits (4)

• nonce (4)

• version (4)

• address (20), and LOS (12)

• Hash(h)>> 24 (8), Prior>>24 (8), pad with 16 bytes of zeros

• nonce (4)

• kt bound

• nonce (4)

64 bits of nonce to play with

Header would be 56(k-1)+80 bytes

Summary

k header (bytes)

coinbase(bytes)

equivalent to #TXNs

90% delay (minutes)

mining power needed for selfish

mining

mining power needed to

doublespend(2 blocks)

1 358325 -1 80 205 0 ½ – 40 0% 10%

5 256 345 1 3½ – 19 42% 20%

10 476 520 3 5 – 16½ 46% 25%

20 916 870 7 6½ – 14½ 49% 35%

40 1796 1570 14 7½ – 13 49.5% 40%

Conclusion• Bobtail reduces inter-block time variance in PoW blockchains

• by generalizing target criterion to k values.

• Significantly increases difficulty of doublespend

• Effectively eliminates selfish mining

• Reward rate and orphan rate do not change.

• Secure against attacks

• Cost is very small in terms of bytes.

• Adjustable and incrementally deployable bnl@umass.edu

Conclusion• Bobtail reduces inter-block time variance in PoW blockchains

• by generalizing target criterion to k values.

• Significantly increases difficulty of doublespend

• Effectively eliminates selfish mining

• Reward rate and orphan rate do not change.

• Secure against attacks

• Cost is very small in terms of bytes.

• Adjustable and incrementally deployable

Bobtail

bnl@umass.edu

Low-Variance Mining with Bobtail - Scaling Bitcoin...• The variance of Bitcoin’s inter-block...

Documents

How Bad is Selﬁsh Routing?tedb/Courses/UCSBpf/routing.pdf · How Bad is Selﬁsh Routing?∗ Tim Roughgarden† Eva Tardos´ ‡ December 5, 2001 Abstract We consider the problem

PONDICHERRY UNIVERSITY...Standard costing and variance analysis: material cost variance- Labour cost variance- overhead variance- sales variance- profit variance. Unit –IV Financial

Exploring selﬁsh reinforcement learning in … Agent Multi-Agent Syst DOI 10.1007/s10458-006-9007-0 Exploring selﬁsh reinforcement learning in repeated games with stochastic rewards

Operating Variance Details - Brampton Budget/Proposed...Variance - 1 Operating Variance Details Brampton Library Variance - 2 Community Services Variance - 5 Corporate Services Variance

Stats notes Chapter 5 of Data Mining From Witten and Franklohall/dm/Chpt5mod.pdf · Mean and variance for a Bernoulli trial: p, p (1–p) Expected success rate f=S/N Mean and variance

Introduction to Bitcoincrp161/wiki.files/bitcoinDec2015c.pdf · Mining pools Miners create cartels called the mining pools This allows them to reduce the variance of their income

Analysis of variance reporting - Nelson CollegeMinistry of Education | Analysis of variance reporting Analysis of variance reporting Analysis of variance reporting School name: NELSON

Allan variance - Iowa State Universityhome.engineering.iastate.edu/~shermanp/AERE432/lectures/Rate Gyros... · Allan variance 1 Allan variance The Allan variance (AVAR), also known

How Many Attackers Can Selﬁsh Defenders Catch?mavronic/pdf/HAWAII.pdfHow Many Attackers Can Selﬁsh Defenders ... Since malicious attacks are independent, ... with a Fractional

Uncle-Block Attack: Blockchain Mining Threat Beyond Block ... › ~schang2 › docs › UBA_ACNS19.pdf · in PoW join mining pools to reduce the variance for more stable reward income

variance co-variance

Stubborn Mining: Generalizing Selﬁsh Mining and …kartik/papers/5_stubborn_eclipse.pdfstubborn miner can additionally exploit network-level at-tacks to further increase its gains

Selﬁsh MAC Layer Misbehavior in Wireless Networksdisc.ece.illinois.edu/publications/kyasanur2004tmc.pdf · Selﬁsh MAC Layer Misbehavior in Wireless Networks Pradeep Kyasanur+

One-Way Analysis of Variance (ANOVA): Between …howardsei.org/uploads/One-way_Between_ANOVA.pdf · Systematic Variance Systematic variance (or between-groups variance) is that part

Stubborn Mining: Generalizing Selﬁsh Mining and Combining with an Eclipse Attackkartik/papers/5_stubborn_eclipse.pdf · 2018. 10. 11. · members of a mining pool can launch a block

Stubborn Mining: Generalizing Selﬁsh Mining and Combining ... · Stubborn Mining: Generalizing Selﬁsh Mining and Combining with an ... thus violating the longest-chain ... while

MINING ERROR VARIANCE AND HITTING PAY …socpsy/papers/miningError.pdf · MINING ERROR VARIANCE AND HITTING PAY-DIRT: Discovering Systematic Variation in Social Sentiments Lisa Thomas

Optimal Selﬁsh Mining Strategies in Bitcoinyoni_sompo/pubs/15/SelfishMining.pdf · Optimal Selﬁsh Mining Strategies in Bitcoin Ayelet Sapirshtein1, Yonatan Sompolinsky1, and Aviv

Hunts better than selﬁsh ones - arXiv · 2017-12-11 · Hunts better than selﬁsh ones Alexander Peysakhovich Facebook AI Research Adam Lerer Facebook AI Research Abstract Deep

Variance swaps and CBOE S&P 500 variance futures