Security, Latency, and Throughput of Proof-of-Work Nakamoto Consensus

TL;DR

The study uncovers a fundamental trade-off between transaction throughput and confirmation latency, ultimately determined by the desired fault tolerance and the rate at which block propagation delay increases with block size.

Abstract

This paper investigates the fundamental trade-offs between block safety, confirmation latency, and transaction throughput of proof-of-work (PoW) longest-chain fork-choice protocols, also known as PoW Nakamoto consensus. New upper and lower bounds are derived for the probability of block safety violations as a function of honest and adversarial mining rates, a block propagation delay limit, and confirmation latency measured in both time and block depth. The results include the first non-trivial closed-form finite-latency bound applicable across all delays and mining rates up to the ultimate fault tolerance. Notably, the gap between these upper and lower bounds is narrower than previously established bounds for a wide range of parameters relevant to Bitcoin and its derivatives, including Litecoin and Dogecoin, as well as Ethereum Classic. Additionally, the study uncovers a fundamental trade-off between transaction throughput and confirmation latency, ultimately determined by the desired fault tolerance and the rate at which block propagation delay increases with block size.

Figures (11)

• Figure 1: An example of blocks and chains. Nonpublic blocks are shaded. Each adversarial block is marked by a pair of horns on top.
• Figure 2: Balancing candidates $b$ and $b'$ for target block $g$ and $g'$, respectively. Blocks on the same height are connected by dashed lines. Left: block $b$ becomes a balancing candidate upon its mining; its candidacy is $[t_b,t_b+\Delta]$. Right: block $b'$ becomes a candidate after a lower block $c$ is mined, in disagreement with block $b'$. Block $b'$ has a shorter candidacy $[t_c,t_{b'}+\Delta]$.
• Figure 3: An example of \ref{['eq:violates_aftertau']} in Lemma \ref{['lm:errorevent']}. Let the depth of confirmation $k=5$. Blocks $b$ and $e$ are on the same height. Block $b$ is the highest public chain at $s$ (block $g$'s parent is not yet public). The lead $L_s = 2$. Here $c$ and $f$ refer to the same block, i.e., $c=f$. At time $t_f$, block $g$ is $k$-confirmed by the highest chain $c$, as $h_c=h_g+k-1$. The highest disagreeing chain $z$ at $t_f$ is on height $h_z=h_g+2<h_c$. The (first) violation occurs at time $d=t_v$, when chain $v$ is mined, which is credible as $h_v=h_c$. Height $h_g+1$ is balanced, with $X^g_{t_f}=1$. A single jumper is mined during $(\tau,d-\Delta]$. Three A-blocks are mined during $(s,d]$. Therefore, we have $L_s+X_{t_f+\Delta}^g+A_{s,d}-J_{\tau,d-\Delta}= 5 = k$, i.e., \ref{['eq:violates_aftertau']} holds in this case.
• Figure 4: Bitcoin's safety versus confirmation time.
• Figure 5: ETC's safety versus confirmation time.

Theorems & Definitions (39)

• Definition 1: block
• Definition 2: blockchain and height
• Definition 3: public and public height
• Definition 4: credible
• Definition 5: confirmation by time
• Definition 6: confirmation by depth
• Definition 7: safety violation of a block
• Definition 8: types of blocks
• Definition 9: chain delay bound $\Delta$
• Definition 10: Poisson mining processes