Hi all,
Recently Yonatan Sompolinsky and Aviv Zohar have published an important paper in which they suggest a protocol change for Bitcoin, named GHOST: Greedy Heaviest Observed Sub-Tree. Basically the paper shows that the mining rate (or equivalently, the expected interval between consecutive blocks in the chain, which is 10 minutes in Bitcoin) can be much accelerated without compromising the security of the system, by simply accepting the blocks that form the heaviest sub-tree instead of always accepting those who form the longest/heaviest chain. Here is a link to the paper:
http://www.cs.huji.ac.il/~avivz/pubs/13/btc_scalability_full.pdf.
On this thread I would like to propose a different implementation for GHOST than the one described in the paper. My proposal arguably solves a major potential weakness of GHOST that is decently noted in the paper, as well as two other known weaknesses of Bitcoin which are magnified by GHOST: vulnerability to
Block Discarding Attacks (like "selfish mining"), and the expected mining
tragedy of the commons that might cause the honest hash-power to decrease in case the fees won't be able to compensate the decreased basic block rewards.
Basically, although the accelerated mining rate doesn’t (directly) increase the vulnerability to 50% hash-power attacks when using GHOST, it does theoretically increase the decentralization of the system: as there are more forks to the chain, the probability of a miner to get an eventually confirmed block within a certain period of time, is the probability of succeeding to form a valid block within that period, times the probability of a valid block to get eventually confirmed. The first probability is linear as a function of the miner's computational power, while the second isn’t constant as it depends upon the miner's network connectivity.
Thus, 1000 small miners are expected to collectively gain less confirmed blocks than one strong miner with the same total hash-power, simply because the strong miner would be faster informed of any new mined block and faster propagate her/his blocks, in order to improve her/his blocks confirmation probability. Moreover, since Block Discarding Attacks can be much amplified by
network superiority (meaning, the connectivity advantage of the attacker over the average miner), the accelerated mining rate might increases the system vulnerability to those attacks.
I therefore propose to reward (almost) all orphan blocks just a bit less than the confirmed block's reward. In order to do so I suggest having a mandatory tax on transactions, founding the "Bitcoin security reserve" account. Both confirmed and orphaned blocks get rewarded by the security reserve, while miners of the confirmed blocks may collect fees in addition. Since block mining is accelerated, each block contains less transaction, so the income from fees is supposedly negligible compared to the reward.
The specific proposed implementation goes as follows:
Mining rate6 seconds per (confirmed) block, at least. Difficulty is smoothly adjusted according to the formula
Dif_n+1 = dif_n * ( 1 + (time_n – time_n-1) / two weeks - (6 seconds / two weeks) ) where
dif_k and
time_k are correspondingly the difficulty and the timestamp of the k-th block.
Mandatory security taxThe tax on transaction transferring X Bitcoins is
\alpha + x*\beta, meaning a constant minimal tax plus a very small percentage of the transaction.
\alpha and
\beta should be chosen such that the expected total taxes sum within 10 minutes is about 25
BTC, or some other security parameter.
Blocks rewardingWith respect to a certain chain, we say a block is of 0-degree if it is a member of the chain; of 1-degree if its parent is a member of the chain, of 2-degree if its parent's parent is a member of the chain, etc. I suggest rewarding the 0-3 degree blocks with 100%, 90%, 75% and 50% (correspondingly) of the average reward of a confirmed block. Blocks of degree 4 or more should not be rewarded at all.
Inspired by the fork-punishment mechanism of
http://eprint.iacr.org/2013/868.pdf, block headers of 1-3 degree blocks will be included, using a special syntax, within confirmed blocks. Block headers should be changed to include their miners' addresses, and a (confirmed) block is extra rewarded with 1% of the average reward for any valid block header it includes. An orphaned block header might be included only within the 10 consecutive blocks following its 0-degree ancestor.
The average (basic) reward for confirmed blocks is smoothly adjusted as follows: The 100% reward of the k-th block is given by
((Bitcoin security reserve at time_k) / ratio_k )* ((6 seconds) / 4 months) Where
ratio_k, which is the average ratio between the block-chain growth rate and the block-tree growth rate, is recursively calculated by
ratio_n+1 = (1 – (6 seconds / two weeks)) * ratio_n + (6 seconds / two weeks) * q_n Where
q_n is the total percentages of the average confirmed block reward that is rewarded on time
time_n (say 100% + 90% + 50%, in case the n-th blocks contains headers of a single 1-degree block and a single 3-degree block).
Protected GHOSTExtending the current chain is done according to regular GHOST, meaning that the next chosen block is the one having the heaviest known subtree out of all the blocks that are mined on top of the current last block of the chain.
As for replacing a chain-block by an off-chain block that forms heavier subtree, I suggest a slight modification named "Protected GHOST": in calculating the size of a subtree, we shall ignore all blocks that were received suspiciously later than one could have expected. Specifically, when considering a competitive chain that is allegedly heavier, we ignore all off-chain blocks whose headers are not included within blocks of the competitive chain unless their (on-chain) predecessor has been mined during the last hour, or some other security parameter.
And that's it. Quite simple, huh?
Advantages and disadvantages:The tragedy of the commons problem is solved as the total honest network is rewarded about 25BTC per 10 minutes, as it is now. Assuming the market is competitive, the total honest investment in hash-power is just a bit less than 25
BTC per 10 minutes, so the 50% attacker should be *very* rich in order to succeeds.
Smaller miners, whose probability of their valid blocks get eventually confirmed is smaller, will be rewarded just a bit less than the strong miners per a hash-power unite, Thus the network is not about to become more centralized.
The Block Discarding Attack / "Selfish Mining" is conceptually based on artificially forking the chain in order to get higher portion of the block-chain than the attacker's portion of total hash-power (which is equivalent to the attacker's portion of the block-tree). As we reward (almost) all blocks of the tree and not only those of 0-degree, this kind of attacks becomes much harder and less profitable.
We maintain a strong incentive to mine on top of the "right" chain, despite rewarding blocks that are off-chain, as their reward is slightly reduced. Moreover, we provide a strong incentive for miners to report other off-chain blocks by extra rewarding them for doing so. This is helpful not only for rewarding the 1-3 degree blocks, but also for providing the necessary information needed to choose the "right" chain.
The main disadvantage of my proposal is the mandatory tax, which in a sense contradicts the libertarian spirit of Bitcoin. Yet I believe there is no such a thing as ideal currency, and in particular, for security you have to pay. This payment might be explicit as in my proposal, or implicit as currently it is in Bitcoin (the inflation caused by the 25
BTC rewards per block form an implicit tax), but it must somehow exist - or else we shall all suffer lower security because somebody isn’t willing to pay his/her share.
Lear.
P.S. let me just
link my
paper few more times, in case someone have somehow missed it:
http://eprint.iacr.org/2013/868.pdf.
