A Study on Superlight Clients under Velvet Fork

Master Thesis

Andrianna Polydouri

Supervised by:

Aggelos Kiayias, Associate Professor NKUA
Dionysis Zindros, PhD NKUA


National and Kapodistrian University of Athens

Department of Informatics and Telecommunications

June 15th, 2020

Bitcoin blockchain

Players in the peer-to-peer network

  • miners
    • generate new blocks by solving the PoW puzzle
  • full nodes
    • store whole blockchain information
  • clients
    • request up-to-date information

Light clients

Simplified Payment Verification (SPV)

Light clients

SPV protocol

  • not efficient enough
    • data grow linearly to |C|

Superlight clients

  • logarithmic data to |C|
    • Superblock NIPoPoWs
    • FlyClient

Superblock NIPoPoWs

H(block) \leq T
  • all valid blocks:
  • "luckier" μ-level superblocks:
H(block) \leq \dfrac{T}{2^μ}

Superblock NIPoPoWs

Ideal superblock distribution

Superblock NIPoPoWs

Synchronization proof

  • security parameter m
  • proof contains at least m superblocks

Example for m = 3:

Superblock NIPoPoWs

Suffix proof π: contains some superblocks...

Superblock NIPoPoWs

Consensus Protocol changes

  • interlink data struture in block header
  • pointers to every most recent superblock

Consensus Protocol Update

Hard fork

  • not backwards compatible
  • change block header contents
  • unupgraded parties do not accept upgraded blocks and vice versa
  • may lead to permanent fork

Soft fork

  • backwards compatible
  • auxiliary data in coinbase transaction
  • unupgraded parties accept upgraded blocks but not vice versa
  • generally believed as less dangerous

Consensus Protocol Update

Velvet fork

  • backwards compatible
  • auxiliary data in coinbase transaction
  • unupgraded parties accept upgraded blocks and vice versa
  • protocol changes come as a recommendation
  • only a minority of miners is needed to upgrade

magic!

Superblocks under Velvet Fork

"Superblocks protocol can be deployed as-is under velvet fork"

Superblocks under Velvet Fork

What if a malicious player adds specious auxiliary data?

  • invalid interlink contents
    • not pointing to the most recent ancestor
    • pointing to a fork chain
    • "thorny" blocks

Superblocks under Velvet Fork

The Chainsewing Attack

cut-and-paste portions of the honest chain

Superblocks under Velvet Fork

The patch

honest miners ignore unupgraded and thorny blocks while updating the interlink

Superblocks under Velvet Fork

Combined Attack

Suppression & Chainsewing

Superblocks under Velvet Fork

Security

velvet honest majority assumption

\dfrac{t}{n_h} < \dfrac{1}{3}

Superblocks under Velvet Fork

Intuition

Superblocks under Velvet Fork

Security

simple chain quality does not suffice!

the adversary may attack only some superblocks...

\dfrac{t}{n_h} < \dfrac{1}{3}

Our contributions

  • revise the security proof for NIPoPoWs under soft fork
    • extract concrete value for security parameter m = 2k + 1
  • velvet NIPoPoWs in depth
    • chainsewing attack on the initial protocol
    • suggested protocol patch
    • formal security proof for (1/4)-bounded adversary
  • velvet FlyClient
    • combined attack on the suggested protocol

Thank you!

Questions time

A Study on Superlight Clients under Velvet Fork

By andrian

A Study on Superlight Clients under Velvet Fork

  • 418