Lucky transactions (51% attack mitigation) #145
Description
This is another proposal to bolster chain security against 51% attacks. I'm not very convinced that this should be implemented, but I think it can be discussed as an alternative to the finality layer proposal.
A finality layer marks blocks as finalized. Such blocks can never be replaced, they are cemented in the chain forever. It's the ultimate protection from 51% attacks.
However, this comes at a cost. Finality layers must be Byzantine fault tolerant (BFT), so they need a complex P2P protocol. An attacker controlling at least 1/3 of the stake can stall the finality layer or cause a permanent chain split (i.e. two parts of the network will finalize different blocks).
The following table shows the properties of some of the proposed soft-forking mitigation strategies:
| Strategy | stops 51% attack | stops selfish mining | can stall/split | impl. complexity | decentralized |
|---|---|---|---|---|---|
| DNS checkpoints | Yes | No* | Yes | Low | No |
| PoS finality layer | Yes | No* | Yes | High | Yes |
| Publish or Perish | No | Yes | No | Medium | Yes |
| Lucky transactions | Yes** | No* | No | Medium | Yes |
* Cannot stop reorgs of depth 1.
** With assumptions (see the Security section below).
Lucky transactions
Intuitively, given two alternative chains, the "correct" chain should be the one where the majority of the economic value takes place.
However, "economic value" cannot be defined simply as the transaction volume because miners can create their own fake transactions at virtually no cost.
Instead, we define "economic value" in terms of "lucky transactions", which cannot be easily spoofed.
Assuming H(...) is a hash function and || is the concatenation operator, a transaction spending an output created at height input_height with a key image key_image and amount amount is "lucky" if:
H(checkpoint_hash || key_image) < target * amount * (checkpoint_height - input_height)
(Eqn. 1)
Here checkpoint_hash is the hash of a recent block with a height of checkpoint_height and target is a dynamically adjusted value so that the blockchain contains on average 1 lucky transaction per block.
The above formula basically says that a transaction has a higher chance of being "lucky" if it spends an old output or an output with a high amount.
The minimum relay fee doesn't apply to lucky transactions.
Verification
If a transaction is lucky, the sender includes a special field in tx_extra that contains:
- The index of the lucky input.
checkpoint_hashandcheckpoint_heightamountandblinding_factorof the input pseudo-commitment.
This is only about 80 bytes of data.
Before selecting the decoys, the sender calculates:
anchor_height = checkpoint_height - H(checkpoint_hash || key_image) / (target * amount)
(Eqn. 2)
Ring members are selected from heights below anchor_height. Note that by Eqn. 1, anchor_height > input_height, so the ring can always include the lucky input.
To verify that a transaction included in the blockchain at height height is lucky, any chain observer does the following:
- Check that
height - checkpoint_height <= K, whereKis a parameter (the maximum checkpoint age). - Check that the
checkpoint_hashmatches the block at heightcheckpoint_height. - Check that
H(checkpoint_hash || key_image) < target * amount * (checkpoint_height - newest_ring_member_height). - Check that
input_commitment = amount * H + blinding_factor * G.
Fork choice
A new chain weight formula is used for the fork choice rule that replaces the "longest chain" rule. A block at height height has the following weight:
block_weight = (included_lucky_diff + current_lucky_diff / M) * pow_diff
(Eqn. 3)
Here included_lucky_diff is the sum of the difficulties of the valid lucky transactions included in the block, current_lucky_diff is the difficulty of a lucky transaction at height (calculated using the difficulty adjustment formula), pow_diff is the standard Proof of Work difficulty at height and M is a parameter.
Eqn. 3 basically says that a chain with lucky transactions has approximately (M+1)-times higher weight than the same chain without lucky transactions.
The canonical chain is the chain with the highest total weight.
Incentives
Miners have an incentive to include lucky transactions because they increase the weight of their blocks.
Users have an incentive to submit lucky transactions because they can be sent with a zero fee, they take priority over all non-lucky transactions and reduce the chance of their transaction being invalidated by a fork.
Lucky transactions can be "mined" by checking Eqn. 1 for each of the user's unspent outputs everytime a new block is published. However, there is no reward for that. It can be done altrustically to support the chain, as the cost is nearly zero (just a couple of hashes). Wallets could have an option to mine lucky transactions in the background.
Privacy
A lucky transaction leaks the amount spent in one of the inputs and also leaks the minimum age of the input. However, the identity of the spent input is still protected with a ring signature.
Security
With the recommended parameters of K = 3 and M = 3, lucky transactions can commit to one of the previous 3 blocks and a block without lucky transactions has about 1/4 of the weight of a block with 1 lucky transaction.
The new fork choice rule makes 51% attacks harder under the assumption that the majority of lucky transactions come from honest users.
The table below lists the required combinations of lucky transactions and hashrate as a percentage of the total to attack the chain. An attacker without any lucky transactions would need >80% of the network hashrate to overtake the honest chain (this applies to relatively short reorgs where the difficulty adjustment can be ignored).
| Lucky transactions | Hashrate needed |
|---|---|
| 0% | >80% |
| 33% | >60% |
| 50% | >50% |
| 67% | >40% |
| 100% | >20% |