A Study on Superlight Clients under Velvet Fork
Master Thesis
Andrianna Polydouri
Supervised by:
Aggelos Kiayias, Associate Professor NKUA
Dionysis Zindros, PhD NKUA
National and Kapodistrian University of Athens
Department of Informatics and Telecommunications
June 15th, 2020
Bitcoin blockchain
Players in the peer-to-peer network
-
miners
- generate new blocks by solving the PoW puzzle
-
full nodes
- store whole blockchain information
-
clients
- request up-to-date information
Light clients
Simplified Payment Verification (SPV)
Light clients
SPV protocol
- not efficient enough
- data grow linearly to |C|
Superlight clients
-
logarithmic data to |C|
- Superblock NIPoPoWs
- FlyClient
Superblock NIPoPoWs
- all valid blocks:
- "luckier" μ-level superblocks:
Superblock NIPoPoWs
Ideal superblock distribution
Superblock NIPoPoWs
Synchronization proof
- security parameter m
- proof contains at least m superblocks
Example for m = 3:
Superblock NIPoPoWs
Suffix proof π: contains some superblocks...
Superblock NIPoPoWs
Consensus Protocol changes
- interlink data struture in block header
- pointers to every most recent superblock
Consensus Protocol Update
Hard fork
- not backwards compatible
- change block header contents
- unupgraded parties do not accept upgraded blocks and vice versa
- may lead to permanent fork
Soft fork
- backwards compatible
- auxiliary data in coinbase transaction
- unupgraded parties accept upgraded blocks but not vice versa
- generally believed as less dangerous
Consensus Protocol Update
Velvet fork
- backwards compatible
- auxiliary data in coinbase transaction
- unupgraded parties accept upgraded blocks and vice versa
- protocol changes come as a recommendation
- only a minority of miners is needed to upgrade
magic!
Superblocks under Velvet Fork
"Superblocks protocol can be deployed as-is under velvet fork"
Superblocks under Velvet Fork
What if a malicious player adds specious auxiliary data?
- invalid interlink contents
- not pointing to the most recent ancestor
- pointing to a fork chain
- "thorny" blocks
Superblocks under Velvet Fork
The Chainsewing Attack
cut-and-paste portions of the honest chain
Superblocks under Velvet Fork
The patch
honest miners ignore unupgraded and thorny blocks while updating the interlink
Superblocks under Velvet Fork
Combined Attack
Suppression & Chainsewing
Superblocks under Velvet Fork
Security
velvet honest majority assumption
Superblocks under Velvet Fork
Intuition
Superblocks under Velvet Fork
Security
simple chain quality does not suffice!
the adversary may attack only some superblocks...
Our contributions
- revise the security proof for NIPoPoWs under soft fork
- extract concrete value for security parameter m = 2k + 1
- velvet NIPoPoWs in depth
- chainsewing attack on the initial protocol
- suggested protocol patch
- formal security proof for (1/4)-bounded adversary
- velvet FlyClient
- combined attack on the suggested protocol
Thank you!
Questions time
A Study on Superlight Clients under Velvet Fork
By andrian
A Study on Superlight Clients under Velvet Fork
- 418