2. The Difficulty of Quantifying Security
Security analysis of cryptocurrency protocols is complicated by many factors.
One such complicating factor is the rational self-interested nature of participants.
The ideal protocol is an incentive compatible Nash equilibrium such that deviating
from the protocol does not result in a net gain [5]. Recent work by Eyal and Sirer
[6] showed that the Bitcoin protocol is susceptible to a minority collusion group
that can grow to become a centralized majority. They propose a modification to
the Bitcoin protocol such that it can tolerate colluding groups that control up to
1/4 of the mining power – less than the previously assumed bound of 1/2 of Byzantine
mining power, which requires an honest mining majority that follows the prescribed
protocol.
Another complicating factor is whether the power to achieve or disrupt consensus
is extrinsic in origin (e.g. access to the production of mining equipment or
access to cheap electricity) or intrinsic in origin (e.g. the “stake” of validators in
proof-of-stake protocols) and whether the disruption of consensus – especially via a
successful double-spend attack – is associated with a commensurate penalty. The
problem with extrinsic factors of security is that they are not easily quantifiable
for analysis. For example, the depreciation costs of Bitcoin mining hardware in the
event of a successful double-spend attack may not be significant compared to the
running costs of electricity. On the other hand, existing proof-of-stake protocols do
not have a well-defined intrinsic penalty for instigators of a double-spend attack.
This is commonly called, ironically, the “nothing at stake” problem. Newer protocols
like the BitShares delegated-proof-of-stake protocol attempt to address this problem
by placing the role of ranked delegate at stake [3], but security is dependent on
the extrinsic ability of stakeholders to accurately predict the future performance of
delegates.
Security analysis is much simpler for an intrinsically secure cryptocurrency
protocol when it can be proved that launching a double-spend attack necessarily
results in a very high intrinsic penalty compared to the possible intrinsic gains.
Then, the protocol may be considered resistant to double-spend attacks assuming
no further extrinsic complications.
3. Terms
Nodes are connected to each other in a peer-to-peer network and relay new
information by gossip. Each node keeps a complete copy of a totally ordered
sequence of events in the form of a blockchain as in Bitcoin. Users keep an account
in the system, where the user’s account is identified by the user’s public key or
address. Each account can hold a sum of coins that can change with new
transactions. Nodes relay new transactions as they are signed and submitted by users to