aviv zohar the hebrew university of jerusalem & microsoft
TRANSCRIPT
![Page 1: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/1.jpg)
Aviv Zohar
The Hebrew University of Jerusalem
& Microsoft Research Israel
1
![Page 2: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/2.jpg)
Blue: 2
Red: 1
3 0
2
![Page 3: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/3.jpg)
Blue: 2
Red: 1
Blue: 2
Red: 1
Blue: 2
Red: 1
Blue: 2
Red: 1 Blue: 2
Red: 1 Blue: 2
Red: 1
Blue: 2
Red: 1
The double spending problem
Blue: 2
Red: 1
3
![Page 4: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/4.jpg)
Hash
Block Chain
Hash Hash
New Block
Hash
Another Node’s Block
1. Make block creation hard
(once every 10 minutes)
via computational “puzzles”
2. Quickly send blocks to all nodes
3. Adopt (conflicting) blocks iff
they make up a longer chain
4
![Page 5: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/5.jpg)
The Double-Spend Attack
5
![Page 6: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/6.jpg)
We can be safe.
The probability of block replacement
decreases exponentially as more
blocks are added to chain.
Attacker controls
< 50% of
compute power
Nodes can send
blocks quickly
Nodes have
incentive to
participate
Main theorem [Satoshi Nakamoto]
6
![Page 7: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/7.jpg)
Hash
Incentives
1MB size limit
(DOS prevention)
+ minted coins
Pay nodes for work
“Mining”
7
![Page 8: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/8.jpg)
8
![Page 9: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/9.jpg)
9
![Page 10: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/10.jpg)
10
![Page 11: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/11.jpg)
11
![Page 12: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/12.jpg)
Incentives to send messages
Competition is important
In order to compete nodes need access to
Transactions
recent blocks
No proper incentives to share either one
“On Bitcoin and Red Balloons” [Babaioff, Dobzinsky, Oren, Zohar]
12
![Page 13: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/13.jpg)
Selfish Mining
Attacker knocks out more blocks than he looses
Works if attacker has “enough” comp. power (e.g., over 1/3), or communicates fast.
How do we fix this?
First step: how do we find a best-response?
H2 H1
A1 A2
First demonstrated
by [Eyal & Sirer]
13
![Page 14: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/14.jpg)
Optimal Selfish Mining [Sapirshtein, Sompolinsky, Zohar]
State: length of each chain after the fork
Actions: wait, adopt, override…
H2 H1
A1 A2
What should we
do?
14
![Page 15: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/15.jpg)
We know how to find the optimal deviation
(using a reduction to MDPs)
15
![Page 16: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/16.jpg)
Results
Smaller miners can in fact profit from these attacks
Some suggested fixes slightly worse than expected (e.g., 50-50 fix by E&S) others much worse than prev. thought.
The really bad news:
In networks with delays all miners profit from deviation.
16
![Page 17: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/17.jpg)
Many more incentive
problems and connections
Fee markets need to replace minting
Externalities that are not reflected in
prices
every transaction accepted consumes
resources from all
Every block helps all previous
blocks be a bit more secure.
17
![Page 18: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/18.jpg)
“Breaking the chains” of blockchain protocols [Lewnberg, Sompolinsky, Zohar]
Hidden links to social choice?
Intuitions…
18
![Page 19: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/19.jpg)
Bigger & Faster
Bitcoin 3.3 transactions per sec
Visa > 2000 tps
Bitcoin blocks: every 10 minutes
Need faster confirmation times!
19
![Page 20: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/20.jpg)
Speeding up is problematic
Need new protocol that will be more tolerant to delay, but still secure.
20
![Page 21: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/21.jpg)
Hidden links to social choice?
Pizza
Pasta Pizza
Pasta
x2 x3
Pi
Pa ? Run plurality, vote
for the winner
21
![Page 22: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/22.jpg)
The revelation principle
Pi
Pa ?
Tell us about all blocks you saw.
Pi
Pa
This is now different:
22
![Page 23: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/23.jpg)
Chainless protocols
a
c' b’
b c d
e
Given a DAG
Output a linear order of the blocks (topological sort)
a c' b’ b c d e
Accept transactions in order of appearance (toss out illegal ones)
23
![Page 24: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/24.jpg)
Insight from social choice
Pizza
Pasta
Burger
Pizza
Pasta
Burger Pizza
Pasta
Burger
x2 x2 x3
Pi
Pa
B
When there are delays in the network, many blocks are created in parallel
Blocks Pa, Pi have no conflicting transactions. Can we consider them “accepted”?
24
![Page 25: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/25.jpg)
Our result: a new protocol (on ArXiv soon)
Chainless we pick an order over all blocks
Resilience in the presence of delays. Double spending attacks
Confirmation delay attacks (unless it is for a visible double-spend)
Based on voting with “ranked pairs”
Blocks have “preferences” prefer blocks that they see over ones they do not.
(Unfortunately, much more complicated)
25
![Page 26: Aviv Zohar The Hebrew University of Jerusalem & Microsoft](https://reader034.vdocuments.us/reader034/viewer/2022052309/5891a88a1a28abfd438c3f36/html5/thumbnails/26.jpg)
Conclusion
Bitcoin already “exceeds expectations”
Incentives are needed!
I am optimistic!
More insights from social choice?
Simple Complex
26