In our setting, the PoW-miners have limited ability to produce proofs of work. To capture this, all PoW-miners are assumed to have access to a physical resource setup FrRO∗ which manages a huge “farm of computing devices”, and these devices are provided by the environment Z through the adversary. In order to utilize the computing power of the functionality, each player needs to register the computing services of FrRO∗ or disconnect the services at some later points. Indeed, this captures the dynamic computing power setting where different players could consume the computing resource for different windows of time. Functionality F∗
rROabstracts out the Bitcoin like mining process; this will simplify the design and analysis of protocols based on such mining ecosystem. Here, each PoW-miner is able to request one search query from FrRO∗ that consumes one unit of computing power granted in each execution round. Besides the computing services, the setup also provides the verification services which allow any player to verify solutions in many times, or computing serviceswhich allow any player to perform regular random oracle queries in many times.
More concretely, at any time, a PoW-minerWi can send a register command(WORK-REGISTER,Wi) to ask for registration. The functionality then asks the adversary to specify whether the player can register or not. If the adversary allowsWi to use the computing resource (Wi is granted the computing resource), the functionality would record(Wi, bi) where bi = 1. If the player unregisters the services, this bit would be reset to0 indicating that the resource will not be granted to this player any longer. Note that, here, we let
the environment Z (through the adversary) specify who will receive the computing resource and who will not.
The functionality proceeds in rounds, and for each round, it sets a bitbwi = 0 for every registered player Wimeaning that the playerWiis granted one unit of computational resource. Note that, if the computational unit has been used byWi by issuing the search query, the bitbwi = 0 is reset to 1, and then this player will not be able to request any other search queries. A registered PoW-minerWimay request the query to search for a PoW solution, and he can only find it with a certain probabilityp. More precisely, once he queried the computing services from the functionality by command(SEARCH, h,Wi), the functionality then checks if there exists a record (Wi, bi); this means the functionality checks if this player is already granted the required computing resource. If the resource is granted, andbwi = 0 meaning that this player has not used the resource allocated in the current round, the functionality would then with probabilityp, choose a random pair (w, h) and record an entry (Wi, hh, wi, h). There, ifWi queries more than one time in this round, the functionality would not perform any search queries since the resource is exploited.
In contrast to the computing services, every player has access to the verification or regular random oracle services many times by sending command(RO-VERIFY, B) or (COMPUTE, B, X) to the functionality where B is a PoW-block and X is a generic payload. In regular random oracle services, the functionality on the command(COMPUTE, B, X), where (B, X) is specified by the environment, executes an ordinary random oracle query (i.e., checks if (B, X) is queried and returns a random string corresponding to (B, X)). In verification services, the functionality FrRO∗ then returns the random string mapped toB = hh, wi if stored.
We emphasize that the regular random oracle queries are independent from the search queries. This implies that the random oracle used for the search query is different from that for the regular query. We then denote h as the random string returned by the random oracle for each regular query, and denote h0 as that for each search query. Please refer to Figure2for more details.
As discussed above, this is an “idealized” interpretation of the setting where all miners have the same amount of computing power; nevertheless, this idealized model does not sacrifice generality. The adversary A is allowed to perform at most t queries per round, where t is the number of corrupted PoW-miners. Thus, the computing power is consumed by querying the functionality in a bounded number of times.
We remark that we are not the first to formulate the setup of computing resources. Earlier efforts can be found in [23,40]. We argue that, our FrRO∗ formulation is more rigorous than the previous efforts; we explicitly model how the computing resource is managed and distributed from the environment to parties. In our model, each party can register and receive the computing resource under the control of the environment.
That said, this model naturally captures the joining of new players or the rejoining of old players.
Furthermore, our FrRO∗ is closely related to, but different from FTreein [40]. In [40], a “per protocol”
approach is taken. That is, for different blockchain protocol, say GHOST protocol [43], a different variant of FTree should be defined. We take a different approach; we abstract the essence of the underlying re-sources, and our resource random oracle functionality FrRO∗ can be used for different PoW-based blockchain protocols, and we don’t need to revise the setup per protocol.
We remark that our FrRO∗ is a very costly setup in the sense that, lots of computing resources can be provided in each time window. In our paper, we will use this physical resource (i.e., computing power) setup together with another virtual resource (i.e., stake) setup FrCERT∗ to design Bitcoin like blockchain.
Note that virtual resource setup FrCERT∗ is much less costly.
2.2.1 How to Implement FrRO∗
As discussed in section2.2, the functionality FrRO∗ is implemented by a random oracle functionality FRO [21]. We denoteφrRO∗ as the ideal protocol for an ideal functionality FrRO∗ andπrROas the protocol in the
FUNCTIONALITYF∗
rRO
The functionality is parameterized by a PoW parameter p, a PoW security parameter κ, and interacts with PoW-miners {W1, . . . ,Wn}, PoS-holders {Sn+1, . . . ,Sn+˜n}, as well as an adversary S.
Computing Resource Registration.
1. Upon receiving a message(WORK-REGISTER,Wi) from partyWi∈ {W1, . . . ,Wn}, if there is an entry (Wi, 1), then ignore the message. Otherwise, pass the message to the adversary. Upon receiving a mes-sage(WORK-REGISTERED,Wi) from the adversary, set bi := 1, record (Wi, bi), and pass the message to the partyWi(the partyWiregistered.)
2. Upon receiving a message(WORK-UNREGISTER,Wi) from partyWi∈ {W1, . . . ,Wn}, if no entry(Wi, 1) is recorded, then return(ERROR) toWiand halt. If there is an entry(Wi, 1) recorded, set bi:= 0, and up-date(Wi, bi), and then send (WORK-UNREGISTERED,Wi) to the partyWi(the partyWiunregistered.) For each round, setbwi := 0 for every registered partyWi (1 ≤ i ≤ n), then proceed as follows.
Regular Query. Upon receiving(COMPUTE, B, X) from a party P , if there is record of the form (B, X, h), send (COMPUTED, h) to the player P . If not, choose random h ∈ {0, 1}κ, send(COMPUTED, h) to the player P and record(B, X, h).
Work Query. Upon receiving(SEARCH,Wi, h) from a PoW-minerWiwhereh ∈ {0, 1}κ, proceed as follows.
1. If(Wi, bi) is recorded where bi= 1 and biw= 0(the partyWiregistered and granted one unit of compu-tational resource), then
• with probabilityp, choose uniformly a pair (w, h0) where w, h0∈ {0, 1}κ. Then setbiw:= 1, and record(Wi, hh, wi, h0). Then send (SEARCHED,Wi, w) to the playerWi (the partyWi discovers the solution,)
• with probability1 −p, set bwi := 1, and send (SEARCHED,Wi, ⊥) to the playerWi (the partyWi does not discover the solution.)
2. Otherwise, if any of the following cases occur:
• if(Wi, bi) is not recorded(the partyWiis not registered yet),
• or if(Wi, bi) is recorded and bi= 0(the partyWiregistered and then unregistered),
• or ifbwi = 1(the partyWialready used the granted computational resource in this round), Then send(SEARCHED,Wi, ⊥) to the playerWi(the partyWi does not discover the solution.)
Work Verification Query. Upon receiving (RO-VERIFY, B) from a party P where P ∈ {W1, . . . ,Wn,Sn+1, . . . ,Sn+˜n}, parse B as hh, wi check if there exists a recorded entry (·, hh, wi, ·) (the partyWi found the solution.) If yes and the entry is(Wi, hh, wi, h0) send (RO-VERIFIED, h0) to the party P . Otherwise, send(RO-VERIFIED, ⊥) to P .
Figure 2: Resource random oracle functionality FrRO∗ .
FRO-hybrid model. In the ideal protocol φ∗rRO, players are dummy since they just forward the messages received from the environment Z to the functionality FrRO∗ , and then forward the messages received from the functionality to the environment. On the other hand, upon receiving messages from the environment, the players inπrROexecute the protocol and then pass the outputs to the environment. Note that, we allow each PoW-miner to receive only one unit of computing power (one chance of querying the random oracle) per round.
Essentially, protocolπrROcaptures the core of PoW-based blockchain (e.g., Bitcoin). Informally,πrRO
carries out the following two main steps: first, each PoW-miner is able to“mine” for a puzzle solution of a hash inequality; after that, any other players (PoW-miners or PoS-holders) can verify the found solution.
The formal description of protocolπrROis given in Figure3.
Let S be the adversary against the ideal protocol φ∗rRO, and A be the adversary against the hybrid protocol πrRO. We now show that πrRO is as “ secure” as φ∗rRO with respect to the adversary S . Let
PROTOCOLπrRO
The protocol is parameterized by a PoW parameterp and a security parameter κ.
Each PoW-minerWi, where1 ≤ i ≤ n, proceeds as follows. (WORK-UNREGISTERED,Wi) to the environment.
2. For each round, each registered party Wi sets bwi := 0 , then proceeds as follows. Upon receiving (SEARCH,Wi, h) from the environment Z,
• If bi = 1 and bwi := 0, choose random w ∈ {0, 1}κ, and then query the functionality FROon input B = (h, w) and then obtain output h0. Ifh0≤ D where D= p · 2κ, send(SEARCHED,Wi, w) to the environment. Otherwise, ifh0> D, send (SEARCHED,Wi, ⊥) to the environment.
• Otherwise, if bi is not recorded, or if bi is recorded and bi = 0, or if bwi = 1, send (SEARCHED,Wi, ⊥) to the environment.
Each playerP ∈ {W1, . . . ,Wn,Sn+1, . . . ,Sn+˜n} proceeds as follows.
1. Upon receiving (COMPUTE, B, X) from the environment Z, send (B, X) to the functionality FRO and receiveh. Then send (COMPUTED, h) to the environment.
2. Upon receiving(RO-VERIFY, B) from the environment Z, send B to the functionality FROand receive h0. Ifh0≤ D, send(RO-VERIFIED, h0) to the environment. Otherwise, ifh0> D, send (RO-VERIFIED, ⊥) to the environment.
Figure 3: Resource random oracle protocolπrRO. EXECFπRO
rRO,A,Zbe the random variable denoting the joint view of all parties in the execution ofπrROwith the adversary A and an environment Z. In addition, let EXECF
∗ rRO
φ∗rRO,S,Zbe the random variable denoting the joint view of all parties in the execution ofφ∗rROwith the adversary S and an environment Z.
We prove the following lemma in AppendixA.3.1.
Lemma 2.1. Consider protocolπrROin Figure3and the ideal protocolφ∗rROdescribed above. It holds that the two ensembles EXECFπRO
In this subsection, we introduce our resource certification functionality FrCERT∗ describing the usage of virtual resource in our system. Please refer to Figure4for more details.
Essentially, at any time step, a PoS-holderSj can send a register command(STAKE-REGISTER,Sj) to F∗
rCERTfor registration. Similarly to FrRO∗ , the functionality then records(Sj, bj) where bj = 1, if permitted by the adversary. If the player discontinues the services, this bit is set to0 indicating that the stake would not be granted to this player any longer. Then, for each execution round, a registered PoS-holderSj is granted one unit of the virtual resource, and he can then request the functionality for leader election in this round.
Specifically, he can send message(ELECT,Sj, B) to the functionality; the functionality then with probability
˜p selects this party as the leader and notifies the player whether he is selected or not. Next, if the partySj
is elected by the functionality as the leader, the elected party then asks the functionality FrCERT∗ to provide the signature of(B, X,Sj). The functionality therefore requests the adversary to produce the signature by