ADESS: A Proof-of-Work Protocol to Deter Double-Spend Attacks

Abstract

A principal vulnerability of a proof-of-work (“PoW”) blockchain is that an attacker can re-write the history of transactions by forking a previously published block and building a new chain segment containing a different sequence of transactions. If the attacker’s chain has the most cumulative mining puzzle difficulty, nodes will recognize it as canonical. We propose a modification to PoW protocols, called ADESS, that contains two novel features. The first modification enables a node to identify the attacker chain by comparing the temporal sequence of blocks on competing chains. The second modification penalizes the attacker by requiring it to apply exponentially increasing hashrate in order to make its chain canonical. We demonstrate two things; (i) the expected cost of carrying out a double-spend attack is weakly higher under ADESS compared to the current PoW protocols and (ii) for any value of transaction, there is a penalty setting in ADESS that renders the expected profit of a double-spend attack negative.

Appendix

Generalizing \(\boldsymbol{ADESS}\) to Multiple Chains and Multiple Forks

ADESS can be extended to a general blockchain network in which there are multiple forks, each with two or more descendant chains where penalty assignments are made at each fork. To accommodate this, we generalize the ADESS protocol so that a penalized chain cannot become canonical until it has overcome all penalties assigned to it. Proposition 1 and its Corollary prove that there is always exactly one canonical chain.

Tree Graph Representation of a Blockchain Network. A blockchain network can be represented as a directed tree graph. A chain is a unique directed path running from a fork-block to a chain head.³⁰ At any time t there are N fork-blocks in the blockchain network, each one denoted \(f_{n},\; n \in \{1,...,n,...,N\}\) and M heads, each one denoted \(B_{m},\; m \in \{1,...,m,...,M\}\). We also denote \(B_{m}\) as the chain connecting a fork-block to a chain head. Figure 6 displays the blockchain network as a directed tree graph at t periods after the Genesis block was broadcast.

Penalty Nomenclature. We simplify the presentation by assuming that an attacker forks the parent of the block to which the transaction is appended, so that \(\lambda = 0\).³¹ The baseline chain for fork-block \(f_{n}\) is the first chain to broadcast \(\alpha \) post-fork blocks, which is denoted \(\alpha :f_{n}\). For example in Fig. 6, \(\alpha :f_{2}\) indicates that chain \(B_{4}\) is the baseline chain relative to \(f_{2}\), since it was the first chain to broadcast a chain segment with \(\alpha \) blocks, starting at \(f_{2}\). A more complicated example involves chain \(B_{1}\). \(\alpha :f_{1}\) indicates that \(B_{1}\) was the first chain to broadcast a chain segment with \(\alpha \) blocks, starting at \(f_{1}\) and \(\alpha :f_{3}\) indicates that chain \(B_{2}\) was the first chain to broadcast a chain segment with \(\alpha \) blocks, starting at \(f_{3}\). In this case \(B_{1}\) is the baseline chain for fork \(f_{1}\) and is not the baseline chain for fork \(f_{3}\). At each fork \(f_{n}\) a penalty may (or may not) be assigned to one or more chains \(B_{m}\). When a assignment is made, the penalized chain is compared to the baseline chain \(B_{m'}\).³²

The penalty is “active” at fork-block \(f_{n}\) so long as the penalized chain has not overcome the penalty. The tuple \(<B_{m}:\widehat{f}_{n}:B_{m'}:t>\) denotes that \(B_{m}\) is actively penalized relative to \(B_{m'}\) at \(f_{n}\) at time t. The penalty is “inactive” after it has been overcome by the penalized chain. An inactive penalty is denoted \(<B_{m}:f_{n}:B_{m'},t>\). In the latter case, \(B_{m}\) has become the baseline chain relative to fork \(f_{n}\). In general, \(\widehat{f}_{n}\) indicates a currently active penalty and \(f_{n}\) indicates a past penalty that has been overcome. The set of active and inactive penalties assigned to \(B_{m}\) at time t is denoted by a list such as \(\{<B_{m}:\widehat{f}_{n}:B_{m'}:t>, <B_{m}:f_{n+i}:B_{m'+j}:t>, ...\}\).

Fig. 6.

A blockchain network

Generalized Penalty Assignment Rule and Penalty Function. We restate the penalty assignment rule and penalty function for the general case.

Generalized Penalty Assignment Rule

1. (i)

   Apply the ADESS Penalty Assignment Rule to each fork-block \(f_{n}\) (i.e. a chain that is not first to broadcast \(\alpha \) post-fork blocks is assigned a penalty relative to the chain that is first to broadcast \(\alpha \) post-fork blocks) with the exception that

2. (ii)

   If the chain that is first to broadcast \(\alpha \) blocks after a fork-block \(f_{n}\) is subject to an active penalty at the time of the broadcast, then no penalty assignment is made at fork-block \(f_{n}\).   \(\square \)

Generalized Penalty Function

1. (i)

   Apply the ADESS Penalty Function to each penalized chain at fork-block \(f_{n}\).

2. (ii)

   At the time a chain \(B_{m}\) has overcome every penalty assigned to it, it has no active penalties and the protocol for \(B_{m}\) reverts to the Nakamoto criteria of comparing cumulative mining puzzle difficulty with other chains that do not face active penalties. When it has overcome its last penalty, the score of \(B_{m}\) is re-set to equal the cumulative mining puzzle difficulty of the baseline chain for the last penalty, plus a small additional amount \(\epsilon \). For example, if \(<B_{m}:f_{n}:B_{m'}:t>\) is the last penalty to become inactive, \(B_{m}\) is assigned an adjusted cumulative mining puzzle difficulty = (\(B_{m'}\) cumulative puzzle difficulty at t) + \(\epsilon \). If \(B_{m}\) has more than one active penalties and all are overcome at the same time, the baseline chain with the highest score is used for the re-set.   \(\square \)

The Canonical Chain. At any time the set of chains can be partitioned into two groups. One group are chains that have been assigned at least one penalty that has not been overcome. These chains are not eligible to be canonical. Among chains in the other group, those ranked by (possibly adjusted) cumulative mining puzzle difficulty, one will be canonical - provided there is at least one chain in this group. Proposition 2 establishes that there is at least one chain that is eligible to be canonical.

Proposition 2

Under the generalized ADESS Protocol, there is at least one chain to which no penalty has ever been applied at any time.

Proof

We prove the proposition by construction. Start at the Genesis block and proceed to the first fork-block \(f_{1}\). There will be at least one post-fork chain that is not penalized. Choose one of the non-penalized chains and proceed to the next fork-block. There will be at least one post-fork chain that is not penalized. Choose one of the non-penalized chains and proceed to the next fork-block, and so forth until a head \(B_{m}\) is reached. The chain \(B_{m}\) is not penalized at any fork.   \(\square \)

The example in the proof is displayed in Fig. 6 when comparing chains \(B_{1}\) and \(B_{2}\). If \(B_{1}\) is the un-penalized chain at \(f_{1}\), then either \(B_{1}\) or \(B_{2}\) must be un-penalized.

Corollary 2

There is exactly one canonical chain under generalized ADESS.

Proof

Proposition 2 states that there is at least one chain to which no penalty has ever been applied at any time. Such a chain is eligible to be canonical. Suppose there is more than one chain without active penalties at a point in time. These chains are compared on the basis of cumulative mining puzzle difficulty. Under Nakamoto the chain with the most work is canonical.   \(\square \)

Finally, ADESS applies to a circumstance where there is only one fork-block with actively mined descendant chains and none of those chains have forks. ADESS is the application of generalized ADESS in the case where there is one fork-block, two fork chains and neither chain has an active penalty from a prior fork. In that case, chain \(\mathcal {A}\) is penalized relative to chain \(\mathcal{I}\mathcal{C}\).

Relaxing the Restriction on Growth Rate of Chain \(\boldsymbol{\mathcal {A}}\)

The model limits the attacker to choosing a constant growth rate \(\gamma \) for chain \(\mathcal {A}\). We now relax that restriction and allow the attacker to choose the growth rate of each block n on chain \(\mathcal {A}\) as the function \(\gamma (n,\xi )\). Equation 11 becomes

We do not evaluate all possible functional forms of \(\gamma (n,\xi )\). We show that Theorem 1 and Corollary 1 continue to hold if the growth rate is a affine function of \(\xi \). Let \(\gamma (n,\xi ) = \rho + \xi f(n)\) for some scalar \(\rho > 0\) and function \(f(n) > 0\). The derivative for the discounted cost of an attack at nth block on chain \(\mathcal {A}\) is

$$\begin{aligned} & d/d\xi (\delta ^{n/(1+\gamma (\xi ,n))}(1+ \gamma (\xi ,n))^{n}) =\\ & \qquad \qquad \qquad \qquad \,\,\,\, nf(n)(\xi f(n)+\rho )^{n-1}\delta ^{n/(\xi f(n) + \rho +1)} \\ & \qquad \qquad \,\,\,\, - nf(n)log(\delta )[(\xi f(n) + \rho )^{n} + 1]\delta ^{n/(\xi f(n) + \rho + 1)}[\xi f(n) + \rho +1]^{-2} \end{aligned}$$

The expression is positive, noting that \(log(\delta ) < 0\), since \(\delta \in (0,1)\). Therefore Equation 10’ is negative. Noting that n, \(\delta \) and \(\xi \) are strictly positive, the expression is bounded away from zero, which implies that there is no upper bound to the expression. It follows that there is a value \(\underline{\xi }\) for which \(\pi (\underline{\xi }) < 0\), which proves Theorem 1 and Corollary 1.