CSEC 604
CRYPTOGRAPHY AND AUTHENTICATION
Dr. Sumita Mishra
PROJECT REPORT
Submitted by: Ayushi Rathore, Nishith Lakhnotra
Blockchain: Consensus Protocols, Attacks and Mitigation
Ayushi Rathore: ar2171@rit.edu, Nishith Lakhnotra: nsl6625@rit.edu
Abstract— A blockchain is a distributed ledger in which each block uses a hash function to link to the previous block. It gained popularity through cryptocurrency, but major sectors such as banking and business are now adopting the technology. Being distributed, permissioned and immutable makes blockchains a robust option. Once a transaction is committed it is hard to roll back to the previous state; therefore, whether or not to accept a block is a crucial decision, and blockchains use consensus protocols to decide on the acceptance of a transaction. In our work we have studied various consensus protocols, how they are implemented, which attacks can be performed on them, and what solutions have been provided to prevent those attacks. Finally, we suggest solutions for the attacks that can be performed on proof of stake. We have also found that no single consensus algorithm is sufficient; therefore multiple or hybrid algorithms should be used according to the application being deployed.
I. INTRODUCTION
A blockchain is a robust security model which, at a basic level, can be considered a list of records in the form of blocks linked to each other using cryptographic techniques. Each block in the blockchain is linked to the block before it and the block after it: the block's cryptographic hash is computed over a combination of its timestamp, its transaction details and the hash of the previous block. Being distributed, permissioned and immutable, blockchains offer huge scope for implementation in the proceedings of major institutions dealing with business, banking, health care and much more. Blockchains operate in a peer-to-peer model [1] in which each node holds a copy of the entire blockchain. When a new transaction is proposed and attached to the chain, a new block is created with parameters, say, X and Y, where X is the previous state and Y is the state it was converted to. The block also carries a timestamp from which it is evident at which point in time the new block was added to the chain. Whenever a new transaction is proposed, all the peer nodes evaluate the transaction and its validity. When the nodes conclude that the transaction is valid it is added to the chain; this decision is again made on the basis of the consensus protocol. Consensus algorithms are the essence of the operation of a blockchain, and several different algorithms exist that act as the deciding factor for the addition of new blocks to the chain. Blockchains are also classified into two kinds, permissioned and permissionless [2]. Permissionless blockchains are public blockchains in which any node that adheres to the consensus algorithm can add to the chain; this type is closest to the idea of blockchains as they were first proposed. Permissioned blockchains carry restrictions and can be considered a private ledger; this model is used to respect the privacy of data in institutions where not all nodes are entitled to all the information circulated within the network. The three pillars that make the blockchain a model for the next generation are that it is trustless, distributed and scalable. There is no single point of failure, as trust is distributed among the peer nodes that take part in the chain. In addition, each node in the network is capable of downloading a copy of the present blockchain and can hence view all the transactions that have taken place so far. The model is also scalable, since a large number of blocks can be added to the chain as long as they meet the requirements of the consensus algorithm. The ledger is therefore shared and synchronized among the network nodes. Apart from these qualities, a blockchain supports the concept of smart contracts [2,15]. Smart contracts are essentially lines of code which execute certain commands when triggered, as agreed between the two parties involved in the transaction.
Fig. 1. Blockchain Operational Flow Diagram
Transactions give the blockchain its purpose; without them it would be just a placeholder. When a transaction is requested by one party, it is packaged as a block and broadcast to all nodes in the peer-to-peer network. Based on the consensus protocol established in the network, the nodes validate the transaction, the block is added to the chain and the transaction is labelled complete. As with any security model, these consensus algorithms are susceptible to a number of malicious attacks, which are investigated in this document. Many attacks prove impractical because of the fundamental way a blockchain operates, which points to the robustness of its security model, but some attacks must be addressed to keep the network free from malicious practice. This document investigates those attacks and provides mitigation techniques for them.
II. CONSENSUS ALGORITHMS
Consensus algorithms are the protocols followed by the nodes participating in the network to reach agreement on a deterministic order of transactions, thereby filtering out invalid transactions. Multiple nodes compete to publish the next block in order to earn the incentive attached to the transactions, so a consensus algorithm is needed for the nodes to work in synchrony in the distributed network. The consensus model is chosen according to the needs of the institution deploying it. In some instances the computations to be done by the network nodes are not resource intensive, and no consensus model needs to be established [2].
A. Proof of Work
In a proof of work blockchain, any node that wishes to publish a block has to solve a computationally hard puzzle; this process is called mining [3]. In the proof of work consensus model, a node's power is directly proportional to the total computation power it possesses. The goal of the model is to prevent fraudulent nodes from catching up with the honest nodes. A challenge-response scheme is used: the node is required to solve a computationally difficult puzzle, and when the required proof of work is presented, a new block is added to the chain and the node is rewarded with an incentive. Nodes that are not able to keep up with the timeframe are left behind by the network as slow. The difficulty of the proof of work algorithm therefore depends on the computation power of the CPU. For the algorithm to be functional, the requirement is a hash value that the puzzle solver is able to generate and that everyone else can verify easily. Each block has its own hash, which must begin with a certain number of zeros; that number defines the difficulty level of the proof of work algorithm. To mine the following block, a nonce is searched for such that the hash of the nonce, the block contents and the hash of the previous block has the required number of leading zeros. The computation required to mine the next block grows exponentially with the number of leading zeros [5]. Once this computation is achieved and the block is added to the chain, it is practically impossible to change the block. If an attempt is made to change the block, a new block with the previous transaction X and the new transaction Y that it was converted into is created, along with a timestamp. This points to the tamper-evident property of blockchains. If an attack of this sort is planned, the entire blockchain has to be compromised and redone, which is mathematically extremely complex and would require a huge amount of computation and time, a major discouragement to an attacker's malicious intentions. The longest chain is always considered in the end, since it is established that it comes from the nodes with the highest CPU power [5]. In practice the difficulty of the algorithm can be adjusted on the basis of the speed at which the nodes are mining blocks: if nodes are able to mine blocks at a considerable pace, the difficulty can be increased, keeping in perspective the ability of each node present in the peer-to-peer network.
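To make the linking described in the introduction and the mining and verification steps described here concrete, the following is an added example written for this report; it is not code from the report or from any project it cites. It builds a small chain in which each block's SHA-256 hash covers its index, timestamp, data, previous-block hash and nonce, searches for a nonce that makes the hash begin with a chosen number of zero hex digits, verifies the chain cheaply, and shows why altering an old block and re-mining only that block is not enough. The block layout and the hex-digit measure of difficulty are simplifications chosen for this example.

```python
import hashlib
import json

# Added illustration, not the report's code. Difficulty is counted in leading
# zero hex digits of the SHA-256 hash (each extra digit multiplies the expected
# work by 16); real networks use a numeric target, but the principle is the same.

GENESIS_PREV = "0" * 64


def block_hash(index, prev_hash, data, timestamp, nonce):
    """Hash of the block's fields; changing any one of them changes the hash."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "data": data, "ts": timestamp, "nonce": nonce},
        sort_keys=True,
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index, prev_hash, data, difficulty, timestamp=0):
    """Try nonces from 0 upwards until the hash starts with `difficulty` zeros.
    Returns (block, attempts) so the work spent can be measured."""
    target = "0" * difficulty
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, timestamp, nonce)
        if h.startswith(target):
            block = {"index": index, "prev": prev_hash, "data": data,
                     "ts": timestamp, "nonce": nonce, "hash": h}
            return block, nonce + 1
        nonce += 1


def build_chain(transactions, difficulty):
    """Mine one block per transaction, each linked to the hash of the previous one."""
    chain, prev = [], GENESIS_PREV
    for i, tx in enumerate(transactions):
        block, _ = mine_block(i, prev, tx, difficulty, timestamp=i)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain, difficulty):
    """Verification is cheap: one hash per block plus the difficulty and back-link checks."""
    target = "0" * difficulty
    for i, b in enumerate(chain):
        recomputed = block_hash(b["index"], b["prev"], b["data"], b["ts"], b["nonce"])
        if b["hash"] != recomputed or not b["hash"].startswith(target):
            return False
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if b["prev"] != expected_prev:
            return False
    return True


def tamper_and_remine(chain, index, new_data, difficulty):
    """Alter one historical block and re-mine only that block. Every later block
    still points at the old hash, so the chain stays invalid unless all of them
    are re-mined too; that is the cost the text describes."""
    altered = [dict(b) for b in chain]
    block, _ = mine_block(index, altered[index]["prev"], new_data, difficulty,
                          timestamp=altered[index]["ts"])
    altered[index] = block
    return altered


def average_attempts(difficulty, samples=20):
    """Mean nonces tried per block at a given difficulty; grows about 16x per extra zero."""
    total = 0
    for i in range(samples):
        _, attempts = mine_block(i, GENESIS_PREV, f"sample-{i}", difficulty, timestamp=i)
        total += attempts
    return total / samples


if __name__ == "__main__":
    # Constructed sample transactions.
    chain = build_chain(["A pays B 5", "B pays C 2", "C pays A 1"], difficulty=2)
    print("valid:", verify_chain(chain, 2))
    forged = tamper_and_remine(chain, 1, "B pays C 200", 2)
    print("valid after re-mining one block:", verify_chain(forged, 2))
    print("mean attempts, difficulty 1 vs 2:", average_attempts(1), average_attempts(2))
```

Re-mining only the altered block produces a block that satisfies the difficulty on its own, yet verify_chain still rejects the result because the next block's back-link no longer matches; only the most recent block can be replaced without redoing anything else, which is why the text measures an attacker's cost in the number of subsequent blocks that must be re-mined.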
B. Proof of Stake
The proof of stake model is not based on the difficulty of heavy computation but on the amount of stake a particular node holds compared to the total stake of the blockchain network. In proof of stake systems, the node with more stake in the network is more likely to publish the next block. Because of this fundamental property, it is very unlikely that a user with a high stake will compromise the security model, as it would have to face major consequences. The stake can be defined as the ratio of the stake a user holds to the total stake of the blockchain network. When a particular node presents its capability to mint the next block, it has to spend the coin age it has accumulated; the stake of that node is thus the number of coins or tokens it possesses compared to that of the entire network [4]. Therefore, the longer a node has been part of the network in a proof of stake system, the more likely it is to have a higher coin age. When these nodes perform transactions, the coin age is spent. The main chain here is the one with the most consumed coin age. Whether a validator in the network can mint the next block depends on the following condition [4]:
proofhash < coins * age * target
where proofhash is a combination of the coin age, stake and timeframe, coins is the spending done by the minter to obtain minting rights, and target is the number specified by the network as the difficulty parameter of the proof of stake algorithm.
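The following added example (written for this report, not code from Peercoin or any project cited here) turns the condition above into a check a validator could run. The proofhash input is assumed to be a SHA-256 over a network-wide stake modifier, the identity of the coins being staked, the time they were received and the candidate block time; the constant target is also an assumption. Because SHA-256 output is uniformly distributed, the probability that one try passes is (coins * age * target) / 2^256, linear in coin age, which is what makes a node with more and older coins more likely to mint the next block.

```python
import hashlib

# Added illustration of the proof of stake kernel condition
#   proofhash < coins * age * target
# It is not the report's code or any coin's implementation; the fields hashed
# into proofhash and the target value are assumptions for this example.

HASH_SPACE = 2 ** 256          # size of the SHA-256 output space
SECONDS_PER_DAY = 86400


def proof_hash(stake_modifier, coin_id, coin_time, stake_time):
    """Kernel hash over a network-wide stake modifier, the coins being staked
    (assumed to be identified by coin_id), when they were received and the
    candidate block time."""
    payload = f"{stake_modifier}:{coin_id}:{coin_time}:{stake_time}".encode()
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def coin_age_days(coin_time, now):
    """Whole days the coins have been held; this is the 'age' factor."""
    return max(0, (now - coin_time) // SECONDS_PER_DAY)


def kernel_weight(coins, age_days, target):
    """Right-hand side of the condition: more coins or older coins raise the
    bound the hash has to stay under, so more hash values qualify."""
    return coins * age_days * target


def kernel_passes(stake_modifier, coin_id, coin_time, coins, stake_time, target):
    """True when this validator may mint a block at stake_time."""
    age = coin_age_days(coin_time, stake_time)
    h = proof_hash(stake_modifier, coin_id, coin_time, stake_time)
    return h < kernel_weight(coins, age, target)


def win_probability(coins, age_days, target):
    """Fraction of all hash values that satisfy the condition for a single try."""
    return min(1.0, kernel_weight(coins, age_days, target) / HASH_SPACE)


def count_wins(stake_modifier, coin_id, coin_time, coins, target, trials):
    """One kernel try per second, starting once the coins are 10 days old
    (the age stays 10 for the whole window as long as trials < one day)."""
    start = coin_time + 10 * SECONDS_PER_DAY
    return sum(
        1 for t in range(start, start + trials)
        if kernel_passes(stake_modifier, coin_id, coin_time, coins, t, target)
    )


if __name__ == "__main__":
    # Assumed difficulty: one coin-day passes about 1 try in 10,000.
    TARGET = HASH_SPACE // 10_000
    small = count_wins(7, "utxo-small", 0, coins=1, target=TARGET, trials=20_000)
    big = count_wins(7, "utxo-big", 0, coins=10, target=TARGET, trials=20_000)
    print("1 coin, age 10 days:", small, "wins (expected about 20)")
    print("10 coins, age 10 days:", big, "wins (expected about 200)")
```

The two simulated validators hash the same number of candidate block times, so the difference in wins comes only from the weight term, not from any extra computation; that is the sense in which minting rights in proof of stake scale with stake and age rather than with CPU power.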
C. Delegated Proof of Stake
Delegated proof of stake introduces the concept of democracy into the proceedings of the blockchain security model. There is a list of nodes that can sign transactions, and this list is changed periodically according to certain rules [4]. Certain predetermined nodes carry out the minting of the next block; they are rewarded on successful operation and punished if malicious practice comes to light. These delegates are selected on the basis of their stake in the system, and they keep changing according to the votes of the nodes and whether they hold a major share of the total stake of the network. Once selected, delegates must provide a security deposit, which can be confiscated if malicious behaviour is promoted in the network. The delegates are thus given incentives to maintain the decorum of the blockchain network.
III. ATTACKS
Our research is focused on attacks on the consensus algorithm; we studied the attacks on proof of work and proof of stake. Both algorithms are prone to the 51% attack, the double spending attack, the Sybil attack and the denial of service attack [3]. However, much research has claimed that it is practically impossible to perform a 51% attack on proof of work, as it needs enough computational resources to take over 51% of the network. Suppose a node has become capable of controlling 51% of the network. Even if that node wants to go back 6 blocks and alter the transaction details, it would have to mine X blocks, where
(6 + X + 1) / 51 = X / 49
so X = 172 blocks. Therefore the node will have to mine 172 blocks in total if it wants to alter a transaction 6 blocks back in the chain. To put this into perspective, the Bitcoin chain takes 10 minutes to mine each block [5], so it would take the attacker 1720 minutes, which is above 28 hours and proves impractical in a real-world scenario.
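As an added worked example (not part of the report), the rate-balancing equation above can be solved in closed form and generalized to any depth d and any majority share p: (d + X + 1) / p = X / (1 - p) gives X = (d + 1)(1 - p) / (2p - 1). The function below reproduces the report's 172 blocks and 1720 minutes for d = 6, p = 0.51 and a 10-minute block interval, and shows how quickly X falls as the attacker's share grows. It keeps the report's simple proportional model and is not the probabilistic analysis in [5].

```python
import math

# Added example solving the report's 51% rewrite equation in general form.
# Model (from the text): while the attacker mines the d + X + 1 blocks needed
# to overtake the honest chain, the honest nodes mine X blocks, and block
# production is split in proportion to hash power, share : (1 - share).


def blocks_to_rewrite(depth, share):
    """Blocks the attacker must mine to replace a transaction `depth` blocks
    deep while controlling fraction `share` of the hash power.
    Closed form of (depth + X + 1) / share = X / (1 - share)."""
    if not 0 < share < 1:
        raise ValueError("share must be a fraction strictly between 0 and 1")
    if share <= 0.5:
        return float("inf")       # a minority never catches up in this model
    x = (depth + 1) * (1 - share) / (2 * share - 1)
    # Whole blocks only; the small subtraction guards against float noise that
    # would otherwise push an exact integer (e.g. 14.000000000000004) up by one.
    return math.ceil(x - 1e-9)


def rewrite_time_minutes(depth, share, block_interval_min=10):
    """Wall-clock cost using the block interval quoted in the text [5]."""
    return blocks_to_rewrite(depth, share) * block_interval_min


def rewrite_table(depth, shares=(0.51, 0.55, 0.6, 0.75, 0.9)):
    """Blocks needed for each share, to show how the cost collapses above 51%."""
    return {s: blocks_to_rewrite(depth, s) for s in shares}


if __name__ == "__main__":
    print(blocks_to_rewrite(6, 0.51), "blocks")
    print(rewrite_time_minutes(6, 0.51), "minutes")
    print(rewrite_table(6))
```

The table makes the defensive point visible: the 28-hour figure depends on the attacker holding barely more than half the hash power, and the same 6-block rewrite needs only 14 blocks at 60% and 4 blocks at 75%, so the number of confirmations a recipient waits for should be chosen with the largest plausible attacker share in mind.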
Many attacks can be performed on proof of stake systems. In our research we have focused on three of them:
• Precomputing attack.
• Long range attack.
• Coinage attack.
Apart from these three, there are attacks such as the bribe attack, in which the attacker tries to double spend by offering a reward to users who will mint over a truncated blockchain that does not include the payment transaction [3].
A. Precomputing Attack
In this attack an adversary tries to precompute which block is going to be minted next by calculating the hashes, after which the attacker can change the parameters of his own transaction accordingly and try to mint over the block that was supposed to be minted in the first place. In this way the attacker can take control over the entire chain by minting over the other blocks with the longest chain. Previous research has proposed using the delegated proof of stake algorithm as a solution; another proposed solution is to change the stake modifier at every modifier interval [3,4].
The limitation of these approaches is that the whole system depends on the honesty of the modifier. If the modifier has malicious intentions, it can mint over any block it wants. The other issue with this solution is that it makes the system somewhat centralized, since not all nodes are equal and the modifier has the right to decide whether or not to let other users mint.
B. Long Range Attack
In a proof of stake system, an attacker can create his own blockchain from scratch and replace the main one if he has enough computational power; the attacker is essentially forking the blockchain. This type of attack can mostly be performed by old members of the blockchain, as they have more coins to spend, i.e. their stake is greater than that of the new members. In a PoW system this type of attack is not possible, as it needs enough computational power. The solutions given in existing research are to define a maximum depth for a branching point [3,4,6,8] and to vote using delegated proof of stake, where the stakeholders vote on whether a chain should be downloaded or not [7].
The restricted depth is good for old users, but when a new user joins the chain there is no provision for him to know which chain is the valid one. For this purpose the concept of voting was introduced, but this makes the system semi-centralized and reduces the trustlessness of the system [3,7].
C. Coinage Accumulation Attack
In this attack an attacker waits long enough to accumulate more coin age so that he can potentially take over the network. The consequence of this attack can be double spending or network deterioration, which can be performed on a transaction by accumulating enough coin age.
The coin age of a coin is calculated as the product of coins and days. For example, if on day one a user has 1 coin whose value is 100, the coin age on day 1 is the product of 1 and 1, which is 1. Now assume that after 100 days the value of the coin has become 80; the coin age on the 100th day is 100 multiplied by 1, which gives a coin age of 100. In this scenario the stake on the 100th day is less than the coin age. The attacker can now spend these coins and spend more than the stake, i.e. he can perform more transactions because he has more coin age than stake.
The existing solution suggests putting a cap of a few days and resetting the coin age to zero after that. This is used by Peercoin, which keeps a cap of 90 days [9]. The proof of stake algorithm used by Blackcoin has abolished the concept of coin age [6], and in delegated proof of stake the stakeholders confiscate the coins if a transaction is found to be invalid [3,7].
The problem with these methods is that capping and removing age diminishes the concept of stake: under one mechanism the user has to spend coins before the cap, and the other challenges the whole idea of the proof of stake algorithm. Using delegated proof of stake makes the system centralized and makes transactions dependent on the stakeholders [3].
IV. OUR APPROACH
After closely studying these attacks and identifying the weaknesses in the proposed solutions, we suggest some modifications to the existing proof of stake algorithm to prevent these attacks. We also suggest some other concepts that can be used along with PoS to prevent these attacks from occurring.
A. Precomputing Attack
Proof of luck is a consensus protocol that is a modification of proof of work. In this protocol a random value between 0 and 1 is assigned to each block, where 1 is the luckiest and 0 the unluckiest. Miners try to append their block to the chain with the higher total luck, calculated by adding the luck values of all the blocks in the chain. This provides a degree of randomness in solving the PoW puzzle, reduces the computational complexity and increases the throughput where PoW consensus is used [10].
We use a similar concept to solve the problem of the precomputing attack. Similar to adding luck, we want to add a random variable between 0 and 1 to the proofhash equation used by the proof of stake algorithm. This way, which block will be minted next becomes unpredictable, and it is hard for the attacker to build over the next block to be minted because he cannot precompute it. As the proof of luck paper notes, the approach is computationally less intensive and increases the throughput; our approach inherits these properties, making it better than the previous approaches used against the precomputing attack. Our approach also eliminates the problem of the blockchain becoming semi-centralized when an algorithm like delegated PoS is used.
B. Long Range Attack
For the long range attack the proposed solution uses a blend of Byzantine fault tolerance and the proof of stake algorithm. Byzantine fault tolerance is a concept used in distributed networks: even if one third of the nodes in a network are faulty, the system keeps working properly, as established by previous research [4,11]. The concept has proven secure so far and is used in airplane engine systems, nuclear power plants and pretty much any system whose actions depend on the results of a large number of sensors.
Our approach uses a voting protocol in which all nodes in the network vote on whether the chain a user wants to download is valid. If two thirds or more of the nodes vote for a particular chain it is accepted as valid and the user can proceed with it; otherwise the user discards that chain and looks for another one. Our approach can be summarized as:
• The network uses the concept of Byzantine fault tolerance.
• If two thirds of the nodes vote for the validity of a blockchain it is accepted, otherwise not.
• All nodes have equal rights.
The advantage of our approach over the others is that, since all nodes are treated as equal, there is no problem of centralization; it also resolves the problem of how a new user determines whether a particular block is valid. In this approach we do not need any third party to establish trust between users, hence achieving trustlessness.
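The voting rule in the three points above can be written down directly. The following added example (not the report's implementation, and a plain vote count rather than a full Byzantine agreement protocol such as the one in [11]) gives every node one equal vote, accepts a chain only when at least two thirds of all nodes vote for it, and simulates faulty nodes that always vote against the truth. It shows that with up to one third of the nodes faulty a valid chain is still accepted and an invalid one still rejected, and what happens once more than a third are faulty. Node identifiers and the faulty-node behaviour are constructed for the example.

```python
import math

# Added illustration of the two-thirds acceptance rule. This is a vote count,
# not a Byzantine agreement protocol; node ids and the behaviour of faulty
# nodes are constructed for the example.


def required_votes(n_nodes):
    """Acceptance needs at least two thirds of all nodes: ceil(2n/3)."""
    return math.ceil(2 * n_nodes / 3)


def chain_accepted(votes):
    """votes maps node id -> True (chain valid) or False. Every node weighs the same."""
    yes = sum(1 for v in votes.values() if v)
    return yes >= required_votes(len(votes))


def max_tolerated_faulty(n_nodes):
    """Largest number of faulty nodes such that the remaining honest nodes alone
    can still reach the threshold for a valid chain."""
    return n_nodes - required_votes(n_nodes)


def simulate(n_nodes, n_faulty, chain_is_valid):
    """Honest nodes vote according to the chain's actual validity; faulty nodes
    vote the opposite, which is the worst case for this rule."""
    votes = {}
    for i in range(n_nodes):
        honest = i >= n_faulty
        votes[f"node-{i}"] = chain_is_valid if honest else not chain_is_valid
    return chain_accepted(votes)


def outcome_table(n_nodes):
    """For each number of faulty nodes: (valid chain accepted?, invalid chain
    rejected?). Both must hold for the rule to be doing its job."""
    return {
        f: (simulate(n_nodes, f, True), not simulate(n_nodes, f, False))
        for f in range(n_nodes + 1)
    }


if __name__ == "__main__":
    n = 9
    print("threshold:", required_votes(n), "of", n)
    print("tolerated faulty:", max_tolerated_faulty(n))
    for f, (accepts_valid, rejects_invalid) in outcome_table(n).items():
        print(f"faulty={f}: valid accepted={accepts_valid}, invalid rejected={rejects_invalid}")
```

With nine nodes the threshold is six votes, so three faulty nodes can neither block a valid chain (six honest votes remain) nor push through an invalid one (three votes fall short). With four faulty nodes the honest side can no longer reach six, so a valid chain is refused; with six faulty nodes an invalid chain is accepted. The equal-vote assumption is what keeps the scheme decentralized, and it is also why the count of faulty nodes, not their stake, is the quantity that matters.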
C. Coinage Accumulation Attack
We propose that the percentage decrease in the amount of stake should be directly proportional to the decrease in the age of the coin, and vice versa.
To explain this concept we use the example given in the introduction of the coin age attack. In that example, on day 1 the stake of one coin is 100 and the coin age is 1. After 100 days the value of the coin becomes 80 and the age changes to 100. The percentage change in the value of the coin is a decrease of 20 percent, so according to our solution we also reduce the coin age by 80%. Our solution gives the user the benefit of coin age but eliminates the problem of network takeover, as the coin age cannot exceed the stake of the coin.
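Both the coin age arithmetic in Section III.C and the proportional adjustment proposed above can be worked through in a few lines. The following is an added example written for this report, not the authors' code or that of Peercoin or Blackcoin. It computes coin age as coins times days, models the Peercoin-style 90-day cap [9] as a ceiling on the days counted (a simplification of the cap-and-reset described in the text), and implements the proposed rule by scaling coin age by the ratio of the coin's current value to its day-1 value; on the report's example (1 coin worth 100 on day 1 and 80 on day 100) that reading brings the coin age from 100 down to 80. That the proportional rule is meant as this value-ratio scaling is an assumption made here.

```python
# Added example: coin age, the Peercoin-style cap, and the value-proportional
# adjustment proposed in Section IV.C. Not the report's code; the value-ratio
# reading of "directly proportional" is this example's assumption.


def coin_age(coins, days_held):
    """Coin age as the report defines it: number of coins times days held."""
    return coins * days_held


def stake_value(coins, value_per_coin):
    """What the coins are worth now; the 'stake' the coin age is compared with."""
    return coins * value_per_coin


def capped_coin_age(coins, days_held, cap_days=90):
    """Peercoin-style mitigation [9], modelled as a ceiling: days beyond the cap
    add no further age, so waiting longer stops paying off."""
    return coins * min(days_held, cap_days)


def value_adjusted_coin_age(coins, days_held, value_day1, value_now):
    """Proposed rule, read as: scale coin age by the same percentage the coin's
    value has moved. A 20% fall in value gives a 20% fall in coin age."""
    if value_day1 <= 0:
        raise ValueError("day-1 value must be positive")
    return coin_age(coins, days_held) * (value_now / value_day1)


def coinage_exceeds_stake(coinage, stake):
    """The precondition of the accumulation attack described in Section III.C."""
    return coinage > stake


def attack_window(coins, value_day1, value_now, days=365, cap_days=90):
    """First day on which each variant lets coin age exceed stake (None if never
    within `days`), so the mitigations can be compared side by side."""
    stake = stake_value(coins, value_now)
    result = {"raw": None, "capped": None, "value_adjusted": None}
    for d in range(1, days + 1):
        if result["raw"] is None and coinage_exceeds_stake(coin_age(coins, d), stake):
            result["raw"] = d
        if result["capped"] is None and coinage_exceeds_stake(
                capped_coin_age(coins, d, cap_days), stake):
            result["capped"] = d
        if result["value_adjusted"] is None and coinage_exceeds_stake(
                value_adjusted_coin_age(coins, d, value_day1, value_now), stake):
            result["value_adjusted"] = d
    return result


if __name__ == "__main__":
    # The report's numbers: 1 coin worth 100 on day 1, worth 80 on day 100.
    print("day 1 coin age:", coin_age(1, 1))
    print("day 100 coin age:", coin_age(1, 100), "vs stake", stake_value(1, 80))
    print("adjusted day 100 coin age:", value_adjusted_coin_age(1, 100, 100, 80))
    print("first day coin age exceeds stake, per variant:", attack_window(1, 100, 80))
```

On the report's numbers the scaling keeps coin age at or below the stake through day 100, which is the scenario the text analyses. attack_window also shows what the scaling alone does not do: the scaled age keeps growing with holding time, so past day 100 it again exceeds a stake of 80, and the raw and 90-day-capped variants exceed it from day 81. Combining the proportional rule with a bound at the stake value, or with a cap, is a detail the proposal leaves open and would have to be fixed before deployment.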
V. RELATED WORK
There are various consensus protocols which suggest modifications to previous protocols; some are a combination of one or two protocols, and all of them essentially try to mitigate the problems of blockchain transaction validation [3-5].
Bitcoin uses the proof of work algorithm and has proven to be the most secure consensus protocol, but it has high computational overhead: performing a single transaction can take up to 10 minutes [5]. Peercoin and Blackcoin use proof of stake, which is a modification of PoW but has its own disadvantages [6].
The proof of activity model is a hybrid of proof of work and proof of stake in which miners race to solve the puzzle but the selection of accepted transactions is determined by the proof of stake algorithm. It is built as an alternative incentive scheme for Bitcoin [12].
Some hybrid algorithms use proof of work for the distribution of coins and proof of stake to perform transactions [3,4].
Blackcoin, a cryptocurrency based on the proof of stake algorithm, addresses the coin age attack by removing the age of the coin from proof of stake [6].
PPCoin is another hybrid design which uses proof of work to initially distribute the coins and a coin-based proof of stake thereafter. Here the transaction decisions are taken centrally by broadcasting and signing the blocks [13].
VI. CONCLUSION
We have studied the different consensus protocols for blockchains, investigated the attacks on these algorithms and the limitations of the approaches already proposed, and proposed mitigation techniques for attacks on PoS consensus. Our approaches are proposed theoretically and the results may differ in a practical scenario. After carrying out this investigation it is safe to infer that a small modification to an existing algorithm can solve the problems, and that a combination of two or more approaches will give better results in practical scenarios.
REFERENCES
[1] Milojicic, D. S., Kalogeraki, V., Lukose, R., Nagaraja, K., Pruyne, J., Richard, B., & Xu, Z. (2002). Peer-to-peer computing.
[2] Yaga, D., Mell, P., Roby, N., & Scarfone, K. (2018). Blockchain technology overview. Draft NISTIR 8202.
[3] BitFury Group (2015). Proof of Stake versus Proof of Work: White Paper. URL: http://bitfury.com/content/5-white-papers-research/pos-vs-pow-1.0.2.pdf
[4] Bach, L. M., Mihaljevic, B., & Zagar, M. (2018, May). Comparative analysis of blockchain consensus algorithms. In 2018 41st International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO) (pp. 1545-1550).
[5] Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System. https://bitcoin.org/bitcoin.pdf
[6] Vasin, P. (2014). Blackcoin's proof-of-stake protocol v2. URL: https://blackcoin.co/blackcoin-pos-protocol-v2-whitepaper.pdf
[7] Larimer, D. (2014). Delegated proof-of-stake (DPoS). BitShares whitepaper.
[8] NXT Whitepaper (2014). URL: https://wiki.nxtcrypto.org/wiki/Whitepaper:Nxt#Proof_of_Stake
[9] King, S., & Nadal, S. (2012, August). Peercoin: Secure & Sustainable Cryptocoin. [Online]. Available: https://peercoin.net/whitepaper
[10] Milutinovic, M., He, W., Wu, H., & Kanwal, M. (2016, December). Proof of luck: An efficient blockchain consensus protocol. In Proceedings of the 1st Workshop on System Software for Trusted Execution (p. 2). ACM.
[11] Sousa, J., Bessani, A., & Vukolic, M. (2018, June). A Byzantine fault-tolerant ordering service for the Hyperledger Fabric blockchain platform. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN) (pp. 51-58). IEEE.
[12] Bentov, I., Lee, C., Mizrahi, A., & Rosenfeld, M. (2014). Proof of activity: Extending Bitcoin's proof of work via proof of stake [extended abstract]. ACM SIGMETRICS Performance Evaluation Review, 42(3), 34-37.
[13] King, S., & Nadal, S. (2012, August 19). PPCoin: Peer-to-peer cryptocurrency with proof-of-stake. Self-published paper.
[14] What Is Bitcoin Mining? "What Is Proof of Work." Everything You Need to Know about Bitcoin Mining. N.p., 18 June 2015. Web. 09 Dec. 2016.
[15] Gao, Z., Xu, L., Chen, L., Shah, N., Lu, Y., & Shi, W. (2017). Scalable Blockchain Based Smart Contract Execution. 2017 IEEE 23rd International Conference on Parallel and Distributed Systems (ICPADS).
[16] Blockgeeks (2018). What is Blockchain Technology? A Step-by-Step Guide For Beginners. [Online]. Available at: https://blockgeeks.com/guides/what-is-blockchain-technology/ [Accessed 28 Nov. 2018].
[17] Mendling, J., Dustdar, S., Gal, A., García-Bañuelos, L., Governatori, G., Hull, R., et al. (2018). Blockchains for Business Process Management - Challenges and Opportunities. ACM Transactions on Management Information Systems, 9(1), 1-16.
[18] IBM. Blockchain Use Cases - IBM Blockchain. Retrieved from https://www.ibm.com/blockchain/use-cases/
[19] Eyal, I., & Sirer, E. G. (2014). Majority is not enough: Bitcoin mining is vulnerable. In Proceedings of the International Conference on Financial Cryptography and Data Security, Berlin, Heidelberg (pp. 436-454).
[20] Biryukov, A., Khovratovich, D., & Pustogarov, I. (2014). Deanonymisation of clients in Bitcoin P2P network. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA (pp. 15-29).
[21] Wessling, F., & Gruhn, V. (2018). Engineering Software Architectures of Blockchain-Oriented Applications. IEEE Conference Publication. [Online]. Available at: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8432174 [Accessed 27 Nov. 2018].