From blockchain consensus back to Byzantine consensus

https://doi.org/10.1016/j.future.2017.09.023

Highlights

  • We compare the different consensus problems tackled by blockchains, the distributed computing literature and a more recent definition.

  • We propose a formalization of Bitcoin and Ethereum consensus algorithms.

  • We warn about the dangers of using these blockchains without understanding precisely the guarantees their consensus offers.

  • We present a survey of attacks against proof-of-work blockchain systems.

Abstract

Consensus is a fundamental problem of distributed computing. While this problem has been known to be unsolvable since 1985, existing protocols were designed these past three decades to solve consensus under various assumptions. Today, with the recent advent of blockchains, various consensus implementations were proposed to make replicas reach an agreement on the order of transactions updating what is often referred to as a distributed ledger. Very little work has however been devoted to explore its theoretical ramifications. As a result existing proposals are sometimes misunderstood and it is often unclear whether the problems arising during their executions are due to implementation bugs or more fundamental design issues.

In this paper, we discuss the mainstream blockchain consensus algorithms and how the classic Byzantine consensus can be revisited for the blockchain context. In particular, we discuss proof-of-work consensus and illustrate the differences between the Bitcoin and the Ethereum proof-of-work consensus algorithms. Based on these definitions, we warn about the dangers of using these blockchains without understanding precisely the guarantees their consensus algorithm offers. In particular, we survey attacks against the Bitcoin and the Ethereum consensus algorithms. We finally discuss the advantage of the recent Blockchain Byzantine consensus definition over previous definitions, and the promises offered by emerging consistent blockchains.

Introduction

The blockchain technology [1] promises to radically transform the way individuals and companies exchange digital assets and securely track ownership of these assets without the control of a central authority. At its heart lies a distributed ledger that is consistent with high probability when particular assumptions are fulfilled. In particular, the distributed set of participants guarantees its consistency despite potentially malicious participants that behave arbitrarily, also called Byzantine failures [2].

The novelty of blockchain is a genuine combination of well-known research results taken from distributed computing, cryptography and game theory. Its distributed nature guarantees the persistence of the ledger data. Its public key crypto-system offers the capabilities for a user to sign transactions that transfer assets from her account to other accounts. Its incentive mechanisms guarantee that a subset of participants maintain the validity of the transactions. And finally, a Byzantine tolerant consensus protocol aims at guaranteeing the integrity of the ledgers by defining a total order on newly appended blocks of transactions.

Put into the blockchain context, the consensus problem is for the non-faulty or correct processes of a distributed system to agree on one block of transactions at a given index of a chain of blocks. This consensus problem can be stated along three properties: (i) agreement: no two correct processes decide different blocks; (ii) validity: the decided block is a block that was proposed by one process; (iii) termination: all correct processes eventually decide. A protocol solving the consensus problem is necessary to guarantee that blocks are totally ordered, hence preventing concurrently appended blocks from containing conflicting transactions.
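The three properties above can be checked mechanically over a recorded execution. The following Python sketch is an added example, not code from the paper: the trace format (a decided chain per process, the blocks proposed at each index, a set of processes assumed Byzantine) and all names are assumptions, and termination is checked only up to the end of the finite trace.

```python
from typing import Dict, List, Optional, Set, Tuple

def check_index(index: int, chains: Dict[str, List[str]],
                proposed: Dict[int, Set[str]], faulty: Set[str]) -> Dict[str, bool]:
    """Evaluate agreement, validity and termination at one chain index."""
    # Only correct (non-faulty) processes are constrained by the definition.
    correct = {p: c for p, c in chains.items() if p not in faulty}
    # A process has decided at `index` once its chain reaches that height.
    decided = {p: c[index] for p, c in correct.items() if index < len(c)}
    blocks = set(decided.values())
    return {
        # (i) no two correct processes decide different blocks
        "agreement": len(blocks) <= 1,
        # (ii) every decided block was proposed by some process at this index
        "validity": blocks <= proposed.get(index, set()),
        # (iii) every correct process has decided by the end of the trace
        "termination": len(decided) == len(correct),
    }

def first_violation(chains: Dict[str, List[str]], proposed: Dict[int, Set[str]],
                    faulty: Set[str], height: int) -> Optional[Tuple[int, List[str]]]:
    """Return (index, violated properties) for the lowest bad index, else None."""
    for i in range(height):
        result = check_index(i, chains, proposed, faulty)
        failed = [name for name, ok in result.items() if not ok]
        if failed:
            return i, failed
    return None

# Constructed trace: two blocks are proposed at index 2 and the correct
# processes split between them (a fork); p4 is assumed Byzantine.
PROPOSED = {0: {"g"}, 1: {"a1"}, 2: {"a2", "b2"}}
FORKED = {
    "p1": ["g", "a1", "a2"],
    "p2": ["g", "a1", "a2"],
    "p3": ["g", "a1", "b2"],
    "p4": ["g", "x1"],        # arbitrary behaviour, ignored by the checks
}
FAULTY = {"p4"}

if __name__ == "__main__":
    print(first_violation(FORKED, PROPOSED, FAULTY, height=3))
```

In the constructed trace both blocks at index 2 were validly proposed, so validity holds while agreement fails, which is the fork situation the paper's later sections analyse.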

Today, with the recent advent of blockchains, various consensus implementations were proposed to make replicas reach an agreement on the order of blocks of transactions updating the distributed ledger. However, consensus has been known to be unsolvable since 1985. While existing protocols were designed these past three decades to solve consensus under various assumptions, it remains unclear what guarantees blockchain consensus algorithms offer and what conditions are necessary for these guarantees to be satisfied. While the source code of most blockchain protocols is publicly available, the theoretical ramifications of the blockchain abstraction are rather informal. As main blockchain systems, like Bitcoin [1] and Ethereum [3], are now used to trade millions of US$ every day, it has become crucial to precisely identify their theoretical ramifications to anticipate the situations where large volumes of assets could be lost.

In this paper, we illustrate the danger of using proof-of-work blockchains without understanding precisely their guarantees by listing vulnerabilities that affect the predominant proof-of-work blockchain systems, namely Bitcoin and Ethereum. To this end, we describe the consensus algorithms at the heart of these two blockchain systems. We also relate these consensus algorithms to decades of research on the topic of distributed computing. More precisely, we identify situations where proof-of-work blockchain consensus is violated by: (i) presenting a survey of existing attacks against the Bitcoin consensus protocol and (ii) showing how Ethereum, which copes with some of these attacks, may suffer from recent attacks, namely the blockchain anomaly [4] and the balance attack [5]. We elaborate on the risks for users of misconfiguring proof-of-work blockchain systems when deploying them as private and consortium blockchains, and on our own experience with the settings of the R3 Ethereum testbed. The fact that both main proof-of-work blockchains are vulnerable allows us to conclude that more research is necessary to design safe consensus algorithms suited for blockchains.

The rest of the paper is organized as follows. Section 2 presents the general blockchain model. Section 3 introduces the classic Byzantine consensus problem and the probabilistic variant of it. Section 4 specifies the differences of the consensus algorithms used in Bitcoin and Ethereum. Section 5 describes the attacks against Bitcoin and two recent attacks against the Ethereum consensus algorithm. Section 6 redefines the Byzantine consensus in the light of the blockchain context. Section 7 discusses the consortium model and recent reliable consensus proposals. Section 8 concludes.

Section snippets

The general proof-of-work blockchain model

In this section we model a simple distributed system as a communication graph that implements a blockchain abstraction as a directed acyclic graph. We propose a high-level pseudocode representation of proof-of-work blockchain protocols in this model.

The consensus problem for the general model

Blockchain systems resemble replicated state machines [10] and aim at solving the consensus problem, so that for a given index all correct processes agree on a unique block of transactions at this index. Note that nodes may propose different blocks at the same index because remote miners solve cryptopuzzles in the time it takes to exchange their new resulting block; this is generally observed as a fork, as we will explain in Section 4.2. The classic definition of consensus in the Byzantine

Main blockchain consensus algorithms

In this section we build upon Algorithm 1 to explore the differences and similarities of the consensus algorithms of Bitcoin and Ethereum, which are today’s predominant blockchain systems.

How proof-of-work blockchains can be unsafe

As a drawback of randomized consensus with deterministic termination, the safety properties of main blockchain systems can be violated. Research efforts were devoted to understanding the impact of network delays and mining power distribution on the probability of agreement violations in Bitcoin and Ethereum, leading potentially to double spending, a formalization of which can be found in [27], [28], respectively. Building upon the tradeoff between termination and agreement mentioned in Section 3.3,

Defining the Blockchain Byzantine consensus

Perhaps the main reason why large-scale blockchain systems suffer from such inconsistencies is that the existing consistent consensus solutions are inefficient due to the restrictive problem that they solve. In particular, safe blockchains typically use off-the-shelf algorithms (e.g., PBFT, BFTSmart) that solve the classic Byzantine consensus (Definition 1) as a blackbox. This typically prevents them from scaling to tens of nodes.

In the light of this limitation, we revisited the Byzantine

Refining the blockchain model for consortiums

As we discussed previously, the risk of safety violation of main blockchain systems stems from the impossibility of solving consensus deterministically in the general case, which also applies to the more general Blockchain Byzantine consensus (Definition 4). There are however solutions that consist of restricting the model by listing additional assumptions under which an alternative blockchain system could be made both safe and live. The consortium model is getting traction for allowing a

Conclusion

While the blockchain technology is reshaping ownership tracking through distributed ledgers, it remains difficult for blockchain users to understand the guarantees this technology has to offer. This paper describes the causes of this difficulty in mainstream proof-of-work blockchain systems, namely Bitcoin and Ethereum. One cause is the probabilistic nature of its consensus algorithms: although it appears that one should wait longer to increase the probability of agreement in case of network

Vincent Gramoli is an academic at the University of Sydney and a senior researcher at Data61-CSIRO, Australia. Prior to this, he was affiliated with INRIA, University of Connecticut, Cornell University, University of Neuchâtel and EPFL, and received his Ph.D. from Université de Rennes and his Habilitation from UPMC Sorbonne University.

References (47)

  • S. Nakamoto, Bitcoin: A peer-to-peer electronic cash system, 2008. URL...
  • L. Lamport et al., The Byzantine Generals Problem, ACM Trans. Program. Lang. Syst. (1982)
  • G. Wood, ETHEREUM: A secure decentralised generalised transaction ledger, Yellow paper,...
  • C. Natoli, V. Gramoli, The blockchain anomaly, in: Proceedings of the 15th IEEE International Symposium on Network...
  • C. Natoli, V. Gramoli, The Balance Attack Against Proof-Of-Work Blockchains: The R3 Testbed as an Example, Tech. Rep....
  • A. Back, Hashcash - A denial of service counter-measure, Tech. rep., Cypherspace, 2002. URL...
  • M. Castro et al., Practical byzantine fault tolerance and proactive recovery, ACM Trans. Comput. Syst. (2002)
  • K. Croman, C. Decker, I. Eyal, A.E. Gencer, A. Juels, A. Kosba, A. Miller, P. Saxena, E. Shi, E.G. Sirer, D. Song, R....
  • M. Vukolić, The quest for scalable blockchain fabric: Proof-of-work vs. BFT replication, in: Proceedings of the IFIP WG...
  • X. Xu, C. Pautasso, L. Zhu, V. Gramoli, A. Ponomarev, A.B. Tran, S. Chen, The blockchain as a software connector, in:...
  • M.J. Fischer et al., Impossibility of distributed consensus with one faulty process, J. ACM (1985)
  • M.O. Rabin, Randomized byzantine generals, in: Proceedings of the 24th Annual Symposium on Foundations of Computer...
  • J. Aspnes, Randomized protocols for asynchronous consensus, Distrib. Comput. (2003)
  • M. Ben-Or, Another advantage of free choice (extended abstract): Completely asynchronous agreement protocols
  • C. Cachin, K. Kursawe, F. Petzold, V. Shoup, Secure and efficient asynchronous broadcast protocols, in: Proc. 21st...
  • A. Mostéfaoui et al., Signature-free asynchronous binary Byzantine consensus with t < n/3, O(n^2) messages, and O(1) expected time, J. ACM (2015)
  • A. Miller, Y. Xia, K. Croman, E. Shi, D. Song, The honey badger of BFT protocols, in: Proc. of the 2016 ACM SIGSAC...
  • V. Gramoli, On the danger of private blockchains, in: Workshop on Distributed Cryptocurrencies and Consensus Ledgers,...
  • I. Weber et al., On availability for blockchain-based systems
  • I. Eyal, A.E. Gencer, E.G. Sirer, R. van Renesse, Bitcoin-NG: A scalable blockchain protocol, in: 13th USENIX Symposium...
  • I. Bentov, R. Pass, E. Shi, Snow White: Provably Secure Proofs of Stake, Tech. Rep. 919, IACR Cryptology ePrint Archive...
  • J.A. Garay, A. Kiayias, N. Leonardos, The Bitcoin backbone protocol: Analysis and applications, in: Proceedings of the...
  • J. Aspnes, Faster randomized consensus with an oblivious adversary, in: ACM Symposium on Principles of Distributed...