On Trees, Chains and Fast Transactions in the Blockchain

Abstract

A fundamental open problem in the area of blockchain protocols is whether the Bitcoin protocol is the only solution for building a secure transaction ledger. A recently proposed and widely considered alternative is the GHOST protocol which, notably, was proposed to be at the core of Ethereum as well as other recent proposals for improved Bitcoin-like systems. The GHOST variant is touted as offering superior performance compared to Bitcoin (potentially offering block production speed up by a factor of more than 40) without a security loss. Motivated by this, in this work, we study from a provable security point of view the GHOST protocol.

We introduce a new formal framework for the analysis of blockchain protocols that relies on trees (rather than chains) and we showcase the power of the framework by providing a unified description of the GHOST and Bitcoin protocols, the former of which we extract and formally describe. We then prove that GHOST implements a “robust transaction ledger” (i.e., possesses liveness and persistence) and hence it is a provably secure alternative to Bitcoin; moreover, our bound for the liveness parameter is superior to that proven for the bitcoin backbone in line with the original expectation for GHOST. Our proof follows a novel methodology for establishing that GHOST is a robust transaction ledger compared to previous works, which may be of independent interest and can be applicable to other blockchain variants.

Aggelos Kiayias—Research supported by ERC project CODAMODA #25915. Part of this work was based in a technical report published in e-print (https://eprint.iacr.org/2015/1019).

Appendices

A Probability of Uniquely Successful Rounds

In this section we demonstrate a lower bound on the probability of uniquely successful rounds. This bound allows us to argue about the security of GHOST even when f is larger than 1.

Lemma 7

For \(p<0.1\) and \(a\in (p,2k) : e^{-a-kp} \le (1-p)^{\frac{a}{p} - k} \le e^{-a+kp}\)

Proof

The second inequality is well studied and holds for \(p>0\). For the first inequality by solving for a we get \(a \le k\frac{ln(1-p)}{ 1+ \frac{ln(1-p)}{p} } \) which holds for \(p<0.1\) and \(a \in (p,2k)\).   \(\square \)

Let \(\gamma \) be a lower bound on the probability of a uniquely successful round (a round where only one block is found). From the event where \((n-t)\) players throw q coins each and exactly one coin toss comes head, the probability of a uniquely successful rounds is at least:

$$\begin{aligned} n-t)qp(1-p)^{q(n-t)-1} \ge \alpha e^{-\alpha -kp} \end{aligned}$$

We set \(\gamma = ae^{-a-kp}\), for the minimum k that satisfies the relation \(\alpha \in (p,2k)\). This is a substantially better bound that \(\gamma _u\) and is also a lower bound for the event that at a round is successful. The relation of the two bounds is depicted in Fig. 2.

Fig. 2.

Comparison of the lower bounds on the probability of a uniquely successful round, \(\gamma \) and \(\gamma _u\), used respectively in this work and [9]. Notice that \(\gamma \) allows as to argue about security when f is greater than 1.

B Proofs

1.1 B.1 Proof of Lemma 3

Proof

We are first going to prove two preliminary claims that show the effect of a uniquely successful round to \(\mathrm {p}_{\mathrm{dom}}\). The first claim shows that if a uniquely successful round s is not compensated accordingly by the adversary, a newly mined block will be forced into \(\mathrm {p}_{\mathrm{dom}}(s,1)\).

Claim 1

Let round s be a uniquely successful round and b be the honest block mined at round s. If the adversary does not broadcast any block at round \(s-1\) then .

Proof of Claim

First, notice that since the adversary does not broadcast any block it holds that for any honest player P, \(\mathcal {T}_{s}\) is equal to \(\mathcal {T}^P_{s}\). Therefore, all nodes in the path from \(v_{\mathrm {root}}\) to the parent of b are at least 0-dominant in \(\mathcal {T}_{s}\) and thus this path is in \(\mathrm {HonestPaths}(s)\). Since s is uniquely successful, all conditions of the second bullet of Proposition 1 are met, and thus it is implied that all nodes up to the newly mined block in \(\hat{\mathcal {T}}_{s}\) are 1-dominant. It follows that \(b \in \mathrm {p}_{\mathrm{dom}}(s,1)\).   \(\dashv \)

The second claim shows the effect of a uniquely successful round s to an existing \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) path. Notice that if the adversary broadcasts less than d blocks the same nodes continue to be at least 1-dominant in the following round.

Claim 2

Let round s be a uniquely successful round, b be the honest block mined at round s and \(\mathrm {p}_{\mathrm{dom}}(s-1,d) \not = \bot \). If the adversary broadcasts (i) \(k < d\) blocks at round \(s-1\) then \(\mathrm {p}_{\mathrm{dom}}(s-1,d) \subseteq \mathrm {p}_{\mathrm{dom}}(s,d+1-k)\), (ii) \(k=d\) blocks at round \(s-1\) then either \(b\in \mathrm {p}_{\mathrm{dom}}(s,1)\) or \(\mathrm {p}_{\mathrm{dom}}(s-1,d) \subseteq \mathrm {p}_{\mathrm{dom}}(s,1)\) and b is a descendant of the last node in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\).

Proof of Claim

There are two cases. In the first case suppose the adversary broadcasts \(k<d\) blocks. Then, according to the first bullet of Proposition 1, the adversary can lower the dominance in \(\mathcal {T}_{s}\) of nodes in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) by at most k. Thus \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) will be a prefix of all the chains in \(\mathrm {HonestPaths}(s)\). But because s is a uniquely successful round, the dominance in \(\hat{\mathcal {T}}_{s}\) of all nodes in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) will increase by one. Therefore \(\mathrm {p}_{\mathrm{dom}}(s-1,d) \subseteq \mathrm {p}_{\mathrm{dom}}(s,d+1-k)\) and b will be a descendant of the last node in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\).

In the second case suppose the adversary broadcasts \(k=d\) blocks. If he does not broadcast all of these blocks to reduce the dominance in \(\mathcal {T}_{s}\) of the nodes in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\), then \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) will be a prefix of all the chains in \(\mathrm {HonestPaths}(s)\) and as in the previous case, \(\mathrm {p}_{\mathrm{dom}}(s-1,d) \subseteq \mathrm {p}_{\mathrm{dom}}(s,d+1-k)\) and b will be a descendant of the last node in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\).

Otherwise the adversary will reduce the dominance in \(\mathcal {T}_{s}\) of at least one node in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) to zero. If b is a descendant of the last node in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\), then all nodes in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) will be 1-dominant in \(\hat{\mathcal {T}}_{s}\) and \(\mathrm {p}_{\mathrm{dom}}(s-1,d) \subseteq \mathrm {p}_{\mathrm{dom}}(s,1) = \mathrm {p}_{\mathrm{dom}}(s,d+1-d) \). If b is not a descendant of the last node in \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\), then for the player P that mined this block it holds that \(\mathcal {T}^P_{s} = \mathcal {T}_{s}\), because he would have not mined a chain that does not contain \(\mathrm {p}_{\mathrm{dom}}(s-1,d)\) at round s otherwise. Therefore, P at round s was mining a chain that belonged to \(\mathrm {HonestPaths}(s,v_{\mathrm {root}})\) and thus all nodes in the chain are at least 0-dominant in \(\mathcal {T}_{s}\). But because s is a uniquely successful round the dominance of all nodes in the chain that b belongs to will increase by one and thus \(b \in \mathrm {p}_{\mathrm{dom}}(s,1)\).   \(\dashv \)

Let \(b_i\) denote the honest block mined at round \(r_i\). Let us assume that \(r=r_m\). We are going to prove the lemma using induction on the number of uniquely successful rounds m.

For the base case suppose \(m=1\). The adversary does not broadcast any block until round \(r_1-1\) and from the first claim \(b_1 \in \mathrm {p}_{\mathrm{dom}}(r_1,1)\). Thus the base case is proved. Suppose the lemma holds for \(m-1\) uniquely successful rounds and let \(k_1\) be the number of blocks that the adversary broadcasts in the round interval \([r'-1,r_{m-1}-1]\). We have two cases.

(First case) \(k_1 = m-1\) and the adversary broadcasts no blocks in the rest of the rounds. From the first claim it follows that \(b_m \in \mathrm {p}_{\mathrm{dom}}(r_m,1)\).

(Second case) \(k_1 < m-1\) and from the induction hypothesis there exist blocks \(b'_1,...,b'_{m-1-k_1}\) mined by honest players at the uniquely successful rounds \(r_1,..,r_{m-1}\) where \(b'_i \in \mathrm {p}_{\mathrm{dom}}(r_{m-1},i)\). Let \(k_2\) be the number of blocks that the adversary broadcasts until round \(r_m-2\) and \(k_3\) the number of blocks he broadcasts at round \(r_m-1\). If \(k_2 = m-1\) then again from the first claim it follows that \(b_m \in \mathrm {p}_{\mathrm{dom}}(r_m,1)\). If \(k_2<m-1\) then if \(k_3+k_2 = m-1\) then from the second claim either \(b_m \in \mathrm {p}_{\mathrm{dom}}(r_m,1)\) or \(b'_{m-1-k_1} \in \mathrm {p}_{\mathrm{dom}}(r_m,1)\). If \(k_3+k_2 < m-1\) then again from the second claim at round \(r_m\), \(b'_i \in \mathrm {p}_{\mathrm{dom}}(r_m-1, i)\) for i in \(\{ k_2+k_3+1,.., m-1-k_1 \}\) and either \(b'_{k_2+k_3}\) is in \(\mathrm {p}_{\mathrm{dom}}(r_m,1)\) or \(b_m\) is in \(\mathrm {p}_{\mathrm{dom}}(r_m,1)\). This completes the induction proof.

We proved that if \(k_4<m\) is the number of blocks the adversary broadcasts until round \(r_m-1\), then there exists honest blocks \(b'_1,..,b'_{m-k_4}\) s.t. \(b'_i\) is in \(\mathrm {p}_{\mathrm{dom}}(r_m,i)\). Now in the case \(r > r_m\), let \(k_5<m-k_4\) be the number of blocks the adversary broadcasts in the remaining rounds. The lemma follows easily from the second claim.

Remark 1

Let \(r_1,..,r_m\) be uniquely successful rounds up to round r and the honest block mined at round \(r_1\) be in \(\mathrm {p}_{\mathrm{dom}}(r_1,1)\). If the adversary broadcasts \(k < m\) blocks from round \(r_1\) until round \(r-1\), then there exists an honest block b mined in one of the rounds \(r_1,..,r_m\) such that b in \(\mathrm {p}_{\mathrm{dom}}(r,m-k)\). (to see why the remark holds notice that blocks that the adversary broadcasts before round \(r_1\) affect only the dominant path at round \(r_1\), and not at the following rounds)   \(\square \)

1.2 B.2 Proof of Lemma 4

Proof

Let random variable \(Z_{s_1,s_2}\) (resp. \(Z^{bd}_{s_1,s_2}\)) denote the number of blocks the adversary computes (resp. broadcasts) from round \(s_1\) until round \(s_2\), and random variable \(X_{s_1,s_2}\) denote the number of rounds that are uniquely successful in the same interval.

We are first going to prove two preliminary claims. We show that as long as from some round r and afterwards the adversary broadcasts less blocks than the total number of uniquely successful rounds, the chain that any honest player adopts after round r extends \(\mathrm {p}_{\mathrm{dom}}(r, X_{1,r} - Z_{1,r})\). More generally we can prove the following claim.

Claim 3

Consider any execution such that for all rounds \(s_2 \ge s_1\), for some round \(s_1\), it holds that \(Z_{1,s_2} < X_{1,s_2}\). Then, the chain that any honest player adopts after round \(s_1\) extends .

Proof of Claim

Since \(X_{1,s_1}>Z_{1,s_1}\) from Lemma 3 it follows that

$$\begin{aligned} p = \mathrm {p}_{\mathrm{dom}}(s_1,X_{1,s_1} - Z_{1,s_1-1}) \not = \bot \end{aligned}$$

As long as the number of blocks that the adversary broadcasts at round \(s_2\) are less than the dominance of the nodes in p in \(\hat{\mathcal {T}}_{s_2-1}\), all honest players at round \(s_2\) will adopt chains containing p. Thus uniquely successful rounds will increase the dominance of these nodes. But since from the assumptions made, \(Z_{1,s_2} < X_{1,s_2}\), in all rounds after round \(s_1\), the nodes in p are at least 1-dominant in every \(\mathcal {T}^P_{s_2}\) where P is an honest player; the claim follows.   \(\dashv \)

Next we will show that if successive u.s. rounds occur such that the blocks mined are on different branches, then the adversary must broadcast an adequate number of blocks, as specified below.

Claim 4

Consider any execution where \(s_1<s_2<...<s_m\) are u.s. rounds and \(s_k\) is the first u.s. round such that the honest block mined in this round is not a descendant of the honest block mined in round \(s_{k-1}\), for \(k\in \{2,..,m\}\). Then either \(Z^{bd}_{s_1-1,s_m-1} > X_{s_1,s_m-1}\) or \(Z^{bd}_{s_1-1,s_m-1} = X_{s_1,s_m-1}\) and the honest block mined at round \(s_m\) will be in .

Proof of Claim

Let \(b_1,..,b_m\) denote the honest blocks mined at rounds \(s_1,..,s_m\) respectively. We are going to prove the claim for \(m=2\). Suppose, for the sake of contradiction, that \(Z^{bd}_{s_1-1,s_2-1} < X_{s_1,s_2-1}\). By the definition of \(s_2\), the honest blocks mined on all u.s. rounds until round \(s_2-1\) are descendants of \(b_1\). From Lemma 3 at least one honest block b computed in one of the u.s. rounds in \([s_1,s_2-1]\) will be in . Since from our hypothesis the adversary will broadcast less than \(Z^{bd}_{s_2-1,s_2-1} < X_{s_1,s_2-1} - Z^{bd}_{s_1-1,s_2-2}\) blocks at round \(s_2-1\), it is impossible for \(b_2\) not to be a descendant of b and thus of \(b_1\) which is a contradiction. Hence, \(Z^{bd}_{s_1-1,s_2-1} \ge X_{s_1,s_2-1}\). If \(Z^{bd}_{s_1-1,s_2-1} > X_{s_1,s_2-1}\) the base case follows. Otherwise, \(Z^{bd}_{s_1-1,s_2-1} = X_{s_1,s_2-1}\) and we have two cases. In the first case, \(X_{s_1,s_2-1} = Z^{bd}_{s_1-1,s_2-2}\) and at round round \(s_2-1\) the adversary does not broadcast any block. From Claim 1 of Lemma 3, \(b_2\) will be in . In the second case, it holds that the adversary broadcasts exactly \(X_{s_1,s_2-1} - Z^{bd}_{s_1-1,s_2-2}\) blocks at round \(s_2-1\). From Claim 2 of Lemma 3, since \(b_2\) cannot be a descendant of the last node of , \(b_2\) will be in . Hence, the base case follows.

Suppose the lemma holds until round \(s_m\). By the inductive hypothesis we have two cases. In the first case \(Z^{bd}_{s_1-1,s_m-1} > X_{s_1,s_m-1}\), which implies that \(Z^{bd}_{s_1-1,s_m-1}\) is greater or equal to \(X_{s_1,s_m}\). If no u.s. round happens during rounds \(s_{m}+1,\ldots ,s_{m+1}-1\) then from Claim 1 in the proof of Lemma 3 the claim follows. Otherwise, a u.s. round \(s'\) happens during these rounds, where the honest block mined is a descendant of \(b_{m}\). Then we can make the same argument as for the base case starting from round \(s'\) and get that either \(Z^{bd}_{s'-1,s_{m+1}-1} > X_{s',s_{m+1}-1}\) or \(Z^{bd}_{s'-1,s_{m+1}-1} = X_{s',s_{m+1}-1}\) and the honest block mined at round \(s_{m+1}\) will be in . Since \(Z^{bd}_{s'-1,s_{m+1}-1} < Z^{bd}_{s_m-1,s_{m+1}-1}\) and \(X_{s',s_{m+1}-1}\) is equal to \(X_{s_m+1,s_{m+1}-1}\), by the inequality of the inductive hypothesis the claim follows.

In the second case \(Z^{bd}_{s_1-1,s_m-1} = X_{s_1,s_m-1}\) and the honest block \(b_m\) mined at round \(s_m\) will be in . From Remark 1 of the proof of claim Lemma 3, for an application of this Lemma from rounds \(s_m\) until \(s_{m+1}-1\) we can count the adversarial blocks starting from round \(s_m\). Thus from the same argument as for the base case starting from round \(s_{m}\) we get that either \(Z^{bd}_{s_m,s_{m+1}-1} > X_{s_m,s_{m+1}-1}\) or \(Z^{bd}_{s_m,s_{m+1}-1} = X_{s_m,s_{m+1}-1}\) and the honest block mined at round \(s_m\) will be in . By the equality of the inductive hypothesis the claim follows.   \(\dashv \)

Next, we observe that Lemma 3 as well as Claims 3 and 4 can be applied on a subtree of the block tree, if all honest blocks mined after the round the root of the subtree was mined are on this subtree.

Observation 1

Let b be an honest block computed at round \(s_1\) that is in the chains adopted by all honest players after round \(s_2\). Also, suppose that all blocks mined at u.s. rounds after round \(s_1\) are descendants of b.Then the following hold:

1. 1.

   Regarding applications of Lemma 3 and Claim 4 on the subtree of the block tree rooted on b after round \(s_1\), we can ignore all blocks that the adversary has mined up to round \(s_1\).

2. 2.

   Regarding applications of Claim 3 after round \(s_2\), we can ignore all blocks that the adversary has mined up to round \(s_1\).

To see why the observation holds consider the following. Since the adversary receives block b for the first time at round \(s_1+1\), all blocks that the adversary mines before round \(s_1+1\) cannot be descendants of b. Regarding the first point, blocks that are not descendants of b do not affect the validity of Lemma 3 and Claim 4 on the subtree of the block tree rooted on b; this is because blocks that are not descendants of b, do not affect the dominance of the nodes of the subtree rooted at b. Regarding the second point, consider the dominant path at round \(s_3>s_2\) in the subtree that is rooted on b. Then, this path can be extended up to the root node, since, by our assumption, b is in the chains adopted by all honest players after round \(s_2\).

We are now ready to prove the lemma. First, we are going to define a set of bad events which we will show that hold with probability exponentially small in s. Assuming these events don’t occur we will then show that our lemma is implied, and thus the lemma will follow with overwhelming probability.

Let \(BAD(s_1,s_2)\) be the event that \(X_{s_1,s_2} \le Z_{s_1,s_2}\). In [9, Lemma 5], by an application of the Chernoff bounds it was proved that assuming that \(\gamma \ge (1+\delta ) \beta \) for some \(\delta \in (0,1)\), then with probability at least \((1-e^{-\frac{\beta }{243}\delta ^2 s' })(1-e^{-\frac{\gamma }{128}\delta ^2 s' }) \ge 1-e^{-(\min (\frac{\beta }{243}, \frac{\gamma }{128})\delta ^2 s' - \ln (2))} \) for any \(r'>0,s'\ge s\):

$$\begin{aligned} X_{r',r'+s'-1} > \left( 1+\frac{\delta }{2}\right) Z_{r',r'+s'-1} \end{aligned}$$

(1)

Thus, there exists an appropriate constant \(\epsilon = \delta ^2 \min (\frac{\beta }{243}, \frac{\gamma }{128})\), independent of r, such that it holds that for any \(r'>0,s'\ge s\), \(BAD(r',r'+s'-1)\) occurs with probability at most \(e^{-\epsilon \delta ^2 s' + \ln 2}\). From an application of the union bound, we get that for the function \(g(s)= \epsilon \delta ^2s - \ln 2 + \ln (1 - e^{-\epsilon \delta ^2})\), the probability that \(\bigvee _{r'\ge s } BAD(s_1+1,s_1+r')\) happens is:

$$\begin{aligned} \Pr \left[ \bigvee _{r'\ge s }BAD(s_1+1,s_1+r') \right] \le&\sum _{r'\ge s} e^{-\epsilon \delta ^2 r' + \ln 2}\\ \le&e^{\ln 2}\sum _{r'\ge s} e^{-\epsilon \delta ^2 r'}\\ \le&e^{\ln 2} \frac{e^{-\epsilon \delta ^2s}}{1 - e^{-\epsilon \delta ^2} }\\ \le&e^{-g(s)} \end{aligned}$$

Until now we have assumed that the execution we are studying is collision-free; no two queries in the oracle return the same value for different inputs. Let COL denote the event where a collision occurs in our execution. The probability of COL in a polynomial number of rounds, is exponentially small on \(\kappa \).

$$\begin{aligned} \Pr [ COL ] \le (f\kappa ^{c})^2/2^{\kappa +1} = e^{-\varOmega (\kappa )} \le e^{-\varOmega (s)} \end{aligned}$$

Let \(BAD(s_1)\) denote the event where \(\bigvee _{r'\ge s } BAD(s_1+1,s_1+r')\) or COL happens. From the union bound the probability that \(BAD(s_1)\) happens, for any \(s_1\) is negligible.

$$\begin{aligned} \Pr [ BAD(s_1) ] \le e^{-g(s)} + e^{-\varOmega (s)} \le e^{-\varOmega (s)} \end{aligned}$$

We are going to show next that, conditioning on the negation of this event the statement of the lemma follows.

We will use the convention that block \(b_i\) is mined at round \(r_i\). Let \(b_1\) be the most recent honest block that is in the chains that all honest players have adopted on and after round r, such that the blocks mined at all u.s. rounds after round \(r_1\) are descendants of \(b_1\). This block is well defined, since in the worst case it is the genesis block. If \(r_1\) is greater or equal to \(r-s\), then the lemma follows for block \(b_1\) with probability 1.

Suppose round \(r_1\) is before round \(r-s\) and that \(BAD(r_1)\) does not happen. The negation of \(BAD(r_1)\) implies that \(X_{r_1+1, r-1+c} > Z_{r_1+1, r-1+c}\), for \(c\ge 0\). By Lemma 3 and Claim 3 there exists at least one honest block \(b_2\), mined in a u.s. round and contained in the chains of all honest players on and after round r. W.l.o.g. let \(b_2\) be the most recently mined such block. By the definition of \(b_1\), \(b_2\) is a descendant of \(b_1\). If \(r_2\) is greater or equal to \(r-s\) then the lemma follows, since \(b_2\) is an honest block mined on and after round \(r-s\) that satisfies the conditions of the lemma.

Suppose round \(r_2\) is before round \(r-s\). Let \(r_3\) be the earliest u.s. round, such that \(b_3\) and the blocks mined at all u.s. rounds afterwards are descendants of \(b_2\). Since \(b_2\) will be in the chains of all honest players after round r, round \(r_3\) is well defined. Also let \(s_1<\ldots<s_m<\ldots \) be the sequence of u.s. rounds after round \(r_1\) that satisfy the conditions of Claim 4. That is, \(s_k\) is the first u.s. round such that the honest block mined in this round is not a descendant of the honest block mined in round \(s_{k-1}\), for \(k\in \{2,..,m\}\). The first u.s. round after round \(r_1\) corresponds to \(s_1\).

We will argue that \(r_3\) is equal to some \(s_i>s_1\) in the aforementioned sequence. Suppose, for the sake of contradiction that it does not. This implies that the honest block mined at round \(r_3\) (denoted by \(b_3\)) is a descendant of the honest block mined at some round \(s_i\) of the sequence. W.l.o.g. suppose that \(s_i\) is the largest such round that is before round \(r_3\). There are three cases. In the first case, \(r_2< s_i < r_3\). By the definition of \(s_i\) and \(r_3\), the block mined at round \(s_i\) is an ancestor of \(b_3\) and also a descendant of \(b_2\). Hence, \(s_i\) satisfies the definition of \(r_3\) which is a contradiction (there is an earlier round than \(r_3\) with the same property). In the second case, \(s_i = r_4\), where \(b_4\) is a descendant of \(b_1\) and either \(b_2=b_4\) or \(b_4\) is an ancestor of \(b_2\). Then \(b_4\) is a block that satisfies the definition of \(b_1\), and is more recent, which is a contradiction. In the third case, \(r_1< s_i < r_2\) and the block mined at round \(s_i\) is not an ancestor of \(b_2\). By the definition of \(s_i\), the honest block mined at round \(s_i\) is an ancestor of \(b_3\), that has been mined before round \(r_2\). But this is contradictory, since no honest block can be an ancestor of \(b_3\), mined before round \(r_2\), but not be an ancestor of \(b_2\).

Since we proved that \(r_3\) is equal to some \(s_i\) we can apply Claim 4 from round \(r_{1}+1\) until round \(r_3\). Again, from Observation 1, regarding applications of Claim 4 after round \(r_1\) we can ignore blocks that were mined before round \(r_1+1\). Then either \(Z_{r_1+1,r_3-1} \ge Z^{bd}_{r_1+1,r_3-1} > X_{r_1+1,r_3-1}\) or \(Z_{r_1+1,r_3-1} \ge Z^{bd}_{r_1+1,r_3-1} = X_{r_1+1,r_3-1}\) and the honest block mined at round \(r_3\) will be in .

Suppose, for the sake of contradiction, that round \(r_3\) is after round \(r_2+s\). Then \((r_3-1)-(r_1+1) \ge s\) and \(Z_{r_1+1,r_3-1} \ge X_{r_1+1,r_3-1}\). This is a contradiction, since in this case \(\lnot BAD(r_1)\) implies \(Z_{r_1+1,r_3-1} < X_{r_1+1,r_3-1}\). Therefore, \(r_3 \le r_2+s < r\). In addition, notice that \(\lnot BAD(r_1)\) also implies

$$\begin{aligned} X_{r_1+1,r_2+s} > Z_{r_1+1,r_2+s} \end{aligned}$$

(2)

We are going to apply Lemma 3 and Observation 1 from round \(r_3\) until round \(r_2+s\) in the subtree rooted at \(b_2\). According to the analysis we made previously there are two cases. In the first case, \(Z^{bd}_{r_1+1,r_3-1} > X_{r_1+1,r_3-1}\) or equivalently \(Z^{bd}_{r_1+1,r_3-1} \ge X_{r_1+1,r_3}\). Suppose, for the sake of contradiction, that \(r_3 = r_2+s\). Then \(Z_{r_1+1,r_2+s-1} \ge X_{r_1+1,r_2+s}\). But this is a contradiction, since \(\lnot BAD(r_1)\) implies Inequality 2. Therefore, \(r_3 < r_2+s\). From Inequality 2:

$$\begin{aligned} X_{r_3+1,r_2+s} \ge X_{r_1+1,r_2+s} - X_{r_1+1,r_3} > Z_{r_1+1,r_{k}+s} - Z^{bd}_{r_1+1,r_3-1} \ge Z^{bd}_{r_3,r_2+s} \end{aligned}$$

The last inequality, stems from two facts: that we can ignore blocks that were mined before round \(r_1+1\) regarding applications of Lemma 3 and also that the blocks that the adversary broadcasts at distinct rounds are different (adversaries that broadcast the same block multiple times can be ignored without loss of generality).

In the second case, \(Z^{bd}_{r_1+1,r_3-1} = X_{r_1+1,r_3-1}\) and the honest block mined at round \(r_3\) will be in . Again from Inequality 2:

$$\begin{aligned} X_{r_3,r_2+s} = X_{r_1+1,r_2+s} - X_{r_1+1,r_3-1} > Z_{r_1+1,r_{k}+s} - Z^{bd}_{r_1+1,r_3-1} \ge Z^{bd}_{r_3,r_2+s} \end{aligned}$$

The same analysis holds for all rounds after \(r_2+s\). By an application of Claim 3, an honest block b, computed in one of the u.s. rounds after round \(r_2\) and before round r, will be in the chains that honest players adopt on and after round r. Since \(b_2\) is the most recently mined block, before round \(r-s\), included in the chain of all honest players, b must have been mined on and after round \(r-s\) (since \(r_3 > r_2\)). Let A be the event that there exists a block mined by an honest player on and after round \(r-s\), that is contained in the chain which any honest player adopts after round r. We have proved that \((\lnot BAD(r_1))\) implies A. Then:

$$\begin{aligned} Pr[ A ]&= Pr[ A \wedge BAD(r_1) ] +\Pr [ A \wedge \lnot BAD(r_1) ]\\&\ge Pr[ A \wedge \lnot BAD(r_1) ]\\&= Pr[ A |\lnot BAD(r_1) ]Pr[ \lnot BAD(r_1)]\\&= Pr[ \lnot BAD(r_1)]\\&\ge 1 - e^{-g(s)} \end{aligned}$$

Hence, the lemma holds with probability at least \(1 - e^{-g(s)}\).   \(\square \)