Proof of Work Without All the Work:Computationally Efficient Attack-Resistant Systems

Diksha Gupta1, Jared Saia ∗2, and Maxwell Young†3

1Dept. of Computer Science, University of New Mexico, NM, USAdgupta@unm.edu

2Dept. of Computer Science, University of New Mexico, NM, USAsaia@cs.unm.edu

3Computer Science and Engineering Dept., Mississippi State University, MS, USAmyoung@cse.msstate.edu

Abstract

Proof-of-work (PoW) is an algorithmic tool used to secure networks by imposing a computationalcost on participating devices. Unfortunately, traditional PoW schemes require that correct devices per-form computational work perpetually, even when the system is not under attack.

We address this issue by designing a general PoW protocol that ensures two properties. First, the net-work stays secure. In particular, the fraction of identities in the system that are controlled by an attackeris always less than 1/2. Second, our protocol’s computational cost is commensurate with the cost of anattacker. In particular, the total computational cost of correct devices is a linear function of the attacker’scomputational cost plus the number of correct devices that have joined the system. Consequently, if thenetwork is attacked, we ensure security with cost that grows linearly with the attacker’s cost; and, in theabsence of attack, our computational cost remains small. We prove similar guarantees for bandwidthcost.

Our results hold in a dynamic, decentralized system where participants join and depart over time, andwhere the total computational power of the attacker is up to a constant fraction of the total computationalpower of correct devices. We demonstrate how to leverage our results to address important security prob-lems in distributed computing including: Sybil attacks, Byzantine consensus, and Committee election.

∗This work is supported by the National Science Foundation grants CNS-1318880 and CCF-1320994.†This work is supported by the National Science Foundation grant CCF 1613772 and by a research gift from C Spire.

1

arX

iv:1

708.

0128

5v3

[cs

.DC

] 1

7 Fe

b 20

18

1 Introduction

Twenty-five years after its introduction by Dwork and Naor [62], proof-of-work (PoW) is enjoying a researchrenaissance. Succinctly, PoW is an economic tool to prevent abuse of a system by requiring participants tosolve computational puzzles in order to access system resources or participate in group decision making. Inrecent years, PoW is playing a critical role in cryptocurrencies such as Bitcoin [119], and other blockchaintechnologies [30, 48, 57, 64, 86, 107, 134].

Yet, despite success with Bitcoin and its analogs, PoW has not found widespread application in miti-gating a range of malicious behaviors, such as Sybil attacks [60], and application-layer distributed denial-of-service (DDoS) attacks. These are well-known and enduring security problems for which PoW seemswell-suited, and yet proposals [33,41,78,90,105,110,130,156,157] built around PoW have seen only limiteddeployment.

A Barrier to Widespread Use. A major impediment to the widespread use of PoW is “the work”. Inparticular, current PoW approaches have significant computational overhead, given that puzzles must al-ways be solved, even when the system is not under attack. This non-stop resource burning translates into asubstantial energy — and, ultimately, a monetary – cost [47, 63, 149].1 Consequently, PoW approaches arecurrently used primarily in applications where participants have a financial incentive to continually performwork, such as cryptocurrencies. This is a barrier to wide-spread use of a technique that has the potential tofundamentally advance the field of cybersecurity.

In light of this, we seek to reduce the cost of PoW systems and focus on the following question: Canwe design PoW systems where the resource costs are low in the absence of attack, and grow commen-surately with the effort expended by an attacker?

In this paper, we design and analyze an algorithm that answers this question in the affirmative. Initially,our result is presented in the context of the Sybil attack; however, it applies more generally to safeguardinga distributed system from any attack where an adversary seeks to obtain significantly more than its fair shareof network resources.

1.1 Our Model

Our system consists of virtual identifiers (IDs), and an attacker (or adversary). Each ID is either good orbad. Each good ID follows our algorithm, and all bad IDs are controlled by the adversary.

Adversary. Our assumption that a single adversary controls all the bad IDs pessimistically represents perfectcollusion and coordination among the bad IDs. Bad IDs may deviate from our protocols in an arbitrarymanner including sending incorrect or spurious messages. This type of adversary encapsulates the celebratedSybil attack [60]. Section 1.4 summarizes the extensive prior literature in this area.

We critically assume that the adversary controls up to an α fraction of the computational resources inthe network, for α a constant that is a parameter of our algorithms. This assumption is standard in past PoWliterature [11, 70, 111, 119, 130, 153].

Our algorithms employ public key cryptography, and we make the usual cryptographic assumptionsneeded for this. We assume that the adversary knows all of our algorithms, but does not know the privaterandom bits of any good ID.

Communication. All communication among good IDs occurs through a broadcast primitive, denotedby DIFFUSE, which allows a good ID to send a value to all other good IDs within a known and boundedamount of time, despite the presence of an adversary. We assume that when a message is diffused in the

1For example, in 2015, the Economist calculated that Bitcoin consumes at least 1.46 terawatt-hours of electricity per year, orenough to power 135, 000 American homes [63].

2

network, it is not possible to determine which ID initiated the diffusion of that message. Such a primitive isa standard assumption in PoW schemes [27, 68, 70, 109]; see [112] for empirical justification. We assumethat each message originating at a good ID is signed by the ID’s private key.

Time is discretized into rounds. As a standard assumption, all IDs are assumed to be synchronized, butour algorithms can tolerate a small amount of skew. The length of a round is a positive constant times ∆,where ∆ > 0 is some constant upper bound on the time to deliver a message. As the value of ∆ is madelarger, the communication latency becomes less of a factor; however, computational effort increases.

For simplicity, we initially assume that the time to diffuse a message is small in comparison to the timeto solve computational puzzles.2 However, we later relax this assumption to account for a network latencywhich is upper bounded by ∆.

We pessimistically assume that the adversary can send messages to any ID at will, and that it can readthe messages diffused by good IDs before sending its own.

Hashes and Puzzles. We assume that all IDs know a hash function h that maps bit strings to real numbersin [0, 1). We make the standard random oracle assumption about h [24, 36, 100, 119]. This assumption isthat when first computed on an input, x, h(x) is selected independently and uniformly at random from [0, 1),and that on subsequent computations of h(x) the same output value is always returned.3 A puzzle solutionis typically a certain type of input to the hash function that achieves an output that is sufficiently small.

Let µ denote the number of hash function queries that a good ID can make per unit time. Hence, wemeasure the computational power of a good ID in terms of µ.

Joins and Departures. The system is dynamic with IDs joining and departing over time (i.e., churn),subject to the constraint that at most a constant fraction of the good IDs can join or depart in any round.Maintaining performance guarantees amidst churn is often challenging in decentralized systems [13–17].We pessimistically assume that all join and departure events are scheduled in a worst-case fashion by theadversary.

We assume that all good IDs announce their departure to the network. In practice, this assumption couldbe relaxed through the use of heartbeat messages that are periodically sent out to indicate that an ID is stillin the network.

The minimum number of good IDs in the system at any point is assumed to be at least n0. Our goalis to provide security and performance guarantees for O(nγ0) joins and departures of IDs, for any desiredconstant γ ≥ 1. In other words, the guarantees on our system hold with high probability (w.h.p.)4 over thispolynomial number of dynamic events. This implies security despite a system size that may vary wildlyover time, increasing and decreasing polynomially in n0 above a minimum number of n0 good IDs.

We impose a loose constraint on the rate of departures: at most an ε0-fraction of good IDs may join/departin any single round, where ε0 > 0 is a small, known constant. Note that this constraint still allows for anamount of dynamism that is linear in the current system size.

1.2 Our Goals.

We have two key security goals.

Population Goal: Ensure that the fraction of bad IDs in the entire system is always less than 1/2.

Achieving this goal will help ensure that system resources – such as jobs executed on a server, orbandwidth obtained from a wireless access point – consumed by the bad IDs are (roughly) proportional to the

2A recent study of the Bitcoin network shows that the communication latency is 12 seconds in contrast to the 10 minutes blockinterval [50], which motivates our assumption of computational latency dominating the communication latency in our system.

3In practice, h is a cryptographic hash function, such as SHA-2 [129], with inputs and outputs of sufficiently large bit lengths.4With probability at least 1− n−c0 for any desired c ≥ 1.

3

adversary’s computational power. Possible application domains include: content-sharing overlays [66,147];and open cloud services [9, 40, 114, 160].

Committee Goal: Ensure there always exists a committee that (i) is known to all good IDs; (ii) is of scalablesize i.e., of size Θ(log n0); and (iii) contains less than a 1/2 fraction of bad IDs.

Achieving the Committee Goal will ensure that the committee can solve the Byzantine consensus prob-lem [103]. In this problem, each good ID has an initial input bit. The goal is for (i) all good IDs to decideon the same bit; and (ii) this bit to equal the input bit of at least one good ID.

Byzantine consensus enables participants in a distributed network to reach agreement on a decision,even in the presence of a malicious minority. Thus, it is a fundamental building block for many cryptocur-rencies [32, 65, 70, 77]; trustworthy computing [35, 37, 39, 44, 46, 101, 145]; peer-to-peer networks [3, 128];and databases [117, 133, 169]. Establishing Byzantine consensus via the use of committees is a commonapproach; for examples, see [70, 97, 109].

We note that it is possible to reduce the fraction 1/2 in either goal by reducing the value of α. Second,we expect the Population Goal to be particularly relevant for small or medium-sized networks, where it ismanageable to maintain membership information. In contrast, the Committee Goal may be more relevantfor larger networks, since it does not require maintenance of large membership lists.

1.3 Main Results

We measure computational cost as the effort required to solve computational puzzles (see Section 2.1 fordetails), and we measure bandwidth cost as the number of calls to DIFFUSE. Let TC and TB denote thetotal computational and total bandwidth costs, respectively, incurred by the adversary. Let gnew denote thenumber of good IDs that have joined the system. The lifetime of the system is defined as the time until atleast O(nγ0) i.e., polynomially in n0 join or leave events.

Theorem 1. Assume that the adversary holds at most an α = 1/6-fraction of the total computational powerof the network. Then, w.h.p. our algorithm (CCOM in Section 2) ensures the following properties hold overthe lifetime of the system:

• Population Goal: The fraction of bad IDs in the system is always less than 1/2.

• Committee Goal: There is a committee always known to all IDs such that at all times the committeecontains (1) a logarithmic number of IDs; and (2) less than a 1/2 fraction of bad IDs.

• The cumulative computational cost to the good IDs is O (TC + gnew).

• The cumulative bandwidth cost to the good IDs is O (TB + gnew).

Note that the computational and bandwidth costs incurred by the good IDs grow slowly with the costincurred by the adversary. Recalling our discussion at the beginning of this section, this is precisely the typeof result we sought. When there is no attack on the system, the costs are low and solely a function of thenumber of good IDs; there is no excessive overhead. But as the adversary spends more to attack the system,the costs required to keep the system secure grow commensurately with the adversary’s costs.

Empirical Results and Applications. In Section 3, we empirically evaluate our algorithm. For a variety ofnetworks, our algorithm significantly reduces computational cost.

In Section 4, we discuss applications of our algorithm to (1) Byzantine consensus; and (2) Elastico,which is a committee election algorithm that can be used to achieve consensus on Blockchains for cryp-tocurrencies.

4

1.4 Related Work

A preliminary version of our results appeared as an extended abstract in [82]. This current work makesseveral significant extensions to these earlier results. First, we provide a method to greatly reduce theamount of state that needs to be stored by good IDs; see Section 2.8. Second, we demonstrate that our resultis robust to a bounded amount of communication delay; see Section 2.9. Third, we extend the empiricalevaluation of our algorithm under aggressive attack; see Section 3. Additionally, this work contains the fullproofs, along with an expanded discussion of related work and future open problems.

The Sybil Attack. Our work applies – but is not limited – to the Sybil attack [60]. There is large bodyof literature on mitigating such attacks (for example, see surveys [59, 89, 116, 127]), and additional workdocumenting real-world Sybil attacks [123, 150, 155, 162]. Critically, none of these prior results have thedesired property that the resource costs to the good IDs grow commensurately with the cost incurred by theadversary. We note that this can be characterized as a resource-competitive approach [4, 25, 26, 54, 56, 71,72,74,98,168]. However, for simplicity, we omit a discussion of resource-competitive algorithms since it isnot critical to understanding our results.

We note that obtaining large numbers of machines is expensive; computing power costs money, whetherobtained via Amazon AWS [7] or a botnet rental [10]. This premise is borne out by Bitcoin and other cryp-tocurrencies where an adversary has a strong incentive to wield as much computational power as possible.

Beyond PoW, several other approaches have been proposed. In a wireless setting with multiple com-munication channels, Sybil attacks can be mitigated via radio-resource testing which relies on the inabilityof the adversary to listen to many channels simultaneously [73, 75, 118, 127]. However, this approach mayfail if the adversary can monitor most or all of the channels. Furthermore, the same shortcoming exists: thesystem must constantly perform tests to guarantee security which leads to wasted bandwidth in the absenceof attack.

There are several results that leverage social networks to yield Sybil resistance [104, 115, 158, 165–167]. However, social-network information may not be available in many settings. Another idea is to usenetwork measurements to verify the uniqueness of IDs [22, 58, 69, 108, 144, 154], but these techniques relyon accurate measurements of latency, signal strength, or round-trip times, for example, and this may notalways be possible. Containment strategies are examined in overlays [53,142], but the extent to which goodparticipants are protected from the malicious actions of Sybil IDs is limited.

PoW and Alternatives. As a choice for PoW, computational puzzles provide certain advantages. First,verifying a solution is much easier than solving the puzzle itself. This places the burden of proof on deviceswho wish to participate in a protocol rather than on a verifier. In contrast, bandwidth-oriented schemes, suchas [153], require verification that a sufficient number of packets have been received before any service isprovided to an ID; this requires effort by the verifier that is proportional to the number of packets.

A recent alternative to PoW is proof-of-stake (PoS) where security relies on the adversary holding a mi-nority stake in an abstract finite resource [2]. When making a group decision, PoS weights each participant’svote using its share of the resource; for example, the amount of cryptocurrency held by the participant. Awell-known example is ALGORAND [70], which employs PoS to form a committee. A hybrid approachusing both PoW and PoS has been proposed in the Ethereum system [6]. We note that PoS can only beused in systems where the “stake” of each participant is globally known. Thus, PoS is typically used only incryptocurrency applications.

Recent work by Pass et. al [132] proposes a consensus protocol for a dynamic cryptocurrency system,where they use the blockchain protocol to elect a new committee everyday. The committee runs a ByzantineFault Tolerant (BFT) protocol on the transactions to generate a daily log, which is logged in the blockchain.They introduce a new performance measure called responsiveness that is applicable to a cryptocurrencysystem only if it possesses the ability to log a transaction input to an honest ID within some function of the

5

actual delay rather than that of a loose upper bound on the delay in the system.

Finally, when the number of bad participants is assumed to be always bounded, a number of results onadversarial fault-tolerant systems exist [3, 34, 35, 38, 49, 88, 91, 102, 120, 137–139].

2 Our Algorithm

In this section, we describe the main ingredients that go into our algorithm.

2.1 Computational Puzzles

All IDs have access to a hash function, h, about which we make the standard random oracle assump-tion [24, 36, 100]. Succinctly, this assumption is that when first computed on an input, x, h(x) is selectedindependently and uniformly at random from the output domain, and that on subsequent computations ofh(x) the same output value is always returned. We assume that both the input and output domains are thereal numbers between 0 and 1. In practice, h may be a cryptographic hash function, such as SHA-2 [129],with inputs and outputs of sufficiently large bit lengths.

In general, an ID must find an input x such that h(x) is less than some threshold. Decreasing thisthreshold value will increase the difficulty, since one must compute the hash function on more inputs tofind an output that is sufficiently small. We note that many other types of puzzles exist (for examples,see [87, 93, 135]) and our results are likely compatible with other designs.

We assume that each good ID can perform µ hash-function evaluations per round for µ > 0. Addi-tionally, we assume that µ is of some size polynomial in n0 so that logµ = Θ(log n0). It is reasonable toassume large µ since, in practice, the number of evaluations that can be performed per second is on the orderof millions to low billions [28, 29, 83].

For any integer ρ ≥ 1, we define a ρ-round puzzle to consist of finding ` = C logµ solutions, each ofdifficulty τ = ρ(1 − δ)µ/(C logµ), where δ > 0 is a small constant and C is a sufficiently large constantdepending on δ and µ.

Let X be a random variable giving the expected number of hash evaluations needed to compute ` solu-tions. Then X is a negative binomial random variable and we have the following concentration bound (see,for example, Lemma 2.2 in [20]).

For every 0 < ε ≤ 1, it holds that

Pr(|X − E(X)| ≥ εE(X)) ≤ 2e−ε2`/(2(1+ε))

Given the above, we can show that every good ID will solve a ρ-round puzzle with at most ρµ hashfunction evaluations, and that the adversary must compute at least (1 − 2δ)dρµ hash evaluations to solveevery ρ-round puzzle. This follows from a union bound over O(nγ0) joins and departure events, for Csufficiently large as a function of δ and γ. Note that for small δ, the difference in computational cost isnegligible, and that µ is also unnecessary in comparing costs. Thus, for ease of exposition, we assume thateach ρ-round puzzle requires computational cost ρ to solve.

Finally, each participant v uses a public key Kv, generated via public key encryption, as its ID. Theinput to a puzzle always incorporates Kv and s, where the solution string s is selected by v (for good IDs,s will be a random string).

2.2 How Puzzles Are Used

Although, each puzzle is constructed in the same manner, they are used in two distinct ways by our algo-rithm. First, when a new ID wishes to join the system, it must provide a solution for a 1-round puzzle; this is

6

Commensurate Computation (CCOM):Sold: set of IDs after most recent purge.S: current set of IDs.r: current random seed.

Do the following forever; the committee makes all decisions using Byzantine Consensus:

1. Each joining ID, v, generates a public key; solves an entrance puzzle using that key and the currenttimestamp T and broadcasts the solution via DIFFUSE. Upon verifying the solution, the committeeadds v to S .

2. If |(S ∪ Sold)− (S ∩ Sold)| ≥ |Sold|/3, then the current committee does the following:

• Generate a random string r and broadcast via DIFFUSE.

• Sets Sold and S to the set of IDs that return valid solutions.

• Sets new committee to be the set of IDs submitting the smallest solutions in the range(

12(k+1)/d ,

12k/d

]for some k ≥ 1, and diffuses this new committee to all good IDs.

Figure 1: Pseudocode for CCOM.

referred to as entrance puzzle. Here, the input to the puzzle isKv||s||T , where T is the timestamp of whenthe puzzle solution was generated. In order to be verified, the value T in the solution to an entrance puzzlemust be within some small margin of the current time. In practice, this margin would primarily depend onnetwork latency.

We note that, in the case of a bad ID, this solution may have been precomputed by the adversary byusing a future timestamp. This is not a problem since the purpose of this puzzle is only to force the adver-sary to incur a computational cost at some point, and to deter the adversary from reusing puzzle solutions.Importantly, the entrance puzzle is not used to preserve guarantees on the fraction of good IDs in the system.

The second way in which puzzles are used is to limit the fraction of bad IDs in the system; this is referredto as a purge puzzle. An announcement is periodically made that all IDs already in the system should solvea 1-round puzzle. When this occurs, a random string r of Θ(log nγ0) bits is generated and included aspart of the announcement. The value r must also be appended to the inputs for all requested solutions inthis round; that is, the input is Kv||s||r. These random bits ensure that the adversary cannot engage in apre-computation attack — where it solves puzzles and stores the solutions far in advance of launching anattack — by keeping the puzzles unpredictable. For ease of exposition, we omit further discussion of thisissue and consider the use of these random bits as implicit whenever a purge puzzle is issued.

While the same r is used in the puzzle construction for all IDs, we emphasize that a different puzzle isassigned to each ID since the public key used in the construction is unique. Again, this is only of importanceto the second way in which puzzles are used. Using the public key in the puzzle construction also preventspuzzle solutions from being stolen. That is, ID Kv cannot lay claim to a solution found by ID Kw since thesolution is tied to the public key Kw.

Can a message mv from ID Kv be spoofed? This is prevented in the following manner. ID Kv signs mv

with its private key to get signv, and then sends (mv||signv||Kv) via DIFFUSE. Any other ID can use Kv

to check that the message was signed by the ID Kv and thus be assured that ID Kv is the sender.

7

2.3 Algorithm Overview

We begin by describing our algorithm Commensurate Computation (CCOM). The pseudocode is providedin Figure 1. A key component of our system is a subset of IDs called a committee for which the CommitteeGoal (recall Section 1.2) must hold; this is proved in Section 2.4.

2.3.1 Updating and Maintaining System Membership

The committee tracks the membership in the system using the set S. Updates to this set are performed inthe following manner. Each ID that wishes to join the system must solve an entrance puzzle. Each goodID in the committee will check the solution to the entrance puzzle and, upon verification, the joining ID isallowed into the system.

Verification of a puzzle solution requires checking that (1) all C logµ inputs to h submitted generatean output that is at most (C logµ)/((1 − δ)µ); and (2) each of these inputs contains the string r and alsothe individual public key of the ID. Upon verification, the good IDs in the committee solve BC in order toagree on the contents of S. Those IDs that fail to submit valid puzzle solutions are denied entrance into thesystem.

Similarly, S is also updated and agreed upon when a good ID informs the server that it is departing. Ofcourse, bad IDs may not provide such a notification and, therefore, S is not necessarily accurate at all times.

Finally, if we wish to achieve only the Committee Goal, then the last portion of Line 1 is amended: thereis no need for the committee to verify solutions or maintain S.

2.3.2 Executing Purges

At the beginning of the system, the committee knows the existing membership denoted by Sold; assume|Sold| = n0 initially. At some point, |(S ∪ Sold) − (S ∩ Sold)| ≥ |Sold|/3. When this happens, Step 2 isimmediately triggered, whereby all IDs are issued a purge puzzle and each ID must respond with a validsolution within 1 round. The issuing of these purge puzzles is performed by the committee via the diffusingof r to all IDs; this random string is created via solving BC in order to overcome malicious behavior by badIDs that are members.5

Recall from Section 1.1 that a round is of sufficient length that the computation time to solve a 1-round puzzle dominates the round trip communication time between the client and server (we remove thisassumption later in Section 2.9). The good IDs update and agree on S at the end of the purge.

Figure 2 illustrates this purging process; good IDs are black and bad IDs are red. Let x be the numberof IDs after the most recent purge; at most x/3 of these IDs are bad, since α = 1/3. According to Step 2in CCOM, the next purge occurs immediately when the number of new IDs entering would become greaterthan or equal to x/3. At the point when a purge is triggered, the number of new IDs that have been allowedto enter is less than x/3. Thus, the total number of bad IDs is less than 2

3x, and the total number of goodIDs is at least 2

3x.How is r sent such that each good ID trusts it came from the committee? Recall that a participant v that

joins the system generates a public key, Kv, and the corresponding private key, kv; the public key is used asits ID. If ID Kv is a committee member, it will sign the random string r using its private key kv to obtainsignv. Then, (r||signv||Kv) is sent using DIFFUSE. Any good ID can verify signv via Kv to ensureit returns r. This implicitly occurs in Step 2 of Algorithm 1, but we omit the details in the pseudocode forsimplicity.

5Agreeing on each random bit of r will suffice. Alternatively, a secure multiparty protocol for generating random values can beused; for example, the result in [146].

8

Solve a puzzle or be ejected

Fraction of new IDs ≥ 1/3

Figure 2: An overview of our approach. The system starts with x = 12 IDs of which 4 are bad and 8 aregood. When the (x/3)th = 4th ID joins, a purge is immediately executed and all IDs must solve a purgepuzzle or be ejected from the system.

2.3.3 Updating and Maintaining Committee Membership

Recall from Section 1.1 that good IDs always inform all other IDs of their departure. Thus, a good ID Kv

that is a committee member will inform other committee members of its departure. Since bad IDs maynot inform of their departure, our estimate of churn will not be accurate but this will not jeopardize thecommittee goal.

The execution of CCOM is conceptually broken into sets of consecutive rounds called epochs, which aredelineated by the execution of Step 2. Over the lifetime of the system, the committee should always satisfythe Committee Goal. As joins and departures occur, this invariant may become endangered. To addressthis issue, committees are disbanded and rebuilt over time. In particular, a new committee is completed andready to be used by the start of a each successive epoch, and the currently-used committee is disbanded.

The construction of a new committee occurs in Step 2 over a single round. There is a sequence ofmembership intervals

(1

2(k+1)/d ,1

2k/d

]for k ≥ 1 and where d is a constant we can set subject to d ≥ 20γ

(this is required for the proof of Lemma 1). For each interval, the ID that generates the smallest hash functionoutput in the kth interval becomes the kth committee member; this determination is handled by the currentcommittee. In Section 2.4, we prove that this process results in a committee of size Θ(log n0), which is acriterion of the Committee Goal.

Given that the adversary has a minority of the computational power, we expect the newly-formed com-mittee to have a good majority. Byzantine consensus allows for agreement on the members of the newcommittee, and this is communicated to all good IDs in the network via DIFFUSE. These two propertiessatisfy the other two criteria of the Committee Goal; this is argued formally in Section 2.4.

Over the round during which this construction is taking place, the existing committee still satisfies theCommittee Goal; this is proved in Lemma 1. After the round completes, the new committee members areknown to all good IDs in the system. Those committee members that were present prior to this constructionare no longer recognized by the good IDs. Finally, any messages that are received after this single round areconsidered late and discarded.

2.3.4 Initialization of Committee

Finally, we address the initialization of a committee at the time the system is first created. To do this, wemust solve the view reconciliation problem. In this problem, we start out in our model with some unknownset of good IDs, and an adversary that controls an α fraction of the total computational power. The goal is toensure that (1) all good IDs agree on a set of IDs; and (2) this set contains all of the good IDs, and a number

9

of bad IDs that is at most an α fraction of the set size.Several algorithms to solve this problem have been recently described. In [11], Andrychowicz and

Dziembowski showed how to solve the problem, even for any fixed α < 1. In [94], Katz, Miller and Shidescribed an algorithm to solve the problem when α < 1/2. Both of these protocols require time that isΘ(n), and a number of calls to DIFFUSE by good IDs that is Θ(n2). In a recent result [85], Hou et al.show how to improve these costs substantially for the case where α < 1/4. They describe an algorithm tosolve view reconciliation that takes time Θ

(logn

log logn

), and that requires a number of calls to DIFFUSE that

is Θ(n logn

log logn

).

Because we assume α ≤ 1/6, we are able to use the protocol of [85] for initialization of our system. Westress that we only need to call this protocol once, at system creation.

2.4 Analysis of the Committee Goal

In this section, we prove that with high probability CCOM preserves the Committee Goal over the lifetimeof the system. For any epoch i, we let Bi and Gi respectively denote the number of bad and good IDs inthe system at the end of epoch i, and we letNi = Bi +Gi. Recall that B0 < N0/3. We also assume thatat the time of system creation, the fraction of bad IDs is less than 3/10; in particular, B0 < (3/10)N0.

To simplify our presentation, our claims are proved to hold with probability at least 1 − O(1/nγ+20 ),

where O hides a poly(log n0) factor. Of course, we wish the claims of Theorem 1 to hold with probabilityat least 1 − 1/nγ+1

0 such that a union bound over nγ0 joins and departures yields a w.h.p. guarantee. Byproviding this “slack” of an Ω(1/n0)-factor in each of the guarantees of this section, we demonstrate this isfeasible while avoiding an analysis cluttered with specific settings for the constants used in our arguments.

Throughout the following, Ct denotes the membership of committee in round t ≥ 0 of the current epoch.In particular, C0 denotes the membership of committee upon its creation at the beginning of the currentepoch. We now prove that the committee goal is met over the duration of any epoch.

Throughout, we assume µ = n`0 for some constant ` ≥ 1, since µ is a polynomial in n0 (recall Sec-tion 1.1). The next lemma assumes bounds of α ≤ 1/6. Although a larger value of α may be tolerable, thisbound is chosen in order to simplify the analysis and provide a clean presentation.

Lemma 1. Let α ≤ 1/6, d be a sufficiently large constant depending on γ, and n0 be sufficiently large.Then for any fixed epoch, with probability at least 1− O(1/nγ+2

0 ), the following holds. For any round t ≥ 0in the epoch, Ct has size Θ(log n0), contains a majority of good IDs, and is known to all good IDs.

Proof. Recall that for an ID Kv to become a committee member, it must obtain the smallest value (viaa hash-function evaluation) in

(1

2(k+1)/d ,1

2k/d

]for some integer k ≥ 1. For any k ≥ 1, let the indicator

random variable Xv,k = 1 if ID Kv finds a value in the kth membership interval, although not necessarilythe smallest value in this interval; otherwise, Xv,k = 0.

Fix some an epoch i. Let the set of good IDs present at the beginning of that epoch be denoted byG. These are the good IDs that may become committee members. Let the random variable XG,k =∑

Kv,k∈G Xv,k which counts the number of values by good IDs that land in the kth membership interval.Let the set of all bad IDs present at any point in epoch i be denoted by B. Define XB,k =

∑Kv,k∈BXv,k

which counts the number of values by bad IDs that land in the kth membership interval.

Expected Value Calculation. Fix some k ≥ 1. We have:

E[XG,k] = E

[ ∑Kv∈G

Xv,k

]≥ |G| µ

2k/d= Gi−1

(n`0

2k/d

)Similarly:

10

E[XB,k] = E

[ ∑Kv∈B

Xv,k

]≤ |B| µ

2k/d≤(Gi−1

5

)(n`0

2k/d

)where the last inequality follows from noting that α = |B|

|B|+|G| ≤ 1/6 implies |B| ≤ |G|/5.

Concentration Bounds on XG,k. For a fixed k ≥ 1, the Xv,k variables are independent over different valuesof v. Thus, a Chernoff bound tightly bounds XG,k such that for any δ > 0, we have:

Pr

(XG,k < (1− δ)Gi−1n

`0

2k/d

)≤ exp

(−δ

2Gi−1 n`0

2(k/d)+1

)Let η = Gi−1n

`0/(κ(γ + 2) lnn0) for a sufficiently large constant κ > 0. For the good IDs, we consider k

over the range from 1 to d lg η. In this range:

exp

(−δ

2Gi−1 n`0

2(k/d)+1

)≤ exp

(−(δ2/2)κ(γ + 2) lnn0

)= O

(1/nγ+2

0

)for κ ≥ 2/δ2. Taking a union bound over all d lg η intervals, the following is true with probability atleast 1 − O(1/nγ+2

0 ). For all 1 ≤ k ≤ d lg η, the number of good IDs in the kth interval is at least(1− δ)Gi−1µ/2

k/d.A similar calculation yields upper bounds onXG,k with the same probabilistic guarantee for each interval

over this range of k:

Pr

(XG,k > (1 + δ)

Gi−1n`0

2k/d

)= O

(1/nγ+2

0

)Taking a union bound over over all d lg η intervals, the following is true with probability at least 1 −

O(1/nγ+20 ): for all 1 ≤ k ≤ d lg η, the number of puzzle solutions from good IDs in the kth interval is at

most (1 + δ′)Gi−1µ/2k/d.

Concentration Bounds on XB,k. Over the range of 1 ≤ k ≤ d lg η, a similar argument proves that:

(1− δ)(Gi−1

5

)(n`0

2k/d

)≤ XB,k ≤ (1 + δ)

(Gi−1

5

)(n`0

2k/d

)with probability at least 1−O(1/nγ+2

0 ). A similar union bound shows that the above holds with probability1− O(1/nγ+2

0 ) for all 1 ≤ k ≤ d lg η.However, can the adversary obtain values in membership intervals for k > d lg(η)? For such intervals,

we expect only a small number of values and we pessimistically assume that, if one exists, it belongs to theadversary rather than a good ID.

Each such membership interval has size less than 1/(2jη) for j ≥ 1. We wish to know a value j suchthat, with probability 1 − O(1/nγ0), the adversary does not obtain a puzzle solution in the correspondinginterval, nor in any of the subsequent (smaller) intervals. This will bound the number of committee membersthe adversary obtains from the membership intervals for k > d lg(η). We solve for j in n`0/(2

jη) ≤ 1/nγ+20

which yields

j ≥ (`+ γ + 2) lg n0 − lg η

= (γ + 2) lg n0 − lg(Gi−1) + lg(κ(γ + 2) lnn0)

11

Since Gi−1 ≥ n0, and for sufficiently large n0, it follows that lg(Gi−1) ≥ lg(κ(γ + 2) lnn0). Therefore,with probability at least 1 − O(1/nγ+2

0 ), the adversary gains at most (γ + 2) lg n0 additional committeemembers.

Size of Committee. We note that the same argument used above to bound the number of bad IDs for member-ship intervals with k > d lg(η) also applies to good IDs. By this fact, and the above bounds, with probabilityat least 1− O(1/nγ+2

0 ) the following holds:

d lg(η) ≤ |C0| ≤ d lg(η) + 2(γ + 2) lg(n0)

By the definition of η, and given that ` and γ are constants, it follows that |C0| = Θ(log n0). Finally, sincethe committee size can only decrease, and further it decreases by at most a 1/3-factor within an epoch, itfollows that |Ct| = Θ(log n0) for any round t > 0.

Fraction of Good Committee IDs at the Beginning of Epoch. We begin by analyzing the fraction of good IDsin the committee at the beginning of the epoch. Each hash-function evaluation that falls in the kth member-ship interval has the same probability as any other of being the smallest. Therefore, pulling the abovearguments together: with probability at least 1 − O(1/nγ+2), the probability that a good ID obtains thesmallest output in the kth interval for 1 ≤ k ≤ d lg(η) is at least:

(1− δ)Gi−1n`0/2

k/d

(1 + δ)Gi−1n`0/2k/d + (1 + δ)(Gi−1/5)n`0/2

k/d≥ (1− ε′)5

6

for any ε′ > 0 provided that δ is sufficiently small.To obtain a lower bound on the number of good IDs in C0, define the indicator random variable Yk = 1

if some good ID has the smallest output in the kth interval; otherwise, Yk = 0. Let Y =∑d lg(η)

k=1 Yk. Thisimplies a lower bound on the expected number of good IDs:

E[Y ] =E

d lg(η)∑k=1

Yk

=

d lg(η)∑k=1

E[Yk]

≥d lg(η)∑k=1

(1− ε′)(5/6) = (1− ε′)(5/6)d lg(η)

We now make two observations. First, the Yk values are independent, thus using a Chernoff bound, wecan obtain a tight bound on the number of good IDs in C0:

Pr(Y < (1− 2ε′)(5/6)d lg(η)

)= Pr

(Y <

(1− ε′

1− ε′

)E(Y )

)≤ exp

(− ε′2

2(1− ε′)

(5 d lg η

6

))=O(1/nγ+2

0 )

where the last equality holds for d ≥ (1−ε′)12(γ+2)ε′25 lg(e)

.

Second, we derived above that, with probability at least 1− O(1/nγ+2), |C0| ≤ d lg(η) + 2(γ+ 2) lg n0.Therefore, using our first observation, with probability at least 1 − O(1/nγ+2), the fraction of good IDs inC0 is at least:

(1− 2ε′)(5/6)d lg(η)

d lg(η) + 2(γ + 2) lg(n0)≥ (1− 2ε′)(5/6)d lg(η)

d lg(η) + 2(γ + 2) lg(η)≥ 7/10

12

where the second inequality holds for any d ≥ 21(γ+2)(2−25ε′) . Therefore, for sufficiently large d, C0 has at least a

7/10-fraction of good IDs.The existing committee members come to agreement on C0 by executing a Byzantine Consensus protocol

that succeeds with probability at least 1 − O(1/nγ+20 ). Each committee member propagates its view of C0

to all remaining IDs in the network via DIFFUSE. A good ID not in the committee will take the majorityvalue of these different views and, since the committee has a good majority, the majority value will be C0.Therefore, the newly-formed C0 is known to all good IDs.

Fraction of Good Committee IDs at Any Point in the Epoch. What about the fraction of good committee IDsover the entire epoch? Over the epoch, at most |C0|/3 IDs can depart. In the worst case, these are all goodIDs. Let X denote the number of good IDs in C0, let Y ≥ X denote the total number of IDs in C0, and letZ ≤ Y/3 be the number of good IDs that have left. Then, X−ZY−Z ≥

X−(Y/3)(2/3)Y = (3/2)(X/Y ) − (1/2) ≥

(3/2)(7/10) − (1/2) = 11/20. Where X/Y ≥ 7/10 holds with probability at least 1 − O(1/nγ+20 ) from

the argument above.Recall that at most a constant ε0-fraction of good IDs may depart over the single round in which the

new committee is being formed during Step 2 of CCOM (see our model for joins and departures describedin Section 1.1). By a Chernoff bound, for ε0 < 1/20, the fraction of good IDs that leave the committee istightly bounded such that the fraction of good IDs remaining in the committee exceeds 1/2 with probabilityat least 1 − O(1/nγ+2

0 ) during this final round. Therefore, for the current epoch, a majority of good IDsexists in Ct until a new committee has been created.

Conclusion. By the above steps of our argument, with probability 1− O(1/nγ+20 ), over all rounds t ≥ 0 in

a fixed epoch, the following properties hold for Ct: it has size Θ(log n0); it contains a majority of good IDs;and it is known to all good IDs in the system.

2.5 Analysis of the Population Goal

Lemma 2. For all i ≥ 0, Bi < Ni/3.

Proof. This is true by assumption for i = 0. For i > 0, note that the adversary has computational powerless than Gi/2. Thus, after Step 2 that ends epoch i, we have Bi < Gi/2. Adding Bi/2 to both sides of thisinequality yields (3/2)Bi < Ni/2, from which, Bi < Ni/3.

Let nai , gai , b

ai denote the total, good, and bad IDs that arrive over epoch i. Similarly, let ndi , g

di , b

di

denote the total, good, and bad IDs that depart over epoch i.Note that the committee will always have an accurate value for all of these variables except for possi-

bly bdi — recall from Section 1.1 that bad IDs do not need to give notification when they depart — and,consequently, ndi ; in these two cases, the committee may hold values which are underestimates of the truevalues.

Lemma 3. The fraction of bad IDs is always at most 1/2.

Proof. Fix some epoch i > 0. Recall that an epoch ends when |(S ∪ Sold) − (S ∩ Sold)| ≥ |Sold|/3 where|Sold| = Ni−1. Therefore, we have bai + gdi ≤ Ni−1/3. We are interested in the maximum value of the ratioof bad IDs to total IDs at any point during the epoch. Thus, we pessimistically assume all additions of badIDs and removals of good IDs come first in the epoch. We are then interested in the maximum value of theratio:

Bi−1 + baiNi−1 + bai − gdi

.

13

By Lemma 2, Bi−1 ≤ Ni−1/3. Thus, the we want to find the maximum of Ni−1/3+baiNi−1+bai−gdi

, subject to the

constraint that bai + gdi ≤ Ni−1/3. This ratio is maximized when the constraint achieves equality, that iswhen gdi = Ni−1/3− bai . Plugging this back into the ratio, we get

Ni−1/3 + baiNi−1 + bai − gdi

≤ Ni−1/3 + bai2Ni−1/3 + 2bai

= 1/2

Therefore, the maximum fraction of bad IDs is 1/2 at any point during any arbitrary epoch i > 0.Finally, we note that this argument is valid even though S may not account for bad IDs that have departed

without notifying the committee (recall this is possible as stated in Section 1.1). Intuitively, this is not aproblem since such departures can only lower the fraction of bad IDs in the system; formally, the criticalequation in the above argument is bai + gdi ≤ Ni−1/3, and this does not depend on bdi .

2.6 Cost Analysis and Proof of Theorem 1

We now examine the cost of running CCOM. When computing the bandwidth cost for the decentralizednetwork, we assume that the good IDs are connected in a sparse overlay network. In particular, for epochi, we assume that the number of edges in this network is O(Gi) where O indicates the omission of apoly(logGi) = poly(log n0) factor.

Lemma 4. Let TC and TB denote the total computational and bandwidth costs, respectively, incurred bythe adversary. Let gnew denote the number of good IDs that have joined the system. Then, CCOM has costsas follows:

• The total computational cost to the good IDs is O (TC + gnew).

• The total bandwidth cost to the good IDs is O (TB + gnew).

Proof. We begin with computational cost. In epoch i, the computational cost to the good IDs equals Gi,which is no more than Gi−1 + gai . By the end of epoch i, we know that a 1/3 fraction of the IDs in Coldleave. Let Costi be the computational cost to the algorithm in epoch i, and let Ti be the computation costspent by the adversary in epoch i. There are two cases.

Case 1: At least a 1/6 fraction of the IDs that leave the committee are good. Since the good IDs in thecommittee are a logarithmic-sized random sample of the good IDs in the system, gdi = Θ(Gi−1), with highprobability by a standard Chernoff bound. Thus, Costi ≤ c1g

di + gai for some constant c1.

Case 2: At least a 1/6 fraction of the IDs that leave the committee are bad. Then, at the beginning of theepoch, the adversary must have incurred Θ(Gi−1) computational cost in order to obtain positions in thecommittee for this constant fraction of bad IDs. Thus, Ti−1 = Θ(Gi−1), and so Costi ≤ c2Ti−1 + gai forsome constant c2.

Combining these two cases, we have that for every epoch i, it is the case thatCosti ≤ c1gdi +c2Ti−1+gai .

By summing over all epochs, we get that the total computational cost to the algorithm is no more than thefollowing.

∑i

(c1gdi + c2Ti−1 + gai ) ≤ c2

∑i

Ti + c1

∑i

gdi +∑i

gai

= O (TC + gnew)

14

where the last line follows since gnew =∑

i gai = Ω(gdi ).

To analyze the bandwidth cost, first recall that we assume the IDs are connected in a network withO(Gi) edges. A record-breaking analysis shows that each edge in this network will be traversed by anexpected O(logGi) messages during the formation of a new committee. In particular, the source of eachedge perceives a random sequence of O(Gi) values, and in expectation O(logGi) of these will be thesmallest seen so far, and so will require a message. Thus, the number of messages sent equals the numberof minimum values seen in a sequence of x independent and uniformly distributed random variables on theinterval (0, 1]. This expectation is O(log x); see [79] for details. Thus the total bandwidth cost during theformation of a new committee is O(Gi).

Since this is within logarithmic factors of the computational cost, we can apply the same analysis as forthe computational cost to achieve the bound given in the lemma.

Pulling the pieces together from the previous sections, we can now prove Theorem 1.

Proof. By Lemma 2.4, with probability at least 1 − O(1/nγ+10 ), the committee has a majority of good

IDs, has size Θ(log n0), and its members are communicated to all good IDs via DIFFUSE; therefore, theCommittee Goal is met. Given that the Committee Goal holds, by Lemma 3 the fraction of bad IDs is lessthan 1/2 over the lifetime of the system; therefore, the Population Goal is met. The computational cost andbandwidth cost follows directly from Lemma 4.

2.7 Enhancements to CCOM

In this section, we present two enhancements to our main result. The first allows for a reduction in theamount of state that needs to be maintained by committee members. The second illustrates how our resultscontinue to hold when there is bounded communication latency.

2.8 Reducing Cost of Tracking Departures

In order to determine when an epoch should end, CCOM implicitly requires that the committee communicatewith each good ID to learn of its departure; recall our assumption in Section 1.1 that good IDs alert the com-mittee of their departure. Additionally, the committee must also calculate the symmetric difference betweentwo (possibly large sets) S and Sold. Unfortunately, both this tracking and calculation can be expensive.

To reduce this cost, we modify CCOM such that the committee tracks the state ofO(log n0) IDs currentlyin the system; this set is referred to as a sample set. By tracking how many IDs depart from the (small)sample set, the committee is able to determine the end of an epoch with less computational cost. We referto this modified algorithm as ENHANCED CCOM (ECCOM).

The amount of churn experienced by the system is estimated through sample sets S ′old and S ′, whichare generated by the committee using a hash function h′ computed using secure multi-party computation(MPC) such as in [12, 23, 31, 51, 52, 55, 76]. Note that h′ is unknown to the IDs and thus, the adversarycannot precompute the sample sets. The committee adds an ID, say v to the sample set if the hash of its IDh′(v) ≤ c logn0

|Sold| , for some constant c > 0. A fresh sample set, S′old, is generated at the beginning of every

epoch. As new IDs join the system, they are sampled by the committee using h′ and added to the currentsample set, S′.

Initially, the committee knows the existing membership denoted by S, and so |S| = n0. The committeegenerates S ′old and updates the current sample set, S ′ as described above. At any time during the execution, if|(S ′∪S ′old)−(S ′∩S ′old)| exceeds S ′old/4, the system undergoes a purge test (Step 2). As before, the committeebroadcasts r to conduct purge puzzle with a round of sufficient length that the computation time dominatesthe round trip communication time between the client and committee.Those IDs that fail to submit validpuzzle solutions during step 2 are de-registered — that is, they are effectively removed from the system.

15

Enhanced Commensurate Computation (ECCOM):

S ′old: sample set of IDs after most recent purge.S ′: current sample set of IDs.Sold: set of IDs after most recent purge.S: current set of IDs.r: current random seed.

Do the following forever; the committee makes all decisions using Byzantine Consensus:

1. Each joining ID, v, generates a public key; solves an entrance puzzle using that key and the currenttimestamp T and broadcasts the solution via DIFFUSE. Upon verifying the solution sv, the committeeadds v to S .

2. If h′(v) ≤ c logn0

|Sold| , then add v to S ′.

3. Ping all IDs in S ′old ∪ S ′ in every round, and remove those IDs that do not respond.

4. If |(S ′ ∪ S ′old)− (S ′ ∩ S ′old)| ≥ |S ′old|/4, then the current committee does the following:

• Generate a random string r and broadcast via DIFFUSE.

• Sets Sold and S to the set of IDs that return valid solutions.

• Sets S ′old and S ′ to the set of IDs that return a valid solutions whose value under h′ is at most c logn0

|Sold|

• Sets the current committee to be the set of IDs submitting the smallest solutions in the range(1

2(k+1)/d ,1

2k/d

]for some k ≥ 1, and diffuses this new committee to all good IDs.

Figure 3: Pseudocode for ECCOM.

2.8.1 Estimating the Symmetric Difference

For an epoch i, suppose Sold is the set of IDs in the system at the beginning of the epoch and S is the set ofIDs in the system at time t. Let f iN denote the fraction of new IDs that remain active in the system throughepoch i, and let f iL denote the fraction of IDs that leave from Sold in epoch i. Similarly, let f i

′N denote the

fraction of new IDs that remain active in S ′ through epoch i, and f i′L denote the fraction of IDs that leave

from S ′old in epoch i.

Lemma 5. For any epoch i, if f i′N + f i

′L ≤

14 , then f iN + f iL ≤

13 w.h.p.

Proof. The probability that an ID becomes member of the sample set is c logn0

|Sold| . Fix a time step duringan epoch. Let S be the set of IDs in the system at that time step. Then the size of the sample set willbe |S| c logn0

|Sold| ≥23c log n0 in expectation. From Section 4.2.3 on Chernoff Bounds of [113], for constants

δ = 124 and c ≥ 1728γ, the following hold:

Pr(f iL /∈ [f i′L − δ, f i

′L + δ]) < e

−cδ2 logn02 + e

−cδ2 logn03

Pr(f iN /∈ [f i′N − δ, f i

′N + δ]) < e

−cδ2 logn02 + e

−cδ2 logn03

Thus, w.h.p. f iL ∈ [f i′L − δ, f i

′L + δ] and f iN ∈ [f i

′N − δ, f i

′N + δ], using which we get

f iL + f iN ≤ f i′L + f i

′N + 2δ

On solving the above inequality using the fact that f i′N + f i

′L ≤

14 , we get f iN + f iL ≤

13 .

16

Lemma 6. For any epoch i, if f i′N + f i

′L ≥

14 , then f iN + f iL ≥

16 w.h.p.

Proof. Following the same argument as Lemma 5, we have f iN ≥ f i′N − δ and f iL ≥ f i

′L − δ. On summing

the two inequalities, we get:

f iN + f iL ≥ f i′N − δ + f i

′L − δ ≥

1

4− 2δ ≥ 1

6

Theorem 2. Assume that the adversary holds at most an α = 1/6 fraction of the total computational powerof the network. Then, w.h.p., algorithm ECCOM ensures the following properties hold over the lifetime ofthe system:

• The Population Goal and Committee Goal are maintained.

• The cumulative computational cost to the good IDs is O(TC + gnew).

• The cumulative bandwidth cost to the good IDs is O(TB + gnew).

Proof. From Lemma 5, when the purge puzzle is triggered in ECCOM, the system has seen at most 1/3churn. Hence, from Lemma 3, the Population Goal is satisfied. Also, since the sample set enhancements donot change the rules for forming committees, the Committee Goal is also satisfied.

For calculating the cumulative computational cost to the good IDs, note from Lemma 6 that when thepurge puzzle is triggered, the fraction of churn in the system is at least 1

6 , which is half of the triggeringfraction in CCOM. Thus, extending the results of Theorem 1 by multiplying the cumulative computationalcost by 2, we get that the cumulative computational cost to the good IDs is O(T + gnew) for ECCOM.

The cumulative bandwidth cost follows from Lemma 4.

2.9 Handling Bounded Communication Latency

Previously, all messages were assumed to be delivered with negligible delay when compared with the timeto solve computational puzzles. In this section, we relax this assumption to the following: the adversarymay choose to arbitrarily delay messages, subject to the constraint that they are delivered within a constantnumber of rounds ∆ > 0. Such a model of communication delay is often referred to as partial synchronyor ∆-bounded delay in the literature [61, 131]. We address this issue in the following analysis for each ofour algorithms.

2.9.1 In DISTRIBUTED CCOM

In CCOM, messages are exchanged with good IDs every time the committee is constructed. Thus, weincrease the wait time for receiving the solutions to the purge puzzle by 2∆. To simplify the analysis of a∆-bounded delay in the network where the adversary holds an α-fraction of the total computational power,we can instead consider a 0-bounded delay network, but where the adversary holds an increased fraction ofthe total computational power; this is addressed by Lemma 7.

Lemma 7. A ∆-bounded network latency with an adversary that holds an α-fraction of total computationalpower of the network is equivalent to a 0-bounded network latency with an adversary that holds a 2α∆+α

2α∆+1 -fraction of the total computational power of the network.

Proof. Recall from Section 1.1, the fraction of computational power with an adversary is α-times the totalcomputational power of the network. Given the ∆-bounded delay in the network, the adversary has 2∆ + 1rounds to perform evaluations. Fix a time time step during an epoch. Suppose P is the total computational

17

power of the network at that time step. Then, the number of evaluations of the hash function an adversarycan make is Pα(2∆ + 1)µ.

Note that the computational power of the good IDs remains the same, which is P (1 − α)µ since theyobey the protocol, and we assume that the bounded delay only benefits the adversary. Thus, the ∆-boundeddelay model is equivalent to the 0-bounded delay model with an adversary who holds a 2α∆+α

2α∆+1 -fraction ofthe computational power.

Lemma 8. Assume a ∆-bounded delay and an adversary that holds an α-fraction of computational power,for α ≤ 1/(10∆ + 6). With probability at least 1 − O(1/nγ+1

0 ), the fraction of good IDs in the committeeexceeds 1/2 for the duration of the epoch.

Proof. From Lemma 7, the ∆-bounded delay is equivalent to a 0-bounded delay with an adversary that holdsa 2α∆+α

2α∆+1 -fraction of computational power of the network. By Lemma 1, for a 0-bounded delay model withan adversary that holds an α′-fraction of the computational power for α′ ≤ 1/6, the fraction of good IDsexceeds 7/10. Substituting α′ = 2α∆+α

2α∆+1 , the ∆-bounded delay model with an α-fraction of computationalpower has at least 7/10-fraction of good IDs, for α ≤ 1/(10∆ + 6).

2.9.2 In ECCOM

In ECCOM, the purge puzzle is triggered when |(S ′ ∪ S ′old) − (S ′ ∩ S ′old)| ≥ |S ′old|/4. Due to ∆-boundednetwork latency, the adversary can choose to delay the departure notifications from the good IDs by ∆rounds, thereby delaying the detection of the need to purge. This may jeopardize the Population Goal andwe address this issue here.

Recall from Section 1.1 that the maximum fraction of good IDs that can depart in a round is ε0. Hence,the maximum fraction of good IDs that can depart in ∆-rounds is ∆ε0. In order to satisfy the Populationgoal, it is required that purge puzzles be issued when |(S ′ ∪ S ′old)− (S ′ ∩ S ′old)| ≥ |S ′old|(1/4− ε0∆). Due tothis modification, our computational and bandwidth costs will be increased by at most a constant factor.

3 Empirical Validation

We simulate CCOM to evaluate its performance against a well-known PoW scheme named SYBILCON-TROL [105]. The experiments allow us to (1) compare the computational cost incurred by the good IDsand (2) investigate the extent to which a Sybil Attack can impact the fraction of good IDs under these twoalgorithms.

Our goal is to offer a proof of concept, not a full-fledged comparison. To this end, we simulate acentralized version of CCOM from our preliminary work in [82]. In this version, the committee is replacedby a single server that assumes the duties of the committee; the server unilaterally generates the randomstring r and verifies solutions to entrance and purge puzzles (the use of membership intervals in Step 2 ofCCOM is no longer needed; recall Section 2.3.3). This approach greatly reduces the number of parametersthat we need to correctly estimate for our simulations, and it allows us to focus on obtaining a first-orderapproximation of the system. Because the distributed version has asymptotically equal resource costs, weexpect similar performance for the distributed algorithm.Overview of SYBILCONTROL. Under this algorithm, the number of bad IDs are limited through the useof computational puzzles. Each ID must solve a puzzle to join the system. Additionally, each ID tests itsneighbors every 5 seconds with a puzzle, removing those IDs from its list of neighbors that failed to provide asolution within a time limit. It may be the case that an ID is a neighbor to more than one ID and thus, receivesmultiple puzzles to solve simultaneously; in this case, they are combined into a single puzzle whose solutionsatisfies all the received puzzles. We implement our own simulation of the SYBILCONTROL algorithm.

18

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 6Time (in seconds) #105

0

1

2

3

4

5

6

7

8 #105 Computational Cost to Good IDs

SybilControlCCOM & SybilControl

(a)

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 6Time (in seconds) #105

100

105

1010

Cumulative Computational Cost to Good IDs

SybilControlCCOM

(b)

Figure 4: Computational cost and cumulative computational for good IDs in absence ofan attack using the Bitcoin Dataset.

This comparison is not a straw man. SYBILCONTROL, with its perpetual resource burning, is typicalof existing PoW-based schemes; see Section 1.4 for examples. One may consider enhancing SYBILCON-TROL via anomaly-detection techniques to determine when to use puzzle challenges. However, bad IDs canhide by obeying protocol until an opportunity to attack presents itself. Thus, such an approach is unlikely toprovide acceptable security guarantees.

Points of Comparison. To compare both algorithms fairly, we assume that the computational cost for solvinga single PoW is 1 for both algorithms. Since in both algorithms require that a new ID solves a puzzle to jointhe system, we refrain from measuring this computational cost. We let the fraction of computational powerof the adversary, g

α be the same for both algorithms. We perform Monte-Carlo Simulations for generatingplots for Section 3.2 and 3.3, where each observed value is averaged over 20 separate simulations.

We first examine performance on real-world Bitcoin data [125, 126] in Section 3.1. In Section 3.2,we present a comparative study on three real-world peer-to-peer networks, namely - BitTorrent, Skype andBitcoin [81, 125, 126, 148] . Finally, we study the effect of joins and departures on the two algorithmspresented in Section 3.3, where we simulate session lengths governed by Weibull Distribution.

3.1 The Bitcoin Network

We simulate SYBILCONTROL and CCOM on a real-world dataset for the Bitcoin Network [124]. This dataconsists of roughly 1 week of join/departure event timestamps.6

The computational cost is examined under two scenarios: (1) in the absence of bad IDs (i.e., no attack)and (2) when bad IDs are present (i.e., an attack). For our experiments, we assume that α = 1/10.

For scenario (1), we assume all events in the dataset are the result of good IDs joining/departing thesystem. In Figure 4(a), the dense green area signifies the high frequency of computational cost paid bygood IDs in SYBILCONTROL in comparison to the increasingly-spaced blue plot for CCOM. Figure 4(b)shows the cumulative computational cost to the good IDs for SYBILCONTROL and CCOM in this scenario.Importantly, the cumulative cost to the good IDs is less by roughly 4 orders of magnitude after 13hours of simulation time, and this gap continues to widen with time; note the logarithmic y-axis. This resultdemonstrates that our resource-competitive solution can be efficient in the absence of attack.

6The method of collection uses ongoing crawls from multiple seed machines in the Bitcoin network and captures IP addressesof reachable participants at 5-minute intervals. Data obtained by personal correspondence with Till Neudecker (coauthor on [124]).

19

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 6Time (in seconds) #105

0

1

2

3

4

5

6

7

8 #105 Computational Cost

SybilControlCCOM & SybilControlAdversary

(a)

0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 6Time (in seconds) #105

100

105

1010

Cumulative Computational Cost

SybilControlCCOMAdversary

(b)

Figure 5: Computational cost and cumulative computational cost versus time under alarge-scale attack using the Bitcoin Dataset.

For scenario (2), the same join and departure events occur as in scenario (1), but additionally an aggres-sive attack is orchestrated using the following adversarial strategy. From time t/3 seconds to 2t/3 seconds,where t = 604, 970, every 5 seconds, the adversary adds a number of bad IDs that is a 1/3 fraction of thecurrent system size. We note that the plot is over roughly 7 days. Given this attack, a computational test istriggered in both algorithms every 5 seconds, which aligns with the periodic testing in SYBILCONTROL.

In Figure 5(a), the dense green region represents the computational cost paid by the good IDs in SYBIL-CONTROL, the dense blue region represents that paid by good IDs in CCOM and the red region by theadversary. Due to the setup of the stress test, the computational cost paid by good IDs in both the algorithmsfrom t

3 to 2t3 , is equivalent, thus the blue region overlaps the green. Figure 5(b) depicts the cumulative cost

to the good IDs for SYBILCONTROL, CCOM, and the adversary, and we make two observations. First, thecost of CCOM is less than that of SYBILCONTROL. Second, CCOM’s cost is indeed a function of the costpaid by the adversary; in contrast, without a resource-competitive guarantee, SYBILCONTROL’s cost growsat a significantly faster rate (again, note the logarithmic y-axis).

3.2 Application to BitTorrent and Skype

BTDebian BTFlatOut SkypeSN Bitcoin

100

102

104

Computational Cost to Good IDs per Unit TimeSybilControlCCOM

Figure 6: Computational Cost per unitTime for Peer-to-Peer Networks.

To illustrate the savings obtained by our approach inadditional network settings when there is no attack,we compare performance on three different networks,namely BitTorrent, Skype and Bitcoin. For Skype, weconsider the network of supernodes; we refer to this bySkypeSN. For BitTorrent, we performed experiments ontwo BitTorrent overlays associated with (i) Debian ISOimages, and (ii) a demo of the game FlatOut; we refer tothese as BTDebian and BTFlatOut, respectively.

For each network, respective session times are dic-tated by a Weibull distribution with parameters set ac-cording to the empirical findings in [81, 124, 148]. Theshape (k) and scale (λ) parameter values of Weibull Dis-tribution for session time of k = 0.38 and λ = 42.2 forDebian, and k = 0.59 and λ = 41.9 for FlatOut. The Skype supernodes had also have a Weibull Distribu-tion for session time with median session time of 5.5 hours, and shape parameter of 0.64. We generate the

20

0 2000 4000 6000 8000 10000Average Session Time (in seconds)

0

1000

2000

3000

4000

5000Comp. Cost to good IDs per unit time

SybilControlCCOM

(a)

0 2000 4000 6000 8000 10000Average Session Time (in seconds)

0

10

20

30

40

50

60

70

80Max. percentage of sybil IDs in the network

SybilControlCCOM

(b)

Figure 7: Computational Cost per unit time and Maximum Percentage of bad IDs insystem versus Average Session length.

session time for 10,000 good IDs from these parameter values and sample for the bitcoin network from thereal-world data obtained from [125, 126].

The computational cost to the good IDs per unit time is plotted for SYBILCONTROL and CCOM inFigure 6. Note again the logarithmic y-axis. We observe that CCOM outperforms SYBILCONTROL in allfour cases in terms of computational costs of the network. CCOM outperforms SYBILCONTROL by 34.5%in BitTorrent Debian, by 45.6% in BitTorrent FlatOut, by 99.9% in Skype Supernodes and 83.9% in Bitcoin.We use the following definition of performance: 100 ·

(1− CCOM

SYBILCONTROL

).

3.3 Effect of Joins and Departures

We examine the effect of churn on the performance of CCOM versus SYBILCONTROL. Intuitively, CCOM shouldperform best relative to SYBILCONTROL when the churn is low since purges will be infrequent (whereasSYBILCONTROL is continually performing tests every 5 seconds). In contrast, under significant churn, theperformance gap between these two algorithms may narrow. Furthermore, when there is significant churn,SYBILCONTROL may be unable to limit the number of bad IDs given that a 5-second interval between testsis insufficient. In this section, we present the results of our experiments in order to better understand theseaspects of performance.

Empirical studies of session lengths in many overlay networks indicate that the Weibull Distribution [159]is a better fit than the often-used Poisson Distribution [148]. Hence, in our experiments, we used the Weibulldistribution to generate the session lengths of IDs.

The average session length ranged from as low as 0.1 seconds to 10, 000 seconds. The system wasinitialized with 10, 000 good IDs and the simulations were carried out until 15, 000 new IDs joined thenetwork. Each new ID could be good or bad with probability 0.5. For each value of average session length,we took the mean of our observations over 30 runs.

Our results are depicted in Figure 7. With the increase in the average session length (on the order ofhours), CCOM is able to give similar guarantees as SYBILCONTROL in terms of the maximum percentageof bad IDs in the system at much lower computation cost to the good IDs. On the other hand, when sessionlength are small (order of minutes), CCOM is able to maintain a constant percentage of bad IDs in thesystem whereas SYBILCONTROL is not able to give any such guarantees; indeed, the percentage of bad IDscan become unbounded.

21

4 Applications

4.1 Scalable Byzantine Consensus

The problem of Byzantine Consensus (BC) was introduced by Lamport, Shostak and Pease [103]; thisproblem is also referred to as Byzantine Agreement. There are n IDs, of which some hidden subset are bad.These bad IDs may deviate from a prescribed algorithm in an arbitrary way. The remaining IDs are good,and will follow our algorithm faithfully. Each good ID has an initial input bit. The goal is for (1) all goodIDs to decide on the same bit; and (2) this bit to equal the input bit of at least one good ID.

Byzantine consensus enables the creation of a reliable system from unreliable components. Therefore, itis not surprising that BC is used in areas as diverse as: maintaining blockchains [32, 42, 65, 77]; trustworthycomputing [35, 37, 39, 44, 46, 101, 145]; P2P networks [3, 128]; and databases [117, 133, 169]

A major shortcoming of current algorithms for BC is that they do not scale. For example, Rhea et al.write: “Unfortunately, Byzantine agreement requires a number of messages quadratic in the number ofparticipants, so it is infeasible for use in synchronizing a large number of replicas” [136] (see also [49],[43]). This quadratic message cost hinders deployment in modern systems where the number of participantscan be large.

Recent results reduce the total number of messages to O(n3/2) [95, 96]. However, these algorithms (1)have high cost in practice; (2) are complicated to implement; and (3) require non-constructive combinatorialobjects such as expander graphs.

How Our Result Applies. Our result allows us to reduce the communication cost for BC. The bad IDs areagain incarnated as a single adversary with equivalent computational power. Each good participant has asingle ID, while the adversary is not constrained in its creation of IDs.

The members of the committee execute any BC algorithm that requires a quadratic number of messages;this implies a message cost of O(log2 n) generated by the committee. The committee then diffuses thesigned consensus value to all other IDs. On receiving these agreed upon values from their committee mem-bers, the non-committee members take the majority of these verified consensus values. Since committee hasa majority of good members, this results in all IDs holding the correct consensus value.

In this way, we are able to solve traditional BC with O(n) number of messages in total. Additionally,we can solve a dynamic version of BC, where IDs are joining and leaving, and can do so with computationalcost to the good IDs that is commensurate with the cost incurred by the adversary.

4.2 ELASTICO: Committee Election

ELASTICO is a secure protocol [109], which aims to achieve agreement on a set of transactions in ablockchain i.e., the state of the blockchain. Informally, the core idea is to partition the system into smallerfragments called committees, where each committee executes a BC protocol to agree upon its set of trans-actions. Then, the committee that was formed last — referred to as the final committee — computes thefinal digest of all transactions in the system; these transactions having been received from other committees.This final digest is broadcast to all other participants in the system.

How Our Result Applies. In order to reduce message cost, ELASTICO makes use of a special committeereferred to as the directory committee (DC), which coordinates the formation of all other committees. Wepropose the election of the DC using CCOM with the last portion of Line 1 is amended: there is no needfor the committee to verify solutions or maintain S (recall Section 2.3.1). This ensures the CommitteeGoal and our cost results; that is, we can guarantee that (1) the committee contains a majority of goodIDs for a polynomial number of join and leave events; and (2) bandwidth and computational costs growcommensurately with the costs of the adversary.

22

5 Conclusion

We have described algorithms to efficiently use PoW computational puzzles to reduce the fraction of badIDs in open systems. Unlike previous work, our algorithms require the good IDs to expend computationalresources that grow only linearly with the computational resources expended by the adversary. In particular,assume the adversary incurs computational cost TC and sends TB messages, and that gnew good IDs enter thesystem. Then our algorithm requires O(TC + gnew) computational cost and sends O(TB + gnew) messages.

Many open problems remain. An immediate question is whether we can improve the asymptotic costsfor our algorithm, or prove a lower bound of Ω(T+gnew). Our intuition is that the former is possible, althoughproving this appears to be non-trivial. For example, in order to reduce the frequency with which ByzantineConsensus is solved, a plausible approach is to adopt the concept of a core set from [92]. Informally, acore set captures the notion that good IDs can have different views of good committee members, but that asufficiently large overlap between these views exists such that correctness is still guaranteed.

One of particular interest is: Can we adapt our technique to secure multi-party computation? Theproblem of secure multi-party computation (MPC) involves designing an algorithm for the purpose ofcomputing the value of an n-ary function f over private inputs from n IDs x1, x2, ..., xn, such that the IDslearn the value of f(x1, x2, ..., xn), but learn nothing more about the inputs than what can be inferred fromthis output of f . The problem is generally complicated by the assumption that an adversary controls a hiddensubset of the IDs. In recent years, a number of attempts have been made to solve this problem for very largen manner [12, 23, 31, 51, 52, 55, 76]. We believe that our technique for forming committees in a dynamicnetwork could be helpful to solve a dynamic version of this problem, while ensuring that the resource coststo the good IDs is commensurate with the resource costs to an adversary.

As another avenue of future work, there are scenarios where it may be unreasonable to assume that“good” IDs always blindly follow our algorithm. Instead, these IDs may be rational but selfish, in that theyseek to optimize some known utility function. The adversary still behaves in a worst-case manner, capturingthe fact that the utility function of the adversary may be completely unknown. This approach is similar toBAR (Byzantine, Altruistic, Rational) games [45] in distributed computing, see also [1,5,106,151,152,161].Extending our result to accommodate this model is of interest.

Finally, there is a substantial body of literature on attack-resistant overlays; for example [8, 18–21, 67,80,84,99,121,122,140,141,143,163,164]. These results critically depend on the fraction of bad IDs alwaysbeing upper-bounded by a constant less than 1/2; however, there are only a handful of results that proposea method for guaranteeing this bound; see Section 1.4. A natural idea is to examine whether CCOM can beapplied to this setting in order to guarantee this bound (via the Population Goal).

References

[1] Ittai Abraham, Lorenzo Alvisi, and Joseph Y. Halpern. Distributed Computing Meets Game Theory:Combining Insights from Two Fields. SIGACT News, 42(2):69–76, June 2011.

[2] Ittai Abraham and Dahlia Malkhi. The Blockchain Consensus Layer and BFT. Bulletin of the EATCS:Distributed Computing Column, 2017.

[3] Atul Adya, William J. Bolosky, Miguel Castro, Gerald Cermak, Ronnie Chaiken, John R. Douceur,Jon Howell, Jacob R. Lorch, Marvin Theimer, and Roger P. Wattenhofer. FARSITE: Federated,Available, and Reliable Storage for Incompletely Trusted Environment. In 5th USENIX Symposiumon Operating Systems Design and Implementation (OSDI), pages 1–14, 2002.

23

[4] Abhinav Aggarwal, Varsha Dani, Thomas Hayes, and Jared Saia. Secure One-Way Interactive Com-munication. In Proceedings of the 15th International Conference on Distributed Computing andNetworking (ICDCN), 2017.

[5] Amitanand S. Aiyer, Lorenzo Alvisi, Allen Clement, Mike Dahlin, Jean-Philippe Martin, and CarlPorth. BAR Fault Tolerance for Cooperative Services. In Proceedings of the Twentieth ACM Sympo-sium on Operating Systems Principles (SOSP), pages 45–58, 2005.

[6] Alyssa Hertig. Ethereum’s Big Switch: The New Roadmap to Proof-of-Stake. https://www.coindesk.com/ethereums-big-switch-the-new-roadmap-to-proof-of-stake/.

[7] Amazon. Amazon Web Service (AWS). https://aws.amazon.com/.

[8] Emmanuelle Anceaume, Romaric Ludinard, Aina Ravoaja, and Francisco Vilar Brasileiro. PeerCube:A Hypercube-Based P2P Overlay Robust against Collusion and Churn. In Proceedings of the 2nd

IEEE International Conference on Self-Adaptive and Self-Organizing Systems (SASO), pages 15–24,2008.

[9] David P. Anderson. BOINC: A System for Public-Resource Computing and Storage. In Proceedingsof the 5th IEEE/ACM International Workshop on Grid Computing (GRID), pages 4–10, 2004.

[10] Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel JG Van Eeten, Michael Levi,Tyler Moore, and Stefan Savage. Measuring the Cost of Cybercrime. In The Economics of Informa-tion Security and Privacy, pages 265–300. Springer, 2013.

[11] Marcin Andrychowicz and Stefan Dziembowski. Pow-Based Distributed Cryptography with NoTrusted Setup. In Annual Cryptology Conference, pages 379–399. Springer, 2015.

[12] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. From secrecy to soundness: Efficient verifica-tion via secure computation. Automata, languages and Programming, pages 152–163, 2010.

[13] John Augustine, Anisur Rahaman Molla, Ehab Morsy, Gopal Pandurangan, Peter Robinson, and EliUpfal. Storage and Search in Dynamic Peer-to-peer Networks. In Proceedings of the Twenty-fifthAnnual ACM Symposium on Parallelism in Algorithms and Architectures (SPAA), pages 53–62, 2013.

[14] John Augustine, Gopal Pandurangan, and Peter Robinson. Fast Byzantine Agreement in DynamicNetworks. In Proceedings of the ACM Symposium on Principles of Distributed Computing (PODC),pages 74–83, 2013.

[15] John Augustine, Gopal Pandurangan, and Peter Robinson. Fast Byzantine Leader Election in Dy-namic Networks. In International Symposium on Distributed Computing (DISC), pages 276–291.Springer, 2015.

[16] John Augustine, Gopal Pandurangan, Peter Robinson, Scott Roche, and Eli Upfal. Enabling Robustand Efficient Distributed Computation in Dynamic Peer-to-Peer Networks. In Proceedings of theIEEE 56th Annual Symposium on Foundations of Computer Science (FOCS), pages 350–369, 2015.

[17] John Augustine, Gopal Pandurangan, Peter Robinson, and Eli Upfal. Towards Robust and EfficientComputation in Dynamic Peer-to-peer Networks. In Proceedings of the Twenty-third Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pages 551–569, 2012.

[18] Baruch Awerbuch and Christian Scheideler. Group Spreading: A Protocol for Provably Secure Dis-tributed Name Service. In 31st International Colloquium on Automata, Languages, and Programming(ICALP), pages 183–195, 2004.

24

[19] Baruch Awerbuch and Christian Scheideler. Robust Random Number Generation for Peer-to-peerSystems. In 10th International Conference On Principles of Distributed Systems (OPODIS), pages275–289, 2006.

[20] Baruch Awerbuch and Christian Scheideler. Towards a Scalable and Robust DHT. In Proceedingsof the 18th ACM Symposium on Parallelism in Algorithms and Architectures (SPAA), pages 318–327,2006.

[21] Baruch Awerbuch and Christian Scheideler. Towards Scalable and Robust Overlay Networks. InProceedings of the 6th International Workshop on Peer-to-Peer Systems (IPTPS), page n. pag., 2007.

[22] Rida A Bazzi and Goran Konjevod. On the Establishment of Distinct Identities in Overlay Networks.In Proceedings 24th Annual ACM Symposium on Principles of Distributed Computing (PODC), pages312–320, 2005.

[23] Zuzana Beerliova-Trubıniova and Martin Hirt. Efficient multi-party computation with dispute control.In TCC, volume 3876, pages 305–328. Springer, 2006.

[24] Mihir Bellare and Phillip Rogaway. Random Oracles are Practical: A Paradigm for Designing Ef-ficient Protocols. In Proceedings of the 1st ACM Conference on Computer and CommunicationsSecurity (CCS), pages 62–73. ACM, 1993.

[25] Michael A. Bender, Jeremy T. Fineman, Seth Gilbert, and Maxwell Young. How to Scale ExponentialBackoff: Constant Throughput, Polylog Access Attempts, and Robustness. In Proceedings of the 27th

Annual ACM-SIAM Symposium on Discrete Algorithms (SODA), pages 636–654, 2016.

[26] Michael A. Bender, Jeremy T. Fineman, Mahnush Movahedi, Jared Saia, Varsha Dani, Seth Gilbert,Seth Pettie, and Maxwell Young. Resource-Competitive Algorithms. SIGACT News, 46(3):57–71,September 2015.

[27] BitcoinWiki. BitcoinWiki Network. https://en.bitcoin.it/wiki/Network#Standard_relaying.

[28] BitcoinWiki. Mining Hardware Comparison, 2016. https://en.bitcoin.it/wiki/Mining_hardware_comparison.

[29] BitcoinWiki. Non-Specialized Hardware Comparison, 2016. https://en.bitcoin.it/wiki/Non-specialized_hardware_comparison.

[30] Blockstack. Blockstack: The New Decentralized Internet, 2017. https://blockstack.org/.

[31] Peter Bogetoft, Dan Lund Christensen, Ivan Damgard, Martin Geisler, Thomas P Jakobsen, MikkelKrøigaard, Janus Dam Nielsen, Jesper Buus Nielsen, Kurt Nielsen, Jakob Pagter, et al. Secure mul-tiparty computation goes live. In Financial Cryptography, volume 5628, pages 325–343. Springer,2009.

[32] Joseph Bonneau, Andrew Miller, Jeremy Clark, Arvind Narayanan, Joshua A. Kroll, and Edward W.Felten. SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies. In Proceedingsof the IEEE Symposium on Security and Privacy (SP), pages 104–121, 2015.

[33] Nikita Borisov. Computational Puzzles As Sybil Defenses. In Proceedings of the Sixth IEEE Inter-national Conference on Peer-to-Peer Computing (P2P), pages 171–176, 2006.

25

[34] Edward Bortnikov, Maxim Gurevich, Idit Keidar, Gabriel Kliot, and Alexander Shraer. Brahms:Byzantine Resilient Random Membership Sampling. In Proceedings of the 27th ACM Symposium onPrinciples of Distributed Computing (PODC), pages 145–154, 2008.

[35] Christian Cachin and Jonathan A. Poritz. Secure Intrusion-Tolerant Replication on the Internet. InProceedings of the International Conference on Dependable Systems and Networks (DSN), pages167–176, 2002.

[36] Ran Canetti. Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information.In Proceedings of the Annual International Cryptology Conference, pages 455–469. Springer, 1997.

[37] Miguel Castro and Barbara Liskov. Practical Byzantine Fault Tolerance. Operating Systems Review,33:173–186, 1998.

[38] Miguel Castro and Barbara Liskov. Byzantine Fault Tolerance Can Be Fast. In International Confer-ence on Dependable Systems and Networks, pages 513–518, 2001.

[39] Miguel Castro and Barbara Liskov. Practical Byzantine Fault Tolerance and Proactive Recovery.ACM Transactions on Computer Systems (TOCS), 20(4):398–461, 2002.

[40] Abhishek Chandra and Jon Weissman. Nebulas: Using Distributed Voluntary Resources to BuildClouds. In Proceedings of the 2009 Conference on Hot Topics in Cloud Computing (HotCloud),2009.

[41] Wu chang Feng, Ed Kaiser, Wu chi Feng, and Antoine Luu. The Design and Implementation ofNetwork Puzzles. In Proceedings of the Annual Joint Conference of IEEE Computer and Communi-cations Societies (INFOCOM), pages 2372–2382, 2005.

[42] Jing Chen and Silvio Micali. ALGORAND. CoRR, abs/1607.01341v9, 2016.

[43] Chien-Fu Cheng, Shu-Ching Wang, and Tyne Liang. The Anatomy Study of Server-Initial Agreementfor General Hierarchy Wired/Wireless Networks. Computer Standards & Interfaces, 31(1):219 – 226,2009.

[44] Allen Clement, Mirco Marchetti, Edmund Wong, Lorenzo Alvisi, and Mike Dahlin. Byzantine FaultTolerance: The Time is Now. In Proceedings of the Second Workshop on Large-Scale DistributedSystems and Middleware (LADIS), pages 1–4, 2008.

[45] Allen Clement, Jeff Napper, Harry Li, Jean-Philipe Martin, Lorenzo Alvisi, and Michael Dahlin. The-ory of BAR Games. In Proceedings of the 26th Annual ACM Symposium on Principles of DistributedComputing (PODC), pages 358–359, 2007.

[46] Allen Clement, Edmund Wong, Lorenzo Alvisi, Mike Dahlin, and Mirco Marchetti. Making Byzan-tine Fault Tolerant Systems Tolerate Byzantine Faults. In Proceedings of the Sixth USENIX Sympo-sium on Networked Systems Design and Implementation (NSDI), pages 153–168, 2009.

[47] CoinDesk. Think Tank Reignites Debate Over Bitcoin Mining’s Environmental Effects. 2015. http://www.coindesk.com/think-tank-debate-bitcoin-mining-environment/.

[48] Chain Core. Chain Core, 2017. https://chain.com/.

[49] James Cowling, Daniel Myers, Barbara Liskov, Rodrigo Rodrigues, and Liuba Shrira. HQ Replica-tion: A Hybrid Quorum Protocol for Byzantine Fault Tolerance. In Proceedings of the Third USENIXSymposium on Operating Systems Design and Implementation (OSDI), pages 177–190, 1999.

26

[50] Kyle Croman, Christian Decker, Ittay Eyal, Adem Efe Gencer, Ari Juels, Ahmed Kosba, AndrewMiller, Prateek Saxena, Elaine Shi, Emin Gun Sirer, et al. On scaling decentralized blockchains. InInternational Conference on Financial Cryptography and Data Security, pages 106–125. Springer,2016.

[51] Ivan Damgard and Yuval Ishai. Scalable secure multiparty computation. In Crypto, volume 4117,pages 501–520. Springer, 2006.

[52] Ivan Damgard, Yuval Ishai, Mikkel Krøigaard, Jesper Nielsen, and Adam Smith. Scalable multipartycomputation with nearly optimal work and resilience. Advances in Cryptology–CRYPTO 2008, pages241–261, 2008.

[53] George Danezis, Chris Lesniewski-laas, M. Frans Kaashoek, and Ross Anderson. Sybil-ResistantDHT Routing. In Proceedings of the 10th European Symposium On Research In Computer Security(ESORICS), pages 305–318, 2005.

[54] Varsha Dani, Tom Hayes, Mahnush Movahedi, Jared Saia, and Maxwell Young. Interactive Commu-nication with Unknown Noise Rate. Information and computation, 2017.

[55] Varsha Dani, Valerie King, Mahnush Movahedi, and Jared Saia. Quorums quicken queries: Efficientasynchronous secure multiparty computation. In International Conference on Distributed Computingand Networking, pages 242–256. Springer, 2014.

[56] Varsha Dani, Mahnush Movahedi, Jared Saia, and Maxwell Young. Interactive Communication withUnknown Noise Rate. In Proceedings of the Colloquium on Automata, Languages, and Programming(ICALP), 2015.

[57] Dash. Dash is Digital Cash, 2017. (https://www.dash.org/.

[58] Murat Demirbas and Youngwhan Song. An RSSI-based Scheme for Sybil Attack Detection in Wire-less Sensor Networks. In Proceedings of the 2006 International Symposium on on World of Wireless,Mobile and Multimedia Networks (WOWMOM), pages 564–570, 2006.

[59] Jochen Dinger and Hannes Hartenstein. Defending the Sybil Attack in P2P Networks: Taxonomy,Challenges, and a Proposal for Self-Registration. In Proceedings of the First International Conferenceon Availability, Reliability and Security (ARES), pages 756–763, 2006.

[60] John Douceur. The Sybil Attack. In Proceedings of the Second International Peer-to-Peer Symposium(IPTPS), pages 251–260, 2002.

[61] Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer. Consensus in the presence of partial synchrony.Journal of the ACM (JACM), 35(2):288–323, 1988.

[62] Cynthia Dwork and Moni Naor. Pricing via Processing or Combatting Junk Mail. In Proceedingsof the 12th Annual International Cryptology Conference on Advances in Cryptology, pages 139–147,1993.

[63] The Economist. The Magic of Mining. 2015. www.economist.com/news/business/21638124-minting-digital-currency-has-become-big-ruthlessly-competitive-business-magic.

[64] Ethereum. Ethereum: Blockchain App. Program, 2016. https://www.ethereum.org/.

27

[65] Ittay Eyal, Adem Efe Gencer, Emin Gun Sirer, and Robbert Van Renesse. Bitcoin-NG: A ScalableBlockchain Protocol. In Proceedings of the 13th USENIX Symposium on Networked Systems Designand Implementation (NSDI), pages 45–59, 2016.

[66] Jarret Falkner, Michael Piatek, John P. John, Arvind Krishnamurthy, and Thomas Anderson. Profilinga Million User DHT. In 7th ACM SIGCOMM Conference on Internet Measurement, pages 129–134,2007.

[67] Amos Fiat, Jared Saia, and Maxwell Young. Making Chord Robust to Byzantine Attacks. In Pro-ceedings of the 13th European Symposium on Algorithms (ESA), pages 803–814, 2005.

[68] Juan Garay, Aggelos Kiayias, and Nikos Leonardos. The Bitcoin Backbone Protocol: Analysis andApplications. In Proceedings of 34th Annual International Conference on the Theory and Applica-tions of Cryptographic Techniques (EUROCRYPT), pages 281–310, 2015.

[69] Stephanie Gil, Swarun Kumar, Mark Mazumder, Dina Katabi, and Daniela Rus. Guaranteeing Spoof-Resilient Multi-Robot Networks. In Proceedings of Robotics: Science and Systems, Rome, Italy, July2015.

[70] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scal-ing Byzantine Agreements for Cryptocurrencies. In Proceedings of the 26th Symposium on OperatingSystems Principles (SOSP), pages 51–68, 2017.

[71] Seth Gilbert, Valerie King, Seth Pettie, Ely Porat, Jared Saia, and Maxwell Young. (Near) OptimalResource-Competitive Broadcast with Jamming. In Proceedings of the 26th ACM Symposium onParallelism in Algorithms and Architectures (SPAA), pages 257–266, 2014.

[72] Seth Gilbert, Valerie King, Jared Saia, and Maxwell Young. Resource-Competitive Analysis: A NewPerspective on Attack-Resistant Distributed Computing. In Proceedings of the 8th ACM InternationalWorkshop on Foundations of Mobile Computing, 2012.

[73] Seth Gilbert, Calvin Newport, and Chaodong Zheng. Who Are You? Secure Identities in Ad HocNetworks. In Proceedings of the 28th International Symposium on Distributed Computing (DISC),pages 227–242, 2014.

[74] Seth Gilbert and Maxwell Young. Making Evildoers Pay: Resource-Competitive Broadcast in SensorNetworks. In Proceedings of the 31th Symposium on Principles of Distributed Computing (PODC),pages 145–154, 2012.

[75] Seth Gilbert and Chaodong Zheng. SybilCast: Broadcast on the Open Airwaves. In Proceedingsof the 25th Annual ACM Symposium on Parallelism in Algorithms and Architectures (SPAA), pages130–139, 2013.

[76] Oded Goldreich. Secure multi-party computation. Manuscript. Preliminary version, pages 86–97,1998.

[77] Sergey Gorbunov and Silvio Micali. Democoin: A Publicly Verifiable and Jointly Serviced Cryp-tocurrency. Cryptology ePrint Archive, Report 2015/521, 2015. http://eprint.iacr.org/2015/521.

[78] Jeff Green, Joshua Juen, Omid Fatemieh, Ravinder Shankesi, Dong Jin, and Carl A. Gunter. Recon-structing Hash Reversal Based Proof of Work Schemes. In Proceedings of the 4th USENIX Confer-ence on Large-scale Exploits and Emergent Threats (LEET), pages 10–10, 2011.

28

[79] Charles Miller Grinstead and James Laurie Snell. Introduction to probability. American Mathemati-cal Soc., 2012.

[80] Rachid Guerraoui, Florian Huc, and Anne-Marie Kermarrec. Highly Dynamic Distributed Computingwith Byzantine Failures. In Proceedings of the 2013 ACM Symposium on Principles of DistributedComputing (PODC), pages 176–183, 2013.

[81] Saikat Guha and Neil Daswani. An Experimental Study of the Skype Peer-to-peer VoIP System.Technical report, Cornell University, 2005.

[82] Diksha Gupta, Jared Saia, and Maxwell Young. Proof of Work Without All the Work. In Proceedingsof the 19th International Conference on Distributed Computing and Networking (ICDCN), 2018.

[83] Hashcat. Benchmark Results, 2016. http://thepasswordproject.com/oclhashcat_benchmarking.

[84] Kristen Hildrum and John Kubiatowicz. Asymptotically Efficient Approaches to Fault-Tolerance inPeer-to-peer Networks. In Proceedings of the 17th International Symposium on Distributed Comput-ing, pages 321–336, 2004.

[85] Ruomu Hou, Irvan Jahja, Loi Luu, Prateek Saxena, and Haifeng Yu. Randomized view reconciliationin permissionless distributed systems. 2017.

[86] IOTA. IOTA: The Economy of Things, 2017. http://iota.org/.

[87] Yves Igor Jerschow and Martin Mauve. Modular Square Root Puzzles: Design of Non-Parallelizableand Non-Interactive Client Puzzles. Computers and Security, 35:25–36, June 2013.

[88] Havard Johansen, Andr Allavena, and Robbert van Renesse. Fireflies: Scalable Support for Intrusion-Tolerant Network Overlays. In ACM SIGOPS Operating Systems Review, pages 3–13, 2006.

[89] R. John, J. P. Cherian, and J. J. Kizhakkethottam. A Survey of Techniques to Prevent Sybil Attacks.In Proceedings of the International Conference on Soft-Computing and Networks Security (ICSNS),pages 1–6, 2015.

[90] Ed Kaiser and Wu chang Feng. Mod kaPoW: Mitigating DoS with Transparent Proof-of-Work. InProceedings of the 2007 ACM CoNEXT Conference, pages 74:1–74:2, 2007.

[91] Apu Kapadia and Nikos Triandopoulos. Halo: High-Assurance Locate for Distributed Hash Tables.In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2008.

[92] Bruce Kapron, David Kempe, Valerie King, Jared Saia, and Vishal Sanwalani. Fast AsynchronousByzantine Agreement and Leader Election with Full Information. In Proceedings of the Symposiumon Discrete Algorithms (SODA), pages 1038–1047, 2008.

[93] Ghassan O. Karame and Srdjan Capkun. Low-Cost Client Puzzles Based on Modular Exponentiation.In Proceedings of the 15th European Conference on Research in Computer Security (ESORICS),pages 679–697, 2010.

[94] Jonathan Katz, Andrew Miller, and Elaine Shi. Pseudonymous secure computation from time-lockpuzzles. 2014.

29

[95] Valerie King and Jared Saia. Breaking the O(n2) Bit Barrier: Scalable Byzantine Agreement withan Adaptive Adversary. In Proceedings of the 29th ACM Symposium on Principles of DistributedComputing (PODC), pages 420–429, 2010.

[96] Valerie King and Jared Saia. Breaking the O(n2) Bit Barrier: Scalable Byzantine Agreement with anAdaptive Adversary. Journal of the ACM (JACM), 58(4), 2011.

[97] Valerie King, Jared Saia, Vishal Sanwalani, and Erik Vee. Scalable Leader Election. In Proceedingsof the 17th Annual ACM-SIAM Symposium on Discrete Algorithm (SODA), pages 990–999, 2006.

[98] Valerie King, Jared Saia, and Maxwell Young. Conflict on a Communication Channel. In Proceedingsof the 30th Symposium on Principles of Distributed Computing (PODC), pages 277–286, 2011.

[99] Jeffrey Knockel, George Saad, and Jared Saia. Self-Healing of Byzantine Faults. In Proceedingsof the International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS),pages 98–112, 2013.

[100] Neal Koblitz and Alfred J Menezes. The Random Oracle Model: A Twenty-Year Retrospective.Designs, Codes and Cryptography, 77(2-3):587–610, 2015.

[101] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. Zyzzyva:Speculative Byzantine Fault Tolerance. In Proceedings of 21st ACM SIGOPS Symposium on Operat-ing Systems Principles, pages 45–58, 2007.

[102] John Kubiatowicz, David Bindel, Yan Chen, Steven Czerwinski, Patrick Eaton, Dennis Geels, Ra-makrishna Gummadi, Sean Rhea, Westley Weimer Hakim Weatherspoon, Chris Wells, and Ben Zhao.OceanStore: An Architecture for Global-Scale Persistent Storage. In 9th International Conferenceon Architectural Support for Programming Languages and Operating Systems (ASPLOS), 2000.

[103] Leslie Lamport, Robert Shostak, and Marshall Pease. The Byzantine Generals Problem. ACM Trans-actions on Programming Languages and Systems (TOPLAS), 4(3):382–401, 1982.

[104] Chris Lesniewski-Laas and M. Frans Kaashoek. Whanau: A Sybil-Proof Distributed Hash Table.In Proceedings of the 7th USENIX Conference on Networked Systems Design and Implementation,NSDI’10, pages 8–8, 2010.

[105] Frank Li, Prateek Mittal, Matthew Caesar, and Nikita Borisov. SybilControl: Practical Sybil Defensewith Computational Puzzles. In Proceedings of the Seventh ACM Workshop on Scalable TrustedComputing, STC ’12, pages 67–78, 2012.

[106] Harry C. Li, Allen Clement, Edmund L. Wong, Jeff Napper, Indrajit Roy, Lorenzo Alvisi, and MichaelDahlin. BAR Gossip. In Proceedings of the 7th Symposium on Operating Systems Design andImplementation, OSDI ’06, pages 191–204, 2006.

[107] litecoin. litecoin: Global Decentralized Currency, 2017. https://litecoin.org/.

[108] Y. Liu, D. R. Bild, R. P. Dick, Z. M. Mao, and D. S. Wallach. The Mason Test: A Defense AgainstSybil Attacks in Wireless Networks Without Trusted Authorities. IEEE Transactions on MobileComputing, 14(11):2376–2391, 2015.

[109] Loi Luu, Viswesh Narayanan, Chaodong Zheng, Kunal Baweja, Seth Gilbert, and Prateek Saxena. ASecure Sharding Protocol For Open Blockchains. In Proceedings of the 2016 ACM SIGSAC Confer-ence on Computer and Communications Security (CCS), pages 17–30, 2016.

30

[110] Ivan Martinovic, Frank A. Zdarsky, Matthias Wilhelm, Christian Wegmann, and Jens B. Schmitt.Wireless Client Puzzles in IEEE 802.11 Networks: Security by Wireless. In Proceedings of the FirstACM Conference on Wireless Network Security, WiSec ’08, pages 36–45, 2008.

[111] Andrew Miller and Joseph J LaViola Jr. Anonymous Byzantine Consensus from Moderately-HardPuzzles: A Model for Bitcoin. 2014. https://socrates1024.s3.amazonaws.com/consensus.pdf.

[112] Andrew Miller, James Litton, Andrew Pachulski, Neil Spring, Neal Gupta, Dave Levin, and BobbyBhattacharjee. Discovering Bitcoin’s Public Topology and Influential Nodes, 2015. http://cs.umd.edu/projects/coinscope/coinscope.pdf.

[113] Michael Mitzenmacher and Eli Upfal. Probability and Computing: Randomization and ProbabilisticTechniques in Algorithms and Data Analysis. Cambridge university press, 2017.

[114] Abedelaziz Mohaisen, Huy Tran, Abhishek Chandra, and Yongdae Kim. Trustworthy distributedcomputing on social networks. In Proceedings of the 8th ACM SIGSAC Symposium on Information,Computer and Communications Security, ASIA CCS ’13, pages 155–160, 2013.

[115] Aziz Mohaisen and Scott Hollenbeck. Improving Social Network-Based Sybil Defenses by Rewiringand Augmenting Social Graphs. In Proceedings of the 14th International Workshop on InformationSecurity Applications (WISA), pages 65–80, 2014.

[116] Aziz Mohaisen and Joongheon Kim. The Sybil Attacks and Defenses: A Survey. Smart ComputingReview, 3(6):480–489, 2013.

[117] Hector Garcia Molina, Frank Pittelli, and Susan Davidson. Applications of Byzantine Agreement inDatabase Systems. ACM Transactions on Database Systems (TODS), 11:27–47, 1986.

[118] Diogo Monica, Jo ao Leitao, Luıs Rodrigues, and Carlos Ribeiro. On the Use of Radio ResourceTests in Wireless Ad-Hoc Networks. In Proceedings of the 3rd Workshop on Recent Advances onIntrusion-Tolerant Systems, pages F21–F26, 2009.

[119] Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System, 2008. http://bitcoin.org/bitcoin.pdf.

[120] A. Nambiar and M. Wright. Salsa: A Structured Approach to Large-Scale Anonymity. In Proceedingsof the 13th ACM Conference on Computer and Communications Security, pages 17–26, 2006.

[121] Moni Naor and Udi Wieder. A Simple Fault Tolerant Distributed Hash Table. In Proceedings of theSecond International Workshop on Peer-to-Peer Systems (IPTPS), pages 88–97, 2003.

[122] Moni Naor and Udi Wieder. Novel Architectures for P2P Applications: The Continuous-DiscreteApproach. In Fifteenth ACM Symposium on Parallelism in Algorithms and Architectures (SPAA),2003.

[123] Till Neudecker. Bitcoin Cash (BCH) Sybil Nodes on the Bitcoin Peer-to-Peer Network, 2017. http://dsn.tm.kit.edu/publications/files/332/bch_sybil.pdf.

[124] Till Neudecker, Philipp Andelfinger, and Hannes Hartenstein. A Simulation Model for Analysisof Attacks on the Bitcoin Peer-to-Peer Network. In Proceedings of the IFIP/IEEE InternationalSymposium on Integrated Network Management (IM), pages 1327–1332, 2015.

31

[125] Till Neudecker, Philipp Andelfinger, and Hannes Hartenstein. Timing analysis for inferring the topol-ogy of the bitcoin peer-to-peer network. In Proceedings of the 13th IEEE International Conferenceon Advanced and Trusted Computing (ATC), July 2016.

[126] Till Neudecker and Hannes Hartenstein. Could network information facilitate address clustering inbitcoin? In International Conference on Financial Cryptography and Data Security. springer, 2017.

[127] James Newsome, Elaine Shi, Dawn Song, and Adrian Perrig. The Sybil Attack in Sensor Networks:Analysis & Defenses. In Proceedings of the 3rd International Symposium on Information Processingin Sensor Networks (IPSN), pages 259–268, 2004.

[128] Oceanstore. The Oceanstore Project. http://oceanstore.cs.berkeley.edu.

[129] National Institute of Standards and Technology. Secure Hash Standard (SHS). http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf, 2015.

[130] Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, and Yih-Chun Hu. Portcullis:Protecting Connection Setup from Denial-of-Capability Attacks. ACM SIGCOMM Computer Com-munication Review, 37(4):289–300, 2007.

[131] Rafael Pass, Lior Seeman, and Abhi Shelat. Analysis of the blockchain protocol in asynchronousnetworks. In Annual International Conference on the Theory and Applications of CryptographicTechniques, pages 643–673. Springer, 2017.

[132] Rafael Pass and Elaine Shi. Hybrid consensus: Efficient consensus in the permissionless model. IACRCryptology ePrint Archive, 2016:917, 2016.

[133] Nuno Preguica, Rodrigo Rodrigues, Christovao Honorato, and Joao Lourenco. Byzantium:Byzantine-Fault-Tolerant Database Replication Providing Snapshot Isolation. In Proceedings of theFourth Conference on Hot Topics in System Dependability, page 9. USENIX Association, 2008.

[134] Primecoin. Primecoin: A New Type of Cryptocurrency Which is Proof-of-work Based on Searchingfor Prime Numbers, 2017. (http://primecoin.io/.

[135] Jothi Rangasamy, Douglas Stebila, Lakshmi Kuppusamy, Colin Boyd, and Juan Gonzalez Nieto.Efficient Modular Exponentiation-Based Puzzles for Denial-of-Service Protection, pages 319–331.Springer Berlin Heidelberg, 2012.

[136] Sean Rhea, Patrick Eaton, Dennis Geels, Hakim Weatherspoon, Ben Zhao, and John Kubiatowicz.Pond: The OceanStore prototype. In Proceedings of the 2nd USENIX Conference on File and StorageTechnologies, pages 1–14, 2003.

[137] Rodrigo Rodrigues and Petr Kouznetsov andBobby Bhattacharjee. Large-Scale Byzantine Fault Tol-erance: Safe but Not Always Live. In 3rd workshop on on Hot Topics in System Dependability,2007.

[138] Rodrigo Rodrigues and Barbara Liskov. Rosebud: A Scalable Byzantine-Fault-Tolerant Storage Ar-chitecture. Technical Report TR/932, MIT LCS, December 2003.

[139] Rodrigo Rodrigues, Barbara Liskov, and Liuba Shrira. The Design of a Robust Peer-to-Peer System.In 10th workshop on ACM SIGOPS European workshop, page 2002.

[140] George Saad and Jared Saia. Self-Healing Computation. In Proceedings of the International Sympo-sium on Stabilization, Safety, and Security of Distributed Systems (SSS), pages 195–210, 2014.

32

[141] Jared Saia and Maxwell Young. Reducing Communication Costs in Robust Peer-to-Peer Networks.Information Processing Letters, 106(4):152–158, 2008.

[142] Christian Scheideler and Stefan Schmid. A Distributed and Oblivious Heap, pages 571–582. 2009.

[143] Siddhartha Sen and Michael J. Freedman. Commensal Cuckoo: Secure Group Partitioning for Large-Scale Services. ACM SIGOPS Operating Systems, 46(1):33–39, February 2012.

[144] Micah Sherr, Matt Blaze, and Boon Thau Loo. Veracity: Practical Secure Network Coordinatesvia Vote-based Agreements. In Proceedings of the 2009 Conference on USENIX Annual TechnicalConference, USENIX’09, pages 13–13, 2009.

[145] SINTRA. SINTRA - Distributed Trust on the Internet. http://www.zurich.ibm.com/security/dti/.

[146] K. Srinathan and C. Pandu Rangan. Efficient asynchronous secure multiparty distributed computation.In INDOCRYPT 2000, Lecture Notes in Computer Science, volume 1977, pages 117–129. Springer-Verlag, 2000.

[147] Moritz Steiner, Taoufik En-Najjary, and Ernst W. Biersack. A Global View of KAD. In 7th ACMSIGCOMM Conference on Internet Measurement, pages 117 – 122, 2007.

[148] Daniel Stutzbach and Reza Rejaie. Understanding Churn in Peer-to-peer Networks. In Proceedingsof the 6th ACM SIGCOMM Conference on Internet Measurement (IMC), pages 189–202, New York,NY, USA, 2006. ACM.

[149] Ars Technica. Mining Bitcoins Takes Power, But is it an Environmental Disas-ter? 2013. http://arstechnica.com/business/2013/04/mining-bitcoins-takes-power-but-is-it-an-environmental-disaster/.

[150] Nguyen Tran, Bonan Min, Jinyang Li, and Lakshminarayanan Subramanian. Sybil-Resilient OnlineContent Voting. In Proceedings of the 6th USENIX Symposium on Networked Systems Design andImplementation (NSDI), pages 15–28, 2009.

[151] Xavier Vilaca, Oksana Denysyuk, and Luıs Rodrigues. Asynchrony and Collusion in the N-partyBAR Transfer Problem. In Proceedings of the 19th International Conference on Structural Informa-tion and Communication Complexity (SIROCCO), pages 183–194, 2012.

[152] Xavier Vilaca, Joao Leitao, Miguel Correia, and Luıs Rodrigues. N-Party BAR Transfer. In Pro-ceedings of the 15th International Conference on Principles of Distributed Systems (OPODIS), pages392–408, 2011.

[153] Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker. DDoSDefense by Offense. ACM Transactions on Computer Systems (TOCS), 28(1):3, 2010.

[154] Honghao Wang, Yingwu Zhu, and Yiming Hu. An Efficient and Secure Peer-to-Peer Overlay Net-work. In Proceedings of the IEEE Conference on Local Computer Networks, pages 764–771, 2005.

[155] L. Wang and J. Kangasharju. Real-World Sybil Attacks in BitTorrent Mainline DHT. In 2012 IEEEGlobal Communications Conference (GLOBECOM), pages 826–832, 2012.

[156] XiaoFeng Wang and Michael K. Reiter. Defending Against Denial-of-Service Attacks with PuzzleAuctions. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, page 78, 2003.

33

[157] Brent Waters, Ari Juels, Alex Halderman, and Edward Felten. New Client Puzzle Outsourcing Tech-niques for DoS Resistance. In Proceedings of the 11th ACM Conference on Computer and Commu-nications Security (CCS), pages 246–256, 2004.

[158] Wei Wei, Fengyuan Xu, Chiu C. Tan, and Qun Li. SybilDefender: A Defense Mechanism forSybil Attacks in Large Social Networks. IEEE Transactions on Parallel & Distributed Systems,24(12):2492–2502, 2013.

[159] Waloddi Weibull. Wide applicability. Journal of applied mechanics, 103(730):293–297, 1951.

[160] Jon B. Weissman, Pradeep Sundarrajan, Abhishek Gupta, Matthew Ryden, Rohit Nair, and AbhishekChandra. Early Experience with the Distributed Nebula Cloud. In Proceedings of the Fourth Inter-national Workshop on Data-intensive Distributed Computing (DIDC), pages 17–26, 2011.

[161] Edmund L. Wong, Joshua B. Leners, and Lorenzo Alvisi. It’s on Me! The Benefit of Altruism inBAR Environment. In Proceedings of the 24th International Conference on Distributed Computing(DISC), pages 406–420, 2010.

[162] Zhi Yang, Christo Wilson, Xiao Wang, Tingting Gao, Ben Y. Zhao, and Yafei Dai. Uncovering SocialNetwork Sybils in the Wild. In Proceedings of the 2011 ACM SIGCOMM Conference on InternetMeasurement Conference (IMC), pages 259–268, 2011.

[163] Maxwell Young, Aniket Kate, Ian Goldberg, and Martin Karsten. Practical Robust Communication inDHTs Tolerating a Byzantine Adversary. In Proceedings of the 30th IEEE International Conferenceon Distributed Computing Systems (ICDCS), pages 263–272, 2010.

[164] Maxwell Young, Aniket Kate, Ian Goldberg, and Martin Karsten. Towards Practical Communicationin Byzantine-Resistant DHTs. IEEE/ACM Transactions on Networking, 21(1):190–203, February2013.

[165] Haifeng Yu. Sybil Defenses via Social Networks: A Tutorial and Survey. SIGACT News, 42(3):80–101, October 2011.

[166] Haifeng Yu, Phillip B. Gibbons, Michael Kaminsky, and Feng Xiao. SybilLimit: A Near-OptimalSocial Network Defense Against Sybil Attacks. IEEE/ACM Trans. Netw., 18(3):885—898, June2010.

[167] Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, and Abraham Flaxman. SybilGuard: DefendingAgainst Sybil Attacks via Social Networks. Proceedings of the 2006 Conference on Applications,Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), 36:267–278, August 2006.

[168] Mahdi Zamani, Jared Saia, and Jedidiah Crandall. TorBricks: Blocking-Resistant Tor Bridge Dis-tribution. In International Symposium on Stabilization, Safety, and Security of Distributed Systems(SSS), pages 426–440. Springer, 2017.

[169] Wenbing Zhao. A Byzantine Fault Tolerant Distributed Commit Protocol. In Proceedings of the3rd IEEE International Symposium on Dependable, Autonomic and Secure Computing, pages 37–46,2007.

34