Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Larger-scale Nakamoto-style Blockchains Don't Necessarily Offer Better Security

Jannik Albrecht, Sebastien Andreina, Frederik Armknecht, Ghassan Karame, Giorgia Marson, Julian Willingmann

TL;DR

A probabilistic corruption model is introduced to express the increasing difficulty for an attacker to corrupt resources in larger networks and shows that increasing the number of nodes eventually violates security, but relying on a small number of nodes does not provide decent security provisions either.

Abstract

Extensive research on Nakamoto-style consensus protocols has shown that network delays degrade the security of these protocols. Established results indicate that, perhaps surprisingly, maximal security is achieved when the network is as small as two nodes due to increased delays in larger networks. This contradicts the very foundation of blockchains, namely that decentralization improves security. In this paper, we take a closer look at how the network scale affects security of Nakamoto-style blockchains. We argue that a crucial aspect has been neglected in existing security models: the larger the network, the harder it is for an attacker to control a significant amount of power. To this end, we introduce a probabilistic corruption model to express the increasing difficulty for an attacker to corrupt resources in larger networks. Based on our model, we analyze the impact of the number of nodes on the (maximum) network delay and the fraction of adversarial power. In particular, we show that (1) increasing the number of nodes eventually violates security, but (2) relying on a small number of nodes does not provide decent security provisions either. We then validate our analysis by means of an empirical evaluation emulating hundreds of thousands of nodes in deployments such as Bitcoin, Monero, Cardano, and Ethereum Classic. Based on our empirical analysis, we concretely analyze the impact of various real-world parameters and configurations on the consistency bounds in existing deployments and on the adversarial power that can be tolerated while providing security. As far as we are aware, this is the first work that analytically and empirically explores the real-world tradeoffs achieved by current popular Nakamoto-style deployments.

Larger-scale Nakamoto-style Blockchains Don't Necessarily Offer Better Security

TL;DR

A probabilistic corruption model is introduced to express the increasing difficulty for an attacker to corrupt resources in larger networks and shows that increasing the number of nodes eventually violates security, but relying on a small number of nodes does not provide decent security provisions either.

Abstract

Extensive research on Nakamoto-style consensus protocols has shown that network delays degrade the security of these protocols. Established results indicate that, perhaps surprisingly, maximal security is achieved when the network is as small as two nodes due to increased delays in larger networks. This contradicts the very foundation of blockchains, namely that decentralization improves security. In this paper, we take a closer look at how the network scale affects security of Nakamoto-style blockchains. We argue that a crucial aspect has been neglected in existing security models: the larger the network, the harder it is for an attacker to control a significant amount of power. To this end, we introduce a probabilistic corruption model to express the increasing difficulty for an attacker to corrupt resources in larger networks. Based on our model, we analyze the impact of the number of nodes on the (maximum) network delay and the fraction of adversarial power. In particular, we show that (1) increasing the number of nodes eventually violates security, but (2) relying on a small number of nodes does not provide decent security provisions either. We then validate our analysis by means of an empirical evaluation emulating hundreds of thousands of nodes in deployments such as Bitcoin, Monero, Cardano, and Ethereum Classic. Based on our empirical analysis, we concretely analyze the impact of various real-world parameters and configurations on the consistency bounds in existing deployments and on the adversarial power that can be tolerated while providing security. As far as we are aware, this is the first work that analytically and empirically explores the real-world tradeoffs achieved by current popular Nakamoto-style deployments.
Paper Structure (39 sections, 10 theorems, 38 equations, 11 figures, 7 tables)

This paper contains 39 sections, 10 theorems, 38 equations, 11 figures, 7 tables.

Table of Contents

  1. Introduction
  2. System and Security Model
  3. System Model
  4. Relative power $\rho_{\mathrm{adv}}$
  5. Block Generation Rate $\lambda$
  6. Maximum Communication Delay $\Delta$
  7. Existing Security Models
  8. Security Properties
  9. Gaps in Existing Models
  10. Motivating Example
  11. Research Questions
  12. Our Security Framework
  13. Security Model
  14. Corruption Model
  15. Security Analysis
  16. ...and 24 more sections

Key Result

Theorem 1

Consider a Nakamoto-style blockchain with $n$ nodes, where all validators possess the same amount of power. The system has a block frequency $\lambda$ and a maximum communication delay of $\Delta$. Moreover, let $e$ be the magnification factor as explained in sec:hma_tresholds and $\rho_{\mathrm{adv where $f(\rho_{\mathrm{adv}}\xspace)=\left(\frac{e\cdot \rho_{\mathrm{adv}}\xspace\cdot (1-\rho_{\m

Figures (11)

  • Figure 1: Security probability vs number of nodes. We measure the probability (cf. \ref{['eq:success']}) that a Nakamoto-style blockchain provides persistence and liveness when faced with the probabilistic node corruption. Here, we consider a PoW-based blockchain that generates blocks at a rate of one block per 20 seconds (the case of Cardano). We assume that an adversary can delay selective blocks by up to 100 seconds, i.e., five block generations, (e.g., using DBLP:conf/ccs/GervaisRKC15DBLP:conf/uss/HeilmanKZG15) and can corrupt each individual miner with probability $12.5\%$. Our results show that a network comprising of 20000.0 nodes is optimal in terms of security, but that a blockchain comprising of 10 nodes offers larger security compared to a network comprising of a million nodes.
  • Figure 2: Motivating Example. Existing security models consider Blockchain A (left) to be more secure than Blockchain B (right).
  • Figure 3: Impact of the block generation rate on the security probability (cf. \ref{['eq:success']}).
  • Figure 4: Summary of the popular gossip protocols used in existing Nakamoto-style blockchains.
  • Figure 5: Impact of $n$ on $\Delta$ and the average delay $\widehat{\delta}$ (in the benign case) using various gossip protocols.
  • ...and 6 more figures

Theorems & Definitions (17)

  • Definition 1: Event of Security $\mathds{E}_{\mathrm{sec}}\xspace$
  • Theorem 1
  • Lemma 1
  • proof
  • Theorem 2: Maximum Delay
  • Definition 2: Characterization
  • Definition 3: Random Variable $R\xspace_{\mathrm{adv}}\xspace(n_{\mathrm{val}}\xspace,C\xspace)$
  • Theorem 3: Bounding $R\xspace_{\mathrm{adv}}\xspace(n_{\mathrm{val}}\xspace,C\xspace)$
  • Corollary 1: Limits of $R\xspace_{\mathrm{adv}}\xspace(n_{\mathrm{val}}\xspace,C\xspace)$
  • Lemma 2: Chernhoff Bound
  • ...and 7 more