CR Jul 2, 2020
Proofs of Useless Work -- Positive and Negative Results for Wasteless Mining Systems
Maya Dotan, Saar Tochner
Many blockchain systems today, including Bitcoin, rely on Proof of Work (PoW). Proof of work is crucial to the liveness and security of cryptocurrencies. The assumption when using PoW is that a lot of trial and error is required on average before a valid block is generated. One of the main concerns raised with regard to this kind of system is the inherent need to "waste" energy on "meaningless" problems. In fact, the Bitcoin system is believed to consume more electricity than several small countries. In this work we formally define three properties that are necessary for wasteless PoW systems: (1) solve "meaningful" problems, (2) solve them efficiently, and (3) be secure against double-spend attacks. These properties aim to create an open market for problem-solving, in which miners produce solutions to problems in the most efficient way (wasteless). The security of the system stems from the economic incentive created by the demand for solutions to these problems. We analyze these properties, and deduce constraints that must apply to such PoW systems. In our main result, we conclude that under realistic assumptions, the set of allowed problems must be preimage resistant functions in order to keep the system secure and efficient.
CR Sep 15, 2019
Hijacking Routes in Payment Channel Networks: A Predictability Tradeoff
Saar Tochner, Stefan Schmid, Aviv Zohar
Off-chain transaction networks can mitigate the scalability issues of today's trustless electronic cash systems such as Bitcoin. However, these peer-to-peer networks also introduce a new attack surface which is not well understood today. This paper identifies and analyzes a novel Denial-of-Service attack which is based on route hijacking, i.e., which exploits the way transactions are routed and executed along the created channels of the network. This attack is conceptually interesting as even a limited attacker that manipulates the topology through the creation of new channels can navigate tradeoffs related to the way it attacks the network. Furthermore, the attack also highlights a fundamental design tradeoff for the defender (who determines its own routes): to become less predictable and hence secure, a rational node has to pay higher fees to nodes that forward its payments. We find that the three most common implementations for payment channels in Bitcoin (lnd, C-lightning, Eclair) approach routing differently. We begin by surveying the current state of the Lightning network and explore the routes chosen by these implementations. We find that in the current network nearly 60% of all routes pass through only five nodes, while 80% go through only 10 nodes. Thus, a relatively small number of colluding nodes can deny service to a large fraction of the network. We then turn to study an external attacker who creates links to the network and draws more routes through its nodes by asking for lower fees. We find that just five new links are enough to draw the majority (65% - 75%) of the traffic regardless of the implementation being used. The cost of creating these links is very low. We discuss the differences between implementations and eventually derive our own suggested routing policy, which is based on a novel combination of existing approaches.
CR Oct 12, 2018
How to Pick Your Friends - A Game Theoretic Approach to P2P Overlay Construction
Saar Tochner, Aviv Zohar
A major limitation of open P2P networks is the lack of strong identities. This allows any agent to attack the system by creating multiple false personas, thereby disrupting the overlay network's connectivity and sabotaging its operation. In this paper, we explore practical ways to defend P2P networks from such attacks. To do so, we employ a game theoretic approach to the management of each peer's list of known nodes and to the overlay construction mechanisms that utilize this list. We consider the interaction between defender and attacker agents as a zero-sum game. We show that the cost of attacks can be driven up substantially if the defender utilizes available information about peers it chooses to connect to, such as their IP address. In addition to theoretical analysis of the underlying game, we apply our approach to the Bitcoin P2P network and derive effective strategies that guarantee a high safety level against attacks.