2. The Difficulty of Quantifying Security Security analysis of cryptocurrency protocols is complicated by many factors. One such complicating factor is the rational self-interested nature of participants. The ideal protocol is an incentive compatible Nash equilibrium such that deviating from the protocol does not result in a net gain [5]. Recent work by Eyal and Sirer [6] showed that the Bitcoin protocol is susceptible to a minority collusion group that can grow to become a centralized majority. They propose a modification to 1 the Bitcoin protocol such that it can tolerate colluding groups that control up to /4 1 of the mining power – less than the previously assumed bound of /2 of Byzantine mining power which requires an honest mining majority that follows the prescribed protocol. Another complicating factor is whether the power to achieve or disrupt con- sensus is extrinsic in origin (e.g. access to the production of mining equipment or access to cheap electricity) or intrinsic in origin (e.g. the “stake” of validators in proof-of-stake protocols) and whether the disruption of consensus – especially via a successful double-spend attack – is associated with a commensurate penalty. The problem with extrinsic factors of security is that they are not easily quantifiable for analysis. For example, the depreciation costs of Bitcoin mining hardware in the event of a successful double-spend attack may not be significant compared to the running costs of electricity. On the other hand existing proof-of-stake protocols do not have a well defined intrinsic penalty for instigators of a double-spend attack. Thisiscommonlycalled, ironically, the “nothing at stake” problem. Newer protocols like the BitShares delegated-proof-of-stake protocol attempt to address this prob- lem by placing the role of ranked-delegate at stake [3], but security is dependant on the extrinsic ability of stakeholders to accurately predict the future performance of delegates. Security analysis is much simpler for an intrinsically secure cryptocurrency protocol when it can be proved that launching a double-spend attack necessarily results in a very high intrinsic penalty compared to the possible intrinsic gains. Then, the protocol may be considered resistant to double-spent attacks assuming no further extrinsic complications. 3. Terms Nodes are connected to each other in a peer-to-peer network and relay new information by gossip. Each node keeps a complete copy of a totally ordered se- quence of events in the form of a blockchain as in Bitcoin. Users keep an account in the system, where the user’s account is identified by the user’s public key or address. Each account can hold a sum of coins that can change with new transac- tions. Nodes relay new transactions as they are signed and submitted by users to 2
Tendermint: Consensus without Mining Page 1 Page 3