-
Three variations of Heads or Tails Game for Bitcoin
Authors:
Cyril Grunspan,
Ricardo Perez-Marco
Abstract:
We present three very simple variants of the classic Heads or Tails game using chips, each of which contributes to our understanding of the Bitcoin protocol. The first variant addresses the issue of temporary Bitcoin forks, which occur when two miners discover blocks simultaneously. We determine the threshold at which an honest but temporarily "Byzantine" miner persists in mining on their fork to save his orphaned blocks. The second variant of Heads or Tails game is biased in favor of the player and helps to explain why the difficulty adjustment formula is vulnerable to attacks of Nakamoto's consensus. We derive directly and in a simple way, without relying on a Markov decision solver as was the case until now, the threshold beyond which a miner without connectivity finds it advantageous to adopt a deviant mining strategy on Bitcoin. The third variant of Heads or Tails game is unbiased and demonstrates that this issue in the Difficulty Adjustment formula can be fully rectified. Our results are in agreement with the existing literature that we clarify both qualitatively and quantitatively using very simple models and scripts that are easy to implement.
Submitted 7 May, 2024;
originally announced May 2024.
-
Proof of reserves and non-double spends for Chaumian Mints
Authors:
Cyril Grunspan,
Ricardo Perez-Marco
Abstract:
E-cash was invented in 1982 by David Chaum as an anonymous cryptographic electronic cash system based on blind signatures. It is not a decentralized form of money as Bitcoin. It requires trust on the server or Mint issuing the e-cash tokens and validating the transactions for preventing double spends. Moreover, the users also need to trust the Mint to not debase the value of e-cash tokens by Minting an uncontrolled number. In particular, this is critical for e-cash tokens representing a note of another asset as a currency, or bitcoin, or another cryptocurrency. Thus it would be suitable to implement a public auditing system providing a proof of reserves that ensures that the Mint is not engaging into a fractional reserve system. In this article we describe how to implement a proof of reserves system for Chaumian Mints. The protocol also provides a proof of non-double spends.
Submitted 23 June, 2023; v1 submitted 22 June, 2023;
originally announced June 2023.
-
Proof of Reputation
Authors:
Cyril Grunspan,
Ricardo Perez-Marco
Abstract:
We present the new mining protocol Proof-of-Reputation (PoR) for decentralized Proof-of-Work (PoW) blockchains, in particular for Bitcoin. PoR combines the classical PoW with the new ingredient of cryptographic reputation. The same level of security compared to pure PoW can be achieved with a significant energy consumption reduction (of the order of 30%) for the same security level. The proper implementation of a decentralized reputation protocol is suitable with an extra layer of mining security: Certified Mining.
Submitted 14 February, 2023;
originally announced February 2023.
-
Ping-Pong Swaps
Authors:
Cyril Grunspan,
Ricardo Perez-Marco
Abstract:
We propose Ping-Pong Swaps: A secure pure peer-to-peer crosschain swap mechanism of tokens or cryptocurrencies that does not require escrow nor an intermediate trusted third party. The only technical requirement is to be able to open unidirectional payment channels in both blockchain protocols. This allows anonymous cryptocurrency trading without the need of a centralized exchange, nor DEX's in DeFi platforms, nor multisignature escrow systems with penalties. Direct peer-to-peer crosschain swaps can be performed without a bridge platform. This enables the creation of non-custodial exchanges and also a global peer-to-peer market of pairs of tokens or cryptocurrencies. Ping-pong swaps with fiat currency is possible if banks incorporate simple payment channel functionalities. Some immediate applications are simple and fast rebalancing of Lightning Network channels, and wrapping tokens in smartchains.
Submitted 9 January, 2023; v1 submitted 23 November, 2022;
originally announced November 2022.
-
Block withholding resilience
Authors:
Cyril Grunspan,
Ricardo Perez-Marco
Abstract:
It has been known for some time that the Nakamoto consensus as implemented in the Bitcoin protocol is not totally aligned with the individual interests of the participants. More precisely, it has been shown that block withholding mining strategies can exploit the difficulty adjustment algorithm of the protocol and obtain an unfair advantage. However, we show that a modification of the difficulty adjustment formula taking into account orphan blocks makes honest mining the only optimal strategy. Surprisingly, this is still true when orphan blocks are rewarded with an amount smaller to the official block reward. This gives an incentive to signal orphan blocks. The results are independent of the connectivity of the attacker.
Submitted 14 November, 2022;
originally announced November 2022.
-
Profit lag and alternate network mining
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
For a mining strategy we define the notion of "profit lag" as the minimum time it takes to be profitable after that moment. We compute closed forms for the profit lag and the revenue ratio for the strategies "selfish mining" and "intermittent selfish mining". This confirms some earlier numerical simulations and clarifies misunderstandings on profitability in the literature. We also study mining pairs of PoW cryptocurrencies, often coming from a fork, with the same mining algorithm. This represents a vector of attack that can be exploited using the "alternate network mining" strategy that we define. We compute closed forms for the profit lag and the revenue ratio for this strategy that is more profitable than selfish mining and intermittent selfish mining. It is also harder to counter since it does not rely on a flaw in the difficulty adjustment formula that is the reason for profitability of the other strategies.
Submitted 6 October, 2020;
originally announced October 2020.
-
The mathematics of Bitcoin
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We survey recent results on the mathematical stability of Bitcoin protocol. Profitability and probability of a double spend are estimated in closed form with classical special functions. The stability of Bitcoin mining rules is analyzed and several theorems are proved using martingale and combinatorics techniques. In particular, the empirical observation of the stability of the Bitcoin protocol is proved.
This survey article on the mathematics of Bitcoin is published by the Newsletter of the European Mathematical Society, vol.115, 2020, p.31-37. Continuation of arXiv:1601.05254 (EMS Newsletter, 100, 2016 p.32).
Submitted 2 March, 2020;
originally announced March 2020.
-
Ant Routing scalability for the Lightning Network
Authors:
Cyril Grunspan,
Gabriel Lehéricy,
Ricardo Pérez-Marco
Abstract:
The ambition of the Lightning Network is to provide a second layer to the Bitcoin network to enable transactions confirmed instantly, securely and anonymously with a world scale capacity using a decentralized protocol. Some of the current propositions and implementations present some difficulties in anonymity, scaling and decentralization. The Ant Routing algorithm for the Lightning Network was proposed in \cite{GrunspanPerez} for maximal decentralization, anonymity and potential scaling. It solves several problems of current implementation, such as channel information update and centralization by beacon nodes. Ant Routing nodes play all the same role and don't require any extra information on the network topology beside for their immediate neighbors. The goal of LN transactions are completed instantaneously and anonymously. We study the scaling of the Ant Routing protocol. We propose a precise implementation, with efficient memory management using AVL trees. We evaluate the efficiency of the algorithm and we estimate the memory usage of nodes by local node workload simulations. We prove that the number of transactions per second that Ant Routing can sustain is of the order of several thousands which is enough for a global payment network.
Submitted 4 February, 2020;
originally announced February 2020.
-
On Profitability of Nakamoto double spend
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
Nakamoto double spend strategy, described in Bitcoin foundational article, leads to total ruin with positive probability and does not make sense from the profitability point of view. The simplest strategy that can be profitable incorporates a stopping threshold when success is unlikely. We solve and compute the exact profitability for this strategy. We compute the minimal amount of the double spend that is profitable. For a given amount of the transaction, we determine the minimal number of confirmations to be requested by the recipient such that this double spend strategy is non-profitable. We find that this number of confirmations is only 1 or 2 for average transactions and a small hashrate of the attacker. This is substantially lower than the original Nakamoto numbers that are widely used and are only based on the success probability instead of the profitability.
Submitted 12 December, 2019;
originally announced December 2019.
-
Selfish Mining in Ethereum
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We study selfish mining in Ethereum. The problem is combinatorially more complex than in Bitcoin because of major differences in the reward system and a different difficulty adjustment formula. Equivalent strategies in Bitcoin do have different profitabilities in Ethereum. The attacker can either broadcast his fork one block by one, or keep them secret as long as possible and publish them all at once at the end of an attack cycle. The first strategy is damaging for substantial hashrates, and we show that the second strategy is even worse. This confirms what we already proved for Bitcoin: Selfish mining is most of all an attack on the difficulty adjustment formula. We show that the current reward for signaling uncle blocks is a weak incentive for the attacker to signal blocks. We compute the profitabilities of different strategies and find out that for a large parameter space values, strategies that do not signal blocks are the best ones. We compute closed-form formulas for the apparent hashrates for these strategies and compare them. We use a direct combinatorics analysis with Dyck words to find these closed-form formulas.
Submitted 30 April, 2019;
originally announced April 2019.
-
Selfish Mining and Dyck Words in Bitcoin and Ethereum Networks
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
The main goal of this article is to present a direct approach for the formula giving the long-term apparent hashrates of Selfish Mining strategies using only elementary probabilities and combinatorics, more precisely, Dyck words. We can avoid computing stationary probabilities on Markov chain, nor stopping times for Poisson processes as in previous analysis. We do apply these techniques to other block withholding strategies in Bitcoin, and then, we consider also selfish mining in Ethereum.
Submitted 11 April, 2019;
originally announced April 2019.
-
Bitcoin Selfish Mining and Dyck Words
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We give a straightforward proof for the formula giving the long-term apparent hashrate of the Selfish Mining strategy in Bitcoin using only elementary probabilities and combinatorics, and more precisely, Dyck words. There is no need to compute stationary probabilities on Markov chain nor stopping times for Poisson processes as it was previously done. We consider also several other block withholding strategies.
Submitted 4 February, 2019;
originally announced February 2019.
-
On Profitability of Trailing Mining
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We compute the revenue ratio of the Trail Stubborn mining strategy in the Bitcoin network and compare its profitability to other block-withholding strategies. We use for this martingale techniques and a classical analysis of the hiker problem. In this strategy the attacker could find himself mining in a shorter fork, but we prove that for some parameter values it is still profitable to not give up. This confirms previous numerical studies.
Submitted 22 November, 2018;
originally announced November 2018.
-
On profitability of stubborn mining
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We compute and compare profitabilities of stubborn mining strategies that are variations of selfish mining. These are deviant mining strategies violating Bitcoin's network protocol rules. We apply the foundational set-up from our previous companion article on the profitability of selfish mining, and the new martingale techniques to get a closed-form computation for the revenue ratio, which is the correct benchmark for profitability. Catalan numbers and Catalan distributions appear in the closed-form computations. This marks the first appearance of Catalan numbers in the Mathematics of the Bitcoin protocol.
Submitted 2 August, 2018;
originally announced August 2018.
-
Ant routing algorithm for the Lightning Network
Authors:
C. Grunspan,
R. Pérez-Marco
Abstract:
We propose a decentralized routing algorithm that can be implemented in Bitcoin Lightning Network. All nodes in the network contribute equally to path searching. The algorithm is inspired from ant path searching algorithms.
Submitted 11 August, 2018; v1 submitted 30 June, 2018;
originally announced July 2018.
-
On profitability of selfish mining
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We review the so called selfish mining strategy in the Bitcoin network and compare its profitability to honest mining. We build a rigorous profitability model for repetition games. The time analysis of the attack has been ignored in the previous literature based on a Markov model, but is critical. Using martingale's techniques and Doob Stopping Time Theorem we compute the expected duration of attack cycles. We discover a remarkable property of the bitcoin network: no strategy is more profitable than the honest strategy before a difficulty adjustment. So selfish mining can only become profitable afterwards, thus it is an attack on the difficulty adjustment algorithm. We propose an improvement of Bitcoin protocol making it immune to selfish mining attacks. We also study miner's attraction to selfish mining pools. We calculate the expected duration time before profit for the selfish miner, a computation that is out of reach by the previous Markov models.
Submitted 22 January, 2019; v1 submitted 16 May, 2018;
originally announced May 2018.
-
Satoshi Risk Tables
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We present Bitcoin Security Tables computing the probability of success p(z,q,t) of a double spend attack by an attacker controlling a share q of the hashrate after z confirmations in time t.
Submitted 16 February, 2017; v1 submitted 14 February, 2017;
originally announced February 2017.
-
Double spend races
Authors:
Cyril Grunspan,
Ricardo Pérez-Marco
Abstract:
We correct the double spend race analysis given in Nakamoto's foundational Bitcoin article and give a closed-form formula for the probability of success of a double spend attack using the Regularized Incomplete Beta Function. We give a proof of the exponential decay on the number of confirmations, often cited in the literature, and find an asymptotic formula. Larger number of confirmations are necessary compared to those given by Nakamoto. We also compute the probability conditional to the known validation time of the blocks. This provides a finer risk analysis than the classical one.
Submitted 6 May, 2020; v1 submitted 5 February, 2017;
originally announced February 2017.