SmartPool: practical decentralized pool mining. Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena August 18, 2017

Similar documents
Bitcoin and Blockchain

Blockchain. CS 240: Computing Systems and Concurrency Lecture 20. Marco Canini

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Problem: Equivocation!

Bitcoin Mining. A high-level technical introduction. Konstantinos Karasavvas

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Bitcoin. CS6450: Distributed Systems Lecture 20 Ryan Stutsman

Ergo platform: from prototypes to a survivable cryptocurrency

ENEE 457: E-Cash and Bitcoin

Bitcoin (and why it uses SO much energy)

Radix - Public Node Incentives

Who wants to be a millionaire? A class in creating your own cryptocurrency

Consensus & Blockchain

Ergo platform overview

SCP: A Computationally Scalable Byzantine Consensus Protocol for Blockchains

Ergo platform. Dmitry Meshkov

CONSENSUS PROTOCOLS & BLOCKCHAINS. Techruption Lecture March 16 th, 2017 Maarten Everts (TNO & University of Twente)

Reliability, distributed consensus and blockchain COSC412

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

A Gentle Introduction To Bitcoin Mining

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Be Selfish and Avoid Dilemmas: Fork After Withholding (FAW) Attacks on Bitcoin

arxiv: v1 [cs.cr] 31 Aug 2017

What is Proof of Work?

Smalltalk 3/30/15. The Mathematics of Bitcoin Brian Heinold

Fruitchains: A Fair Blockchain?

Candidates Day Modeling the Energy Consumption of. Ryan Cole Liang Cheng. CSE Department Lehigh University

Blockchain, Cryptocurrency, Smart Contracts and Initial Coin Offerings: A Technical Perspective

On Power Splitting Games in Distributed Computation: The Case of Bitcoin Pooled Mining

The Blockchain. Josh Vorick

Blockchain for Enterprise: A Security & Privacy Perspective through Hyperledger/fabric

BlockFin A Fork-Tolerant, Leaderless Consensus Protocol April

Countering Block Withholding Attack Efficiently

Sharding. Making blockchains scalable, decentralized and secure.

Security Analysis of Bitcoin. Dibyojyoti Mukherjee Jaswant Katragadda Yashwant Gazula

Hyperledger fabric: towards scalable blockchain for business

Transactions as Proof-of-Stake! by Daniel Larimer!

University of Duisburg-Essen Bismarckstr Duisburg Germany HOW BITCOIN WORKS. Matthäus Wander. June 29, 2011

Hijacking Bitcoin: Routing Attacks on Cryptocurrencies

Analyzing Bitcoin Security. Philippe Camacho

Blockchain Bitcoin & Ethereum

BITCOIN MECHANICS AND OPTIMIZATIONS. Max Fang Philip Hayes

How Bitcoin achieves Decentralization. How Bitcoin achieves Decentralization

CS 251: Bitcoin and Crypto Currencies Fall 2015

Key concepts of blockchain

Bitcoin, a decentralized and trustless protocol

ICO Review: Raiden Network (RDN)

BLOCKCHAIN CADEC Pär Wenåker & Peter Larsson

Hyperledger Fabric v1:

P2P BitCoin: Technical details

Proof-of-Stake Protocol v3.0

Introduction to Cryptoeconomics

EECS 498 Introduction to Distributed Systems

Vladimir Groshev. COO, Project Coordinator.

Hawk: The Blockchain Model of Cryptography and Privacy-Preserving Smart Contracts. Yashar Dehkan Asl

Bitcoin (Part I) Ken Calvert Keeping Current Seminar 22 January Keeping Current 1

Introduction to Bitcoin I

Applied cryptography

Burstcoin Technical information about mining and block forging

A Perspective on Bitcoin and Blockchain

Introduction to Blockchain

I. Introduction. II. Security, Coinage and Attacks

Accelerating Blockchain Search of Full Nodes Using GPUs

ZILLIQA / ZILIKƏ/ NEXT GEN HIGH-THROUGHPUT BLOCKCHAIN PLATFORM DONG XINSHU, CEO JIA YAOQI, BLOCKCHAIN ZILLIQA.

Ethereum. Campbell R. Harvey* Duke University and NBER. Ashwin Ramachandran Duke University. Brent Xu ConsenSys. Innovation and Cryptoventures

Matt Howard and Ajay Patel CIS 556: Cryptography University of Pennsylvania Fall DriveCoin: A Proof of Space Cryptocurrency

Alternative Consensus Algorithms. Murat Osmanoglu

Biomedical and Healthcare Applications for Blockchain. Tiffany J. Callahan Computational Bioscience Program Hunter/Kahn Labs

The power of Blockchain: Smart Contracts. Foteini Baldimtsi

1 General Principles; Scope of Application

Viacoin Whitepaper. Viacoin Dev Team September 12, Abstract

Upgrading Bitcoin: Segregated Witness. Dr. Johnson Lau Bitcoin Core Contributor Co-author of Segregated Witness BIPs March-2016

Whitepaper Rcoin Global

Technical White Paper 1. Revision 1.2

BitBill: Scalable, Robust, Verifiable Peer-to-Peer Billing for Cloud Computing

Software Security. Final Exam Preparation. Be aware, there is no guarantee for the correctness of the answers!

GRADUBIQUE: AN ACADEMIC TRANSCRIPT DATABASE USING BLOCKCHAIN ARCHITECTURE

SpaceMint Overcoming Bitcoin s waste of energy

DEV. Deviant Coin, Innovative Anonymity. A PoS/Masternode cr yptocurrency developed with POS proof of stake.

Proof of Stake Made Simple with Casper

A Lightweight Blockchain Consensus Protocol

Darkcoin: Peer to Peer Crypto Currency with Anonymous Blockchain Transactions and an Improved Proof of Work System

Previous Name: D3. Fourth Estate. A secure, decentralized news data storing and sharing solution for journalists

The ZILLIQA Technical Whitepaper

Blockchain: Past, Present and Future

ICS 421 & ICS 690. Bitcoin & Blockchain. Assoc. Prof. Lipyeow Lim Information & Computer Sciences Department University of Hawai`i at Mānoa

Introduction to Cryptocurrency Ecosystem. By Raj Thimmiah

The security and insecurity of blockchains and smart contracts

EVALUATION OF PROOF OF WORK (POW) BLOCKCHAINS SECURITY NETWORK ON SELFISH MINING

BBc-1 : Beyond Blockchain One - An Architecture for Promise-Fixation Device in the Air -

CRUDE COINS.

Technical Analysis of Established Blockchain Systems

Distributed Ledger Technology & Fintech Applications. Hart Montgomery, NFIC 2017

Adapting Blockchain Technology for Scientific Computing. Wei Li

Adapting Blockchain Technology for Scientific Computing. Wei Li

DIGITAL ASSET RESEARCH

Using Chains for what They re Good For

Alternatives to Blockchains. Sarah Meiklejohn (University College London)

Yada. A blockchain-based social graph

Proof-of-Work & Bitcoin

Transcription:

SmartPool: practical decentralized pool mining Loi Luu, Yaron Velner, Jason Teutsch, and Prateek Saxena August 18, 2017

Mining pools

Miners role in cryptocurrencies Definition: A cryptocurrency is a decentralized network which maintains a permanent, public ledger. The ledger is called a blockchain. Bitcoin s blockchain contains financial transactions. Ethereum s blockchain contains stateful programs called smart contracts. Anonymous miners maintain the integrity of the blockchain in exchange for protocol-generated block rewards.

The mining process Miners race to solve a hard, computational problem. 1. The first miner who successfully solves this problem broadcasts his answer to the network. 2. The miner appends a block of new transactions to the blockchain and receives a block reward. 3. The race begins again on top of this new block. Block Problem: Let D 0 be some fixed difficulty. Find a nonce such that A block satisfying the above property is valid. Bitcoin block rewards as of August 2017 are 12.5 BTC ( 43,000 USD).

Pooled mining The probability of a given miner finding the next block is: New blocks occur, on average, every 10 minutes on Bitcoin and 15--20 seconds on Ethereum, but: an ASIC hardware may take years to mine a single block, and most miners prefer more steady income. Therefore miners join hands. Mining pools: share CPU power and rewards among miners, reduce reward variance, and add security through increased participation.

Measuring pool member contributions A valid share solves a Block Problem with relaxed difficulty (d >> D). Valid block hash(block, nonce, data) D Valid share hash(block, nonce, data) d Every valid block is a valid share. d/d fraction of valid shares are valid blocks. Pool (roughly) pays d/d block reward per share.

Mining network overview Network (Bitcoin, Ethereum) block Pool Pool operator solo miner solo miner share pool members Pool members must submit shares such that block rewards are payable to pool operator. solo miner

Centralization in Bitcoin and Ethereum 95% of Bitcoin s hash power lies in 10 pools. 80% of Ethereum s hash power lies in 6 pools. Bitcoin s mining power distribution Ethereum s mining power distribution (https://blockchain.info, 28 Jul 2017) (https://etherscan.io, 28 Jul 2017)

Censorship Centralized mining pool operators can: influence which transactions enter the blockchain, control Ethereum s gas limit, inflate gas prices, and collude with each other (e.g. selfish mining, 51% attack). F2Pool Allegedly Prevented Users From Investing in Status ICO

Other single points of failure Network partition vulnerability [Apostolaki, Zohar, Vanbever IEEE S&P 17] Geopolitical consolidation Pool members must trust their operator to pay fairly for shares Protocol upgrades (e.g. failure to activate Segwit)

Decentralized pool operators

Smart contracts users consensus via blockchain tokens smart contracts Storage data Code Diagram credit: Andrew Miller

Turning a smart contract into a pool operator Ethereum Blockchain Miner s Local environment getwork() submitshares GPU1 GPU2 Work responded Pool s Gateway Pool Smart Contract submitwork() User s address Reward sent when a block mined Miner uses the pool s address as the coinbase address in their blocks.

SmartPool properties Unique to SmartPool: Decentralized. No central point of failure. No censorship. Individual miners choose shares. Low cost. Miners pay only Ethereum transaction fees. Trustless, automatic payouts. Smart contracts eliminate social contracts. Preserved from traditional mining pools: Low variance. Miners choose share difficulty. Fair. All participants receive rewards in proportion to their contributions. Open. Anyone can join or leave at any time. Anonymous. Mining addresses are untraceable. Retrofitting. SmartPool works in Ethereum. No security deposits. Switch on a computer and start mining!

Protocol idea #1: substitution What s wrong with this picture? Number of submitted shares is large. Ethereum network cannot handle high transaction volume. Cost to verify a share on-chain may exceed share reward.

Protocol idea #2: reduce the number of shares P2Pool s sharechain takes the following approach: Adjust share difficulty so that shares occurs once every 30 seconds. This scales poorly: more miners implies greater payout variance. Other sharechain complications: High variance payouts (due to infrequent blocks) Many orphan shares (due to short block time) Poor security at small scale Need to check for redundant shares and incentivize block submission

Protocol idea #3: probabilistically sample shares SmartPool batch submission: 4 valid shares passed Sample one share! 2 invalid shares error detected Get 6 rewards with 4/6 probability Get 0 rewards with 2/6 probability 4 expected rewards Adding invalid shares to submission does not change expected rewards. Problem: What about duplicate shares? Solution: Force miners to sort their shares using augmented Merkle trees!

Augmented Merkle trees

Merkle trees 1 3 [1,hash(1,3), 3] 2 4 [2, hash(2,4), 4] hash(1, hash[hash(1,3), hash(2,4)], 4) Definition: In a Merkle tree, every child is the hash of its parents. Data at the root forces commitment at the leaves.

Augmented Merkle trees 1 3 [1,hash(1,3), 3] 2 4 [2, hash(2,4), 4] hash(1, hash[hash(1,3), hash(2,4)], 4) Definition: An augmented Merkle tree contains additional min and max values at each non-leaf node where min is the minimum of its parent s min (and similarly for max). The root witnesses a sorting error.

Sorted augmented Merkle trees 1 2 [1,hash(1,3), 2] 3 4 [3, hash(3,4), 4] hash(1, hash[hash(1,2), hash(3,4)], 4) Definition: An augmented Merkle tree is sorted if its leaves occur in strictly ascending order from left to right. In SmartPool, leaves are shares. Share batches are ordered by timestamp.

Submitting share batches in SmartPool 1 2 [1,hash(1,3), 2] 3 4 [3, hash(3,4), 4] hash(1, hash[hash(1,2), hash(3,4)], 4) Protocol steps: The Miner and Smart contract interact as follows: M S: Root of sorted, augmented Merkle tree (batch submission). S M: Request for a random leaf (containing a share). M S: Path to leaf.

Security analysis

Sorting error example Definition: An element x in an array is out of order if there exists a witness to the left which is greater than or equal to x, or there exists a witness to the right which is less than or equal to x. 1 3 2 4 5 5 Example: An array with 4 elements out of order.

Impact of sorting on deeper tree levels Proposition: For any augmented Merkle tree A, the following are equivalent: (i) A is sorted. (ii) For every node x A, the max of x s left parent is less than the min of x s right parent. Proof: (i) (ii): Induction on tree depth. (ii) (i): min(x) takes the minimum among all nodes above x. Definition: A node which satisfies (ii) is called valid. A path from a root to a leaf is valid if all its constituents are valid. A path which is not valid is invalid.

Counting sorting errors Theorem: Let A be an augmented Merkle tree. (i) If A is sorted, then all paths in A are valid (see previous slide). (ii) If A is not sorted, then every leaf which is out of order lies on an invalid path. Corollary: Every augmented Merkle tree has at least as many invalid paths as leaves out of order. In particular, there are at least as many invalid paths as there are duplicate values among the leaves. Sampling works :)

Attack strategies An adversary who deviates from intended claim submission behavior does not obtain greater rewards. Block withholding. Sampling two shares per submission suffices to deter rational miners (with < 50% power) from dropping blocks. Rearrangements. Permuting leaves does not increase expected profits. Bogus nodes. Falsifying nodes in the augmented Merkle tree submission does not provide an advantage. Repeating shares across submissions. Later submissions must have later timestamps.

Implementation

Verifying the unverifiable: Ethash Problem: Ethereum has a memory-hard proof-of-work puzzle. Each Ethash instance queries 64 random elements from a 1GB dataset. Smart contract storage costs 2,500,000 USD per GB (July 2017). 1 GB dataset changes every week. Infeasible to store dataset on-chain! Solution: Store the Merkle root of each (precomputable) 1 GB dataset in SmartPool s smart contract! Miners can verify the roots before joining the pool. Miner include a Merkle proof of the 64 element set in submissions.

Operating in Bitcoin Ethereum-based SmartPool protocol supports Bitcoin mining. Bitcoin coinbase transactions specify whom to pay block reward. SmartPool shares indicate coinbase payees. SmartPool maintains an ever-growing list of recent pairs: (accepted batch, payee Bitcoin address) Accepted SmartPool share must reference payees from recent pairs in its coinbase field. Recent pairs list updates periodically. SmartPool miners submit blocks directly to Bitcoin, and payees from recent pairs receive reward in Bitcoin.

SmartPool is LIVE! ETH mined: 86 blocks 2200 USD/day (June - July 2017) SmartPool operating cost: 0.6% fee (compared to 3% for F2Pool) Number of miners: 5 (not yet open to public) Hashrate: 30 GHs (200 mining rigs, 6 GPU each) Ethereum gas cost per submission: 2.6 million gas (gaslimit 6.7 million, Aug. 2017)

Project website: http://smartpool.io Interested in building Web 3.0? TrueBit is hiring! jt@truebit.io

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback