
Author: Jameson Lopp
Translation & Proofreading: Min Min & A Jian
Controversy often arises when people discuss the consensus mechanisms of different cryptocurrencies, mainly because the security model these cryptocurrencies use to protect the ledger's historical data is poorly understood (and poorly defined). While all consensus models are designed to protect against various theoretical attacks, it is important to understand what each model is meant to achieve.
A security model can be divided into two parts: assumptions and guarantees. If the assumptions used as inputs hold, the guarantees the model produces as outputs should also hold.
Let’s explore in depth the security model Bitcoin provides for its full node operators.
Seek the truth
“Minimizing the need for trust between users is one of Bitcoin’s strengths. I personally even think this is Bitcoin’s biggest strength.” — Pieter Wuille
Distributed ledgers are designed to provide an ordered record of events, because in a distributed system you cannot simply trust timestamps.
When new participants first join a blockchain network, they will download all available blocks starting from the genesis block hard-coded in the software, and then verify the validity of the entire blockchain.
One of the most important assumptions of the Bitcoin security model is that the vast majority of miners are honest—they are working hard to keep the blockchain secure, not trying to break it. In fact, throughout the development history of Bitcoin, thanks to the effective miner incentive mechanism, this assumption has not been broken so far, although some people have doubted whether it can be maintained for a long time.
With this assumption as a premise, full-node operators can be sure that:
No one but miners can issue additional bitcoins, and the supply of bitcoins will increase strictly according to the issuance schedule.
The corresponding bitcoins cannot be spent without the private key.
No one can spend the same bitcoin twice.
Under the strong guarantee of the Bitcoin blockchain, full-node operators can also be sure of the following two points:
Any Bitcoin block is created within approximately two hours of its timestamp.
What they are syncing is the "real" blockchain history.
Technically speaking, Bitcoin blocks go through a lot of checks:
All blocks obey consensus rules:
Each block is connected to its parent block
Every block meets the target difficulty value and carries sufficient proof of work
The block timestamp falls within the allowed time window relative to the most recent blocks
The Merkle root matches the transactions recorded in the block
The block size does not exceed the upper limit
The first (and only the first) transaction of each block is a coinbase transaction
Coinbase output does not exceed the block reward
The signature operations contained in the block do not exceed the permitted limit
All transactions obey the consensus rules:
Both input and output values are reasonable
Transactions only spend outputs that have not yet been spent
All inputs to be spent have valid signatures
A coinbase output cannot be spent until 100 blocks after the coinbase transaction was created
When a transaction is still in the block confirmation window, its output cannot be spent
For reasons of space, the remaining rules are not listed here.
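Three of the block checks listed above (parent link, proof of work, Merkle root) can be shown on a small constructed chain. This is an added example, not code from the article or from Bitcoin Core; the transactions are placeholder byte strings, the difficulty (EASY_BITS) is a constructed low value, and the function names are hypothetical.

```python
import hashlib
import struct

HEADER = "<I32s32sIII"   # version, prev hash, merkle root, time, nBits, nonce (80 bytes)
EASY_BITS = 0x1F00FFFF   # constructed low difficulty so the sample blocks mine quickly

def dsha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_root(txs):
    """Bitcoin-style Merkle root; the last hash is paired with itself on odd levels."""
    level = [dsha256(tx) for tx in txs]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def bits_to_target(bits):
    """Expand the compact nBits field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    return mantissa << (8 * (exponent - 3)) if exponent >= 3 else mantissa >> (8 * (3 - exponent))

def meets_target(header):
    bits = struct.unpack(HEADER, header)[4]
    return int.from_bytes(dsha256(header), "little") <= bits_to_target(bits)

def mine(prev_hash, txs, timestamp, bits=EASY_BITS):
    """Build a constructed sample header, grinding the nonce until the target is met."""
    root = merkle_root(txs)
    for nonce in range(2**32):
        header = struct.pack(HEADER, 1, prev_hash, root, timestamp, bits, nonce)
        if meets_target(header):
            return header
    raise RuntimeError("nonce space exhausted")

def check_block(header, txs, expected_prev):
    """Return the names of the failed checks; an empty list means all three passed."""
    prev, root = struct.unpack(HEADER, header)[1:3]
    checks = [("parent link", prev == expected_prev),
              ("proof of work", meets_target(header)),
              ("merkle root", root == merkle_root(txs))]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    genesis = mine(b"\x00" * 32, [b"coinbase-0"], 1)
    block1 = mine(dsha256(genesis), [b"coinbase-1", b"alice pays bob"], 2)
    print(check_block(block1, [b"coinbase-1", b"alice pays bob"], dsha256(genesis)))
    print(check_block(block1, [b"coinbase-1", b"alice pays eve"], dsha256(genesis)))
```

Altering a transaction breaks the Merkle check. Patching the new root into the header changes the header hash, so the proof of work (and every child's parent link) has to be redone.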
Thermodynamic security
As long as no attacker has more than 50% of the computing power of the entire network, and honest nodes can communicate quickly, the probability of transaction rollback will decrease exponentially with the number of transaction confirmations. Other types of attacks (for example, selfish mining) do not have such high energy requirements, but are difficult to implement.
[Image. Source: http://bitcoin.sipa.be]
Let's calculate the cost of a 51% attack:
The power consumption of an Antminer S9 is 0.1 J/GH (10^9 hash).
10^26 hash * 0.1 J / 10^9 hash = 10^15 J
10^15 J = 2,777,777,778 kw/h * $0.10 kw/h = $277,777,778 (electricity cost to rewrite the entire blockchain)
As of this writing, a block must reach a target difficulty value of 253,618,246,641, which takes approximately:
253,618,246,641 * 2^48 / 65535 = 1.09 * 10^21 hash
1.09 * 10^21 hash * 0.1 J / 10^9 hash = 1.09 * 10^11 J
1.09 * 10^11 J = 30,278 kw/h * $0.10 kw/h = $3,028 (cost of electricity required to create each block)
Therefore, we can say that Bitcoin is thermodynamically secure.
You can adjust some of the variables in the above calculations to reduce the cost, but we can be sure that just rewriting the entire blockchain would require millions of dollars' worth of electricity. However, even in the worst case, an attacker with that much computing power could only roll back transactions as far as 2014 (we will dig into why shortly).
Also note that the cost required to buy and run a mining rig is not taken into account.
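The two claims in this section can be put side by side: the per-block electricity estimate derived from difficulty, and the exponential drop in rollback probability with each confirmation. This is an added example, not code from the article; the probability function uses the attacker catch-up formula from the Bitcoin whitepaper (which the article does not state), the efficiency and price constants are the article's own assumptions, and the function names are hypothetical.

```python
import math

JOULES_PER_HASH = 0.1 / 1e9   # Antminer S9 figure used in the article: 0.1 J per 10^9 hashes
USD_PER_KWH = 0.10            # electricity price used in the article
JOULES_PER_KWH = 3.6e6

def expected_hashes(difficulty):
    """Average number of hashes needed to find one block at this difficulty."""
    return difficulty * 2**48 / 65535

def block_cost_usd(difficulty):
    """Electricity cost of the expected work behind one block."""
    joules = expected_hashes(difficulty) * JOULES_PER_HASH
    return joules / JOULES_PER_KWH * USD_PER_KWH

def rollback_probability(q, z):
    """Whitepaper estimate that an attacker holding hashrate share q
    ever overtakes the honest chain after z confirmations."""
    p = 1.0 - q
    if q >= p:
        return 1.0            # with half the hashrate or more, catching up is certain
    lam = z * q / p           # expected attacker progress while z honest blocks arrive
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam**k / math.factorial(k)
        total += poisson * (1 - (q / p) ** (z - k))
    return 1.0 - total

def confirmation_table(difficulty, q, depths=(1, 2, 6, 10)):
    """Rows of (confirmations, rollback probability, electricity cost of the buried work)."""
    per_block = block_cost_usd(difficulty)
    return [(z, rollback_probability(q, z), z * per_block) for z in depths]

if __name__ == "__main__":
    # Difficulty quoted in the article; a 10% attacker is an assumed sample value.
    for z, prob, usd in confirmation_table(253_618_246_641, q=0.10):
        print(f"{z:>2} confirmations  P(rollback)={prob:.7f}  work to redo=${usd:,.0f}")
```

Because the code carries full precision instead of rounding at each step, its per-block cost differs from the article's rounded figure by a few dollars.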
Sybil resistance
This is also known as Sybil resistance, which means that an attacker cannot feed false information to a peer node by running many dishonest peer nodes.
[Image: a node under a massive Sybil attack that still has a connection to one honest peer]
The graph above shows a near-worst-case scenario: your node suffers a massive Sybil attack, but remains connected to an honest node through which it can connect to the real blockchain. As long as there is an honest peer transmitting real blockchain data to your full node, your node will see through Sybil attempts to trick you and ignore them.
Real-time consensus
When your node is synchronized to the tip of the blockchain, you will find that the Bitcoin protocol maintains consensus across the network through some other interesting properties.
The authors of "Research Perspectives and Challenges of Bitcoin and Other Cryptocurrencies" point out that the following properties are critical to the stability of cryptocurrencies:
Eventual consensus. At any point in time, all nodes following the rules must reach consensus on the latest block of the final "legitimate" blockchain.
Exponential convergence. The probability of a fork at depth n is O(2^-n). This allows users to firmly believe that their transactions can be permanently settled after "k confirmations".
Liveness. New blocks are generated continuously, and valid transactions paying the appropriate transaction fees are packaged on-chain within a reasonable amount of time.
Correctness. All transactions contained in blocks are valid on the chain with the most cumulative proof-of-work.
Fairness. A miner with X% of the total computing power of the entire network can mine about X% of the blocks.
The authors point out that Bitcoin appears to have the above properties, at least assuming that most miners are honest. This is what block rewards and proof-of-work mechanisms are intended to achieve.
There are many other algorithms that can be used to maintain consensus in distributed systems, such as:
Proof of Stake (PoS)
Proof of Coin Age
Proof of Deposit
Proof of Burn
Proof of Activity
Proof of Elapsed Time
Federated Consensus
The above algorithms create a different security model - the most obvious difference from Proof of Work is that systems based on these algorithms all consume internal resources (coin or reputation) rather than external resources (electricity) to achieve consensus. As a result, these systems vary in their incentives and trust needs for validators in the network, dramatically changing the security model.
Security Model Misunderstandings
A common misconception is that Bitcoin has a well-defined security model.
In fact, the Bitcoin protocol has never had, and still does not have, a formally defined specification or security model. The best we can do is to study the motivations and behavior of system participants in order to better understand and describe Bitcoin's security model.
Nonetheless, some features of the Bitcoin protocol are often misunderstood.
Some blockchains are seriously vulnerable because developers add arbitrary signed checkpoints to the node software, in effect saying "the developers have confirmed that block X is on the correct chain". This is an extremely centralized single point of failure.
It is worth mentioning that Bitcoin has 13 hardcoded checkpoints, but these checkpoints do not change the security model as much as arbitrarily set checkpoints. The last checkpoint was added in Bitcoin Core 0.9.3 at block height 295000 (created on April 9, 2014). The difficulty value of this block is 6,119,726,089, and the required electricity cost is approximately:
6,119,726,089 * 2^48 / 65535 = 2.62 * 10^19 hash
2.62 * 10^19 hash * 0.1 J / 10^9 hash = 2.62 * 10^9 J
2.62 * 10^9 J = 728 kw/h * $0.10 kw/h = $73 (cost of electricity required to create this block)
So, if an attacker mounts a Sybil attack on a newly joined node (one that needs to sync from scratch), creating a shorter blockchain at a lower block height costs almost nothing, but that chain cannot extend past the checkpoint.
If an attacker partitioned off from the network a node that had synced past block height 295,000, the attacker could start serving it fake blocks at a cost of $73 per block, at least until a difficulty adjustment occurs. However, the longer the chain the victim node has synced, the more expensive it is for the attacker to create a chain with more cumulative proof-of-work.
Both Greg Maxwell and Pieter Wuille said they hope to remove checkpoints entirely someday. Wladimir van der Laan, lead maintainer of Bitcoin Core, noted that checkpoints are often confusing for those who want to understand Bitcoin's security model.
Arguably, the checkpoint at block height 295,000 means that full nodes "trust" the Bitcoin Core developers' assertion that blocks prior to April 9, 2014 are valid. However, the full node will still check the Merkle hash value in each block header, that is, the validity of the transaction history is still protected by the proof of work. These old checkpoints can improve performance (by skipping signature verification) when syncing the historical blockchain for the first time, although the introduction of libsecp256k1 makes the performance difference less noticeable.
Checkpoints exist for three main purposes:
Prevents a node's memory from filling up with valid but low proof-of-work block headers.
Skip signatures in earlier blocks (improves performance).
[Image. Source: Blockchain.info]
When the difficulty value is 27,000,000,000, mining needs to calculate about 27,000,000,000 * 2^48 / 65535 = 1.16 * 10^20 hash functions.
1.16 * 10^20 hash * 0.1 J / 10^9 hash = 1.16 * 10^10 J
1.16 * 10^10 J = 3,222 kw/h * $0.10 kw/h = $322 (average cost of electricity required to create each block)
(unfinished)
Original link:
https://blog.lopp.net/bitcoins-security-model-a-deep-dive/