Cryptology ePrint Archive: Report 2016/545

On Trees, Chains and Fast Transactions in the Blockchain

Aggelos Kiayias and Giorgos Panagiotakos

Abstract: A fundamental open problem in the area of blockchain protocols is whether the Bitcoin protocol is the only solution for building a secure transaction ledger. A recently proposed and widely considered alternative is the \GHOST protocol which, notably, was proposed to be at the core of Ethereum as well as other recent proposals for improved Bitcoin-like systems. % The \GHOST variant is touted as offering superior performance compared to Bitcoin (potentially offering block production speed up by a factor of more than 40) without a security loss. Motivated by this, in this work, we study from a provable security point of view the \GHOST protocol.

We introduce a new formal framework for the analysis of blockchain protocols that relies on trees (rather than chains) and we showcase the power of the framework by providing a unified description of the \GHOST and Bitcoin protocols, the former of which we extract and formally describe. We then prove that \GHOST implements a ``robust transaction ledger'' (i.e., possesses liveness and persistence) and hence it is a provably secure alternative to Bitcoin; moreover, our bound for the liveness parameter is superior to that proven for the bitcoin backbone in line with the original expectation for \GHOST. Our proof follows a novel methodology for establishing that \GHOST is a robust transaction ledger compared to previous works, which may be of independent interest and can be applicable to other blockchain variants.

Category / Keywords: cryptographic protocols / Bitcoin, GHOST, confirmation time, blockchain, robust public transaction ledger, security

Date: received 1 Jun 2016, last revised 5 Jul 2017

Contact author: g panagiotakos at di uoa gr

Available format(s): PDF | BibTeX Citation

Note: Found a mistake in the liveness attack.

Version: 20170705:140604 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]