CR  Jan 22, 2022
Sliding Window Challenge Process for Congestion Detection
Ayelet Lotem, Sarah Azouvi, Patrick McCorry et al.
Many prominent smart-contract applications such as payment channels, auctions, and voting systems often involve a mechanism in which some party must respond to a challenge or appeal some action within a fixed time limit. This pattern of challenge-response mechanisms poses great risks if during periods of high transaction volume, the network becomes congested. In this case fee market competition can prevent the inclusion of the response in blocks, causing great harm. As a result, responders are allowed long periods to submit their response and overpay in fees. To overcome these problems and improve challenge-response protocols, we suggest a secure mechanism that detects congestion in blocks and adjusts the deadline of the response accordingly. The responder is thus guaranteed a deadline extension should congestion arise. We lay theoretical foundations for congestion signals in blockchains and then proceed to analyze and discuss possible attacks on the mechanism and evaluate its robustness. Our results show that in Ethereum, using short response deadlines as low as 3 hours, the protocol has >99% defense rate from attacks even by miners with up to 33% of the computational power. Using shorter deadlines such as one hour is also possible with a similar defense rate for attackers with up to 27% of the power.
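As an added illustration of the pattern the abstract describes (a response deadline that is extended when the blocks it spans are congested), here is a toy congestion-aware deadline in Python. It is example code written for this listing, not the paper's mechanism or any deployed contract: the 90% gas-usage threshold, the one-block-of-extension-per-congested-block rule and the extension cap are all assumptions of the example, and the block data is constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Block:
    """Minimal view of a mined block: only what the congestion rule needs."""
    number: int
    gas_used: int
    gas_limit: int


def is_congested(block: Block, threshold: float = 0.9) -> bool:
    """Hypothetical congestion signal: a block counts as congested when it is
    at least `threshold` full. The 0.9 threshold is an assumption of this example."""
    return block.gas_used >= threshold * block.gas_limit


def response_deadline(chain: List[Block], challenge_block: int,
                      base_deadline: int, max_extension: int,
                      threshold: float = 0.9) -> int:
    """Return the block number at which the response window closes.

    The window starts at `challenge_block + base_deadline`. Every congested
    block observed inside the (possibly already extended) window pushes the
    deadline out by one block, up to `max_extension` extra blocks. Both the
    one-block rule and the cap are assumptions of this example, not the
    paper's mechanism. `chain` must be sorted by block number; blocks not yet
    mined simply do not contribute, so the result is the current deadline.
    """
    deadline = challenge_block + base_deadline
    cap = deadline + max_extension
    for block in chain:
        if block.number <= challenge_block:
            continue          # mined before the challenge: irrelevant
        if block.number > deadline:
            break             # past the (possibly extended) window
        if is_congested(block, threshold) and deadline < cap:
            deadline += 1     # responder had no fair chance here: extend by one
    return deadline


def response_accepted(chain: List[Block], challenge_block: int, response_block: int,
                      base_deadline: int, max_extension: int,
                      threshold: float = 0.9) -> bool:
    """Is a response included in `response_block` still within the window?"""
    return response_block <= response_deadline(
        chain, challenge_block, base_deadline, max_extension, threshold)


def make_chain(fill_fractions: List[float], first_number: int = 101,
               gas_limit: int = 30_000_000) -> List[Block]:
    """Constructed sample chain: one block per fill fraction, consecutive numbers."""
    return [Block(first_number + i, int(f * gas_limit), gas_limit)
            for i, f in enumerate(fill_fractions)]


# Constructed sample data (not real chain data): the challenge landed in block 100,
# followed by a burst of nearly full blocks in one case and quiet blocks in the other.
CONGESTED_CHAIN = make_chain([0.98, 1.0, 0.40, 0.95, 0.30, 0.99, 0.97, 0.20])
QUIET_CHAIN = make_chain([0.30, 0.45, 0.50, 0.35, 0.40, 0.55, 0.30, 0.25])

if __name__ == "__main__":
    # Base deadline of 3 blocks, at most 3 blocks of extension.
    print("deadline under congestion:", response_deadline(CONGESTED_CHAIN, 100, 3, 3))  # 106
    print("deadline when quiet:      ", response_deadline(QUIET_CHAIN, 100, 3, 3))      # 103
```

With the constructed congested chain the window moves from block 103 to 106: blocks 101, 102 and 104 each add one block, and the cap stops block 106 from adding a fourth. The weak point a practitioner should notice is the one the abstract's attack analysis is about: a miner who controls a block can leave it under-full while still excluding the response, so that block looks uncongested to this signal. That is why the paper evaluates the mechanism against miners holding a fraction of the hash power rather than against congestion alone.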
CR  Sep 15, 2021
Private Attacks in Longest Chain Proof-of-stake Protocols with Single Secret Leader Elections
Sarah Azouvi, Daniele Cappelletti
Single Secret Leader Elections have recently been proposed as an improved leader election mechanism for proof-of-stake (PoS) blockchains. However, the security gain they provide has not been quantified. In this work, we present a comparison of PoS longest-chain protocols that are based on Single Secret Leader Elections (SSLE) - that elect exactly one leader per round - versus those based on Probabilistic Leader Elections (PLE) - where one leader is elected on expectation. Our analysis shows that when considering the private attack - the worst attack on longest-chain protocols - the security gained from using SSLE is substantial: the settlement time is decreased by roughly 25% for a 33% or 25% adversary. Furthermore, when considering grinding attacks, we find that the security threshold is increased by 10% (from 0.26 in the PLE case to 0.36 in the SSLE case) and the settlement time is decreased by roughly 70% for a 20% adversary in the SSLE case.
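To make concrete why exactly one leader per round helps against a private attack, the following Python is an added example written for this listing, not the paper's model or results. It uses a deliberately simplified textbook approximation, which is an assumption of the example: under PLE the number of leaders per round is Poisson with mean one, honest leaders elected in the same round fork and so add at most one block to the public chain, while the private attacker chains every block it wins; under SSLE there is exactly one leader per round. The thresholds it produces are those of this toy model and are not the figures quoted in the abstract.

```python
import math
from typing import Callable, Tuple

# (honest chain growth per round, private adversarial chain growth per round)
Rates = Tuple[float, float]


def ple_rates(beta: float) -> Rates:
    """Probabilistic leader election under the simplified model assumed here:
    leaders per round ~ Poisson(1), so honest leaders ~ Poisson(1 - beta) and
    adversarial leaders ~ Poisson(beta). Honest leaders in one round fork, so
    the public chain grows only if at least one honest leader exists; the
    private attacker chains all of its blocks, so its growth is beta."""
    honest = 1.0 - math.exp(-(1.0 - beta))
    adversary = beta
    return honest, adversary


def ssle_rates(beta: float) -> Rates:
    """Single secret leader election: exactly one leader per round, adversarial
    with probability beta. No honest block is ever wasted on a fork."""
    return 1.0 - beta, beta


def private_attack_threshold(rates: Callable[[float], Rates], iters: int = 60) -> float:
    """Smallest stake fraction at which the private chain grows at least as fast
    as the public one. The growth gap is monotone in beta for both models, so
    bisection over [0, 1] is sound."""
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2
        honest, adversary = rates(mid)
        if adversary >= honest:
            hi = mid
        else:
            lo = mid
    return hi


def expected_lead(rates: Callable[[float], Rates], beta: float, rounds: int) -> float:
    """Expected lead (in blocks) of the public chain over a private chain
    started at the same time, after `rounds` rounds. A larger gap means a
    given confirmation depth is reached sooner, i.e. faster settlement."""
    honest, adversary = rates(beta)
    return (honest - adversary) * rounds


if __name__ == "__main__":
    for name, model in (("PLE", ple_rates), ("SSLE", ssle_rates)):
        honest, adversary = model(0.33)
        print(f"{name}: honest {honest:.3f}/round, adversary {adversary:.3f}/round, "
              f"private-attack threshold {private_attack_threshold(model):.3f}")
```

In this toy model a 33% adversary faces a per-round growth gap of about 0.16 blocks under PLE versus 0.34 under SSLE, because PLE's honest forks waste honest blocks. The paper's own settlement and grinding numbers come from a more careful analysis; the example only shows the direction of the effect.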
CR  May 21, 2019
SoK: Tools for Game Theoretic Models of Security for Cryptocurrencies
Sarah Azouvi, Alexander Hicks
Cryptocurrencies have garnered much attention in recent years, both from the academic community and industry. One interesting aspect of cryptocurrencies is their explicit consideration of incentives at the protocol level. Understanding how to incorporate this into the models used to design cryptocurrencies has motivated a large body of work, yet many open problems still exist and current systems rarely deal with incentive related problems well. This issue arises due to the gap between Cryptography and Distributed Systems security, which deals with traditional security problems that ignore the explicit consideration of incentives, and Game Theory, which deals best with situations involving incentives. With this work, we aim to offer a systematization of the work that relates to this problem, considering papers that blend Game Theory with Cryptography or Distributed systems and discussing how they can be related. This gives an overview of the available tools, and we look at their (potential) use in practice, in the context of existing blockchain based systems that have been proposed or implemented.
CR  Jan 9, 2019
Incentivising Privacy in Cryptocurrencies
Sarah Azouvi, Haaroon Yousaf, Alexander Hicks
Privacy was one of the key points mentioned in Nakamoto's Bitcoin whitepaper, and one of the selling points of Bitcoin in its early stages. In hindsight, however, de-anonymising Bitcoin users turned out to be more feasible than expected. Since then, privacy focused cryptocurrencies such as Zcash and Monero have surfaced. Both of these examples cannot be described as fully successful in their aims, as recent research has shown. Incentives are integral to the security of cryptocurrencies, so it is interesting to investigate whether they could also be aligned with privacy goals. A lack of privacy often results from low user counts, resulting in low anonymity sets. Could users be incentivised to use the privacy preserving implementations of the systems they use? Not only is Zcash much less used than Bitcoin (which it forked from), but most Zcash transactions are simply transparent transactions, rather than the (at least intended to be) privacy-preserving shielded transactions. This paper and poster briefly discusses how incentives could be incorporated into systems like cryptocurrencies with the aim of achieving privacy goals. We take Zcash as example, but the ideas discussed could apply to other privacy-focused cryptocurrencies. This work was presented as a poster at OPERANDI 2018, the poster can be found within this short document.
CR  May 16, 2018
Betting on Blockchain Consensus with Fantomette
Sarah Azouvi, Patrick McCorry, Sarah Meiklejohn
Blockchain-based consensus protocols present the opportunity to develop new protocols, due to their novel requirements of open participation and explicit incentivization of participants. To address the first requirement, it is necessary to consider the leader election inherent in consensus protocols, which can be difficult to scale to a large and untrusted set of participants. To address the second, it is important to consider ways to provide incentivization without relying on the resource-intensive proofs-of-work used in Bitcoin. In this paper, we propose a secure leader election protocol, Caucus; we next fit this protocol into a broader blockchain-based consensus protocol, Fantomette, that provides game-theoretic guarantees in addition to traditional blockchain security properties. Fantomette is the first proof-of-stake protocol to give formal game-theoretic proofs of security in the presence of non-rational players.
CR  Jan 24, 2018
Winning the Caucus Race: Continuous Leader Election via Public Randomness
Sarah Azouvi, Patrick McCorry, Sarah Meiklejohn
Consensus protocols inherently rely on the notion of leader election, in which one or a subset of participants are temporarily elected to authorize and announce the network's latest state. While leader election is a well studied problem, the rise of distributed ledgers (i.e., blockchains) has led to a new perspective on how to perform large-scale leader elections via solving a computationally difficult puzzle (i.e., proof of work). In this paper, we present Caucus, a large-scale leader election protocol with minimal coordination costs that does not require the computational cost of proof-of-work. We evaluate Caucus in terms of its security, using a new model for blockchain-focused leader election, before testing an implementation of Caucus on an Ethereum private network. Our experiments highlight that one variant of Caucus costs only $0.10 per leader election if deployed on Ethereum.
CR  Nov 10, 2017
Consensus in the Age of Blockchains
Shehar Bano, Alberto Sonnino, Mustafa Al-Bassam et al.
The blockchain initially gained traction in 2008 as the technology underlying bitcoin, but now has been employed in a diverse range of applications and created a global market worth over $150B as of 2017. What distinguishes blockchains from traditional distributed databases is the ability to operate in a decentralized setting without relying on a trusted third party. As such their core technical component is consensus: how to reach agreement among a group of nodes. This has been extensively studied already in the distributed systems community for closed systems, but its application to open blockchains has revitalized the field and led to a plethora of new designs. The inherent complexity of consensus protocols and their rapid and dramatic evolution makes it hard to contextualize the design landscape. We address this challenge by conducting a systematic and comprehensive study of blockchain consensus protocols. After first discussing key themes in classical consensus protocols, we describe: first protocols based on proof-of-work (PoW), second proof-of-X (PoX) protocols that replace PoW with more energy-efficient alternatives, and third hybrid protocols that are compositions or variations of classical consensus protocols. We develop a framework to evaluate their performance, security and design properties, and use it to systematize key themes in the protocol categories described above. This evaluation leads us to identify research gaps and challenges for the community to consider in future research endeavours.