Weight-Based Nakamoto-Style Blockchains

Abstract

We propose a framework for building Nakamoto-style proof-of-work blockchains where blocks are treated differently in the “longest chain rule”. The crucial parameter is a weight function assigning different weights to blocks according to their hash value. Our framework enables the analysis of different weight functions while proving all statements at the appropriate level of abstraction. This allows us to quickly derive protocol guarantees for different weight functions. We exemplify the usefulness of our framework by capturing the classical Bitcoin protocol as well as exponentially growing functions as special cases. We show the typical properties—chain growth, chain quality and common prefix—for both, and further show that the latter provide an additional guarantee, namely a weak form of optimistic responsiveness. More precisely, we prove for a certain class of exponentially growing weight functions that in periods without corruption, the confirmation time only depends on the unknown actual network delay instead of the known upper bound.

A Weight-Based Chain Quality and Common Prefix

In this section we state the weighted variant of the chain quality and common prefix theorems. We start with chain quality and we use Theorem 2 together with the fact that the amount of weight produced during a time period is bounded; moreover, we use the collective mining rate to do this mapping, which is by no means a tight bound.

Corollary 1

(Weighted chain quality). Let P be an honest party, let R be any consecutive list of blocks from the best chain of this party, and let \(\rho \in \mathbb {N}\), \(\rho \ge 2\varDelta _{\mathsf {Net}}\) be the largest value such that \(\hat{W}_{q}(\rho ) \le \mathsf {Weight}(R)\). Further, let \(h_0 \in \mathcal {H}\) and \(X\in \mathbb {R}\) such that the weight function is \(\Bigl (\check{W}_{\mathsf {LeftIso}^{h_0}}, \check{p}_{\mathsf {LeftIso}^{h_0}} \Bigr )\)-left-isolated-lower-bounding and \(\bigl (\hat{W}_{q\beta }, \hat{p}_{q \beta }\bigr )\)-upper-bounding such that for any \(\rho ' \ge \rho \), we have \(\check{W}_{\mathsf {LeftIso}^{h_0}}(\rho ' - 2 \varDelta _{\mathsf {Net}}+ 1) \ge \hat{W}_{q\beta }(\rho ') + X\). Let \(p_{\mathsf {bad}}\) be the probability that the fraction of honest weight in R is less than \(\frac{X}{\mathsf {Weight}(R)}\). Then,

$$\begin{aligned} p_{\mathsf {bad}}\le \check{p}_{\mathsf {LeftIso}^{h_0}}(\rho - 2 \varDelta _{\mathsf {Net}}+ 1) + \hat{p}_{q \beta }(\rho ) + \hat{p}_{q} (\rho ). \end{aligned}$$

Proof

By our assumption on the weight function, it took at least \(\rho \) rounds to produce R, except with probability \(\hat{p}_{q}(\rho )\). We can thus apply Theorem 2 to conclude the proof of the corollary.    \(\square \)

We next show the weighted common-prefix property.

Corollary 2

(Weighted common prefix). Let \(\omega \in \mathbb {R}\), and let \(\rho \in \mathbb {N}\) be the largest value such that \(\hat{W}_{q}(\rho ) \le \omega \) and \(\rho \ge 2 \varDelta _{\mathsf {Net}}- 1\). Further let \(h_0 \in \mathcal {H}\) such that the weight function is \(\Bigl (\check{W}_{\mathsf {LeftIso}^{h_0}}, \check{p}_{\mathsf {LeftIso}^{h_0}} \Bigr )\)-left-isolated-lower-bounding and \(\bigl (\hat{W}_{q}, \hat{p}_{q}\bigr )\)-upper-bounding, and for all \(\rho ' \ge \rho \), we have \(2 \cdot \check{W}_{\mathsf {LeftIso}^{h_0}}(\rho ' - 2 \varDelta _{\mathsf {Net}}+ 1) \ge \hat{W}_{q}(\rho ')\). Let \(P _1,P _2\) be (not necessarily different) honest parties, let \(r_1 \le r_2\) be rounds, and let \(C_1\) be the best chain of \(P _1\) in round \(r_1\). Then, the probability that \(P _2\) has a best chain \(C_2\) in round \(r_2\) with \({C_1}^{^{\mathrm {W}}\lceil \omega } \not \preceq C_2\) is at most

$$\begin{aligned} 2 \check{p}_{\mathsf {LeftIso}^{h_0}}(\rho - 2 \varDelta _{\mathsf {Net}}+ 1) + 2 \hat{p}_{q}(\rho ). \end{aligned}$$

Proof

By our assumption on the weight function, there is at most \(\hat{W}_{q}(\rho ) < \omega \) weight produced in \(\rho \) rounds, except with probability \(\hat{p}_{q}(\rho )\). In this case, all blocks on \({C_1}^{^{\mathrm {W}}\lceil \omega }\) are mined before round \(r_1 - \rho \), i.e., \({C_1}^{^{\mathrm {W}}\lceil \omega } \preceq {C_1}^{^{\mathrm {R}>}\lceil r_1 - \rho }\). Therefore, we have \({C_1}^{^{\mathrm {R}>}\lceil r_1 - \rho } \not \preceq C_2\). We can thus apply Theorem 3 to conclude the proof of the theorem.    \(\square \)