Basic Properties of the Blockchain: (Invited Talk)

J. Garay
DOI: 10.1145/3055518.3055519
Published in: Proceedings of the ACM Workshop on Blockchain, Cryptocurrencies and Contracts
Publication date: 2017-04-02
Citations: 3

Abstract

As the first decentralized cryptocurrency, Bitcoin [1] has ignited much excitement, not only for its novel realization of a central bank-free financial instrument, but also as an alternative approach to classical distributed computing problems, such as reaching agreement distributedly in the presence of misbehaving parties, as well as to numerous other applications: contracts, reputation systems, name services, etc. The soundness and security of these applications, however, hinges on a thorough understanding of the fundamental properties of its underlying blockchain data structure, which parties ("miners") maintain and try to extend by generating "proofs of work" (POW, aka "cryptographic puzzles"). In this talk we follow the approach introduced in [2], formulating such fundamental properties of the blockchain and then showing how applications such as consensus and a robust public transaction ledger can be built "on top" of them. The properties are as follows, assuming that the adversary's hashing power is strictly less than ½ (our analysis holds against arbitrary attacks) and high network synchrony:

Common prefix: The blockchains maintained by the honest parties possess a large common prefix. More specifically, if two honest parties "prune" (i.e., cut off) k blocks from the end of their local chains, the probability that the resulting pruned chains will not be mutual prefixes of each other drops exponentially in that parameter.

Chain quality: We show a bound on the ratio of blocks in the chain of any honest party contributed by malicious parties. In particular, as the adversary's hashing power approaches ½, we show that blockchains are only guaranteed to have few, but still some, blocks contributed by honest parties.

Chain growth: We quantify the number of blocks that are added to the blockchain during any given number of rounds during the execution of the protocol. (N.B.: This property, which in [2] was proven and used directly in the form of a lemma, was explicitly introduced in [3]. Identifying it as a separate property enables modular proofs of applications' properties.)

The above properties hold assuming that all parties, honest and adversarial, "wake up" and start computing at the same time, or, alternatively, that they compute on a common random string (the "genesis" block) made available only at the exact time when the protocol execution is to begin. In this talk we also consider the question of whether such a trusted setup/behavioral assumption is necessary, answering it in the negative by presenting a Bitcoin-like blockchain protocol that is provably secure without trusted setup and, further, overcomes the lack of such setup in a scalable way, i.e., with running time independent of the number of parties [4]. A direct consequence of our construction is that consensus can be solved directly by a blockchain protocol without trusted setup, assuming an honest majority (in terms of computational power).
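The three properties above, written as predicates one can evaluate on a single execution trace (an added example, not code from the talk or from [2]-[4]; the talk's guarantees are probabilistic over executions, whereas these functions only check whether a given trace satisfies each property for the chosen parameters k, mu, s and tau). The block labels, the "miner" annotation and the per-round chain lengths are constructed sample data.

```python
# Added example (not from the talk): the three backbone properties as
# checkable predicates over a constructed execution trace. A chain is a list
# of (label, miner) tuples; the miner tag is a constructed annotation used
# only to evaluate chain quality.
HONEST, ADV = "honest", "adversary"


def common_prefix_holds(chain_a, chain_b, k):
    """Common prefix (parameter k): after each party cuts k blocks off the end
    of its chain, one pruned chain must be a prefix of the other."""
    a = chain_a[:max(len(chain_a) - k, 0)]
    b = chain_b[:max(len(chain_b) - k, 0)]
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return long_[:len(short)] == short


def min_prune_for_common_prefix(chain_a, chain_b):
    """Smallest k at which common prefix holds, i.e. the depth of the fork."""
    return next(k for k in range(max(len(chain_a), len(chain_b)) + 1)
                if common_prefix_holds(chain_a, chain_b, k))


def chain_quality_holds(chain, length, mu):
    """Chain quality: every window of `length` consecutive blocks contains at
    least a mu fraction of honest blocks."""
    windows = (chain[i:i + length] for i in range(len(chain) - length + 1))
    return all(sum(b[1] == HONEST for b in w) / length >= mu for w in windows)


def chain_growth_holds(lengths_by_round, s, tau):
    """Chain growth: over any s consecutive rounds an honest party's chain grows
    by at least tau*s blocks; lengths_by_round[r] is the length after round r."""
    return all(lengths_by_round[r + s] - lengths_by_round[r] >= tau * s
               for r in range(len(lengths_by_round) - s))


# Constructed trace: both honest parties share five blocks; party 2 has then
# been fed a three-block adversarial fork in place of party 1's last two blocks.
COMMON = [("genesis", HONEST), ("b1", HONEST), ("b2", ADV), ("b3", HONEST), ("b4", HONEST)]
CHAIN_P1 = COMMON + [("b5", HONEST), ("b6", HONEST)]
CHAIN_P2 = COMMON + [("b5'", ADV), ("b6'", ADV), ("b7'", ADV)]
LENGTHS_P1 = [1, 1, 2, 2, 3, 4, 4, 5]  # constructed chain length after rounds 0..7

if __name__ == "__main__":
    print("common prefix, k=1:", common_prefix_holds(CHAIN_P1, CHAIN_P2, 1))  # False
    print("fork depth:", min_prune_for_common_prefix(CHAIN_P1, CHAIN_P2))     # 2
    print("chain quality, mu=1/4:", chain_quality_holds(CHAIN_P2, 4, 0.25))   # True
    print("chain growth, tau=1/2:", chain_growth_holds(LENGTHS_P1, 4, 0.5))   # True
```

With this trace, common prefix fails for k=1 and holds from k=2 on, which is exactly the depth of the adversarial fork; the window of four blocks ending in three adversarial blocks is what makes chain quality fail for mu=1/2.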