0% found this document useful (0 votes)
5 views8 pages

EPoW Solving Blockchain Problems Economically

The document introduces Estimable Proof-of-Work (EPoW), a new consensus protocol aimed at addressing economic and security challenges in blockchain technology, particularly in Bitcoin. EPoW allows for real-time estimation of individual miners' work, potentially improving the efficiency and reliability of blockchain transactions. The authors propose that EPoW can help customize blockchain applications for various organizations and countries while mitigating existing issues related to mining and consensus.

Uploaded by

lol30315orz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
5 views8 pages

EPoW Solving Blockchain Problems Economically

The document introduces Estimable Proof-of-Work (EPoW), a new consensus protocol aimed at addressing economic and security challenges in blockchain technology, particularly in Bitcoin. EPoW allows for real-time estimation of individual miners' work, potentially improving the efficiency and reliability of blockchain transactions. The authors propose that EPoW can help customize blockchain applications for various organizations and countries while mitigating existing issues related to mining and consensus.

Uploaded by

lol30315orz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 8

EPoW: Solving Blockchain Problems Economically

Chih-Wen Hsueh Chi-Ting Chin


Department of Computer Science and Information Engineering Department of Risk Management and Insurance
National Taiwan University Ming Chuan University
Taipei 106, Taiwan, R.O.C. Taipei 111, Taiwan, R.O.C.
Email: [email protected] Email: [email protected]

Abstract—Blockchain was first implemented in Bitcoin, the A full-node user, called a miner, follows all Bitcoin rules,
first decentralized digital currency, with the hash-chained blocks while other users depend on miners to only send and receive
of data, hash-based proof-of-work, and a peer-to-peer protocol transactions, taking less responsibility and workload. At first,
to reach consensus so as to append new blocks and secure
transactions. Most importantly, it prevents double-spending after miners get a copy of all blocks of the blockchain from full
some confirmation time. However, few countries accept Bitcoin nodes. Users send transactions to each other by broadcasting
as a legal currency because, in addition to being subject to some the transactions as Internet packets to miners for confirmation.
security attacks, there are still problems in economics, politics, Miners simultaneously collect broadcast transactions and each
performance, etc. Many altcoins with different improvements one works on his/her own new block. By completing a hash-
have been proposed, but problems and attacks still remain.
Meanwhile, blockchain, as a trust machine, has been applied based proof of work (PoW), any miner can get the right
to many other areas, such as smart contract, creating a new to append a new block to the blockchain. By a consensus
hype, called “the most significant innovation since the Internet.” protocol, the miners will decide which new blocks will be
However, there are still similar problems and attacks in those accepted in the blockchain. The process is called mining
applications. By changing the original consensus design, instead because the miners get rewards once the block is confirmed. If
of just providing proof of work, we propose EPoW, i.e. estimable
proof-of-work, to estimate how much work is done and a corre- a block is confirmed, fixed amount of bitcoins, decreasing by
sponding protocol to reach consensus. EPoW and the protocol can half every 4 years, and total transaction fees of the transactions
serve as a new instrument such that the problems and attacks recorded in the block will be given to the miner as a block
mentioned above might be relaxed or solved economically. With reward.
EPoW, we believe blockchains and digital currencies can be better By trying a number, nonce, in its own mining block, the
customized by companies, organizations or countries for different
purposes or policies and be employed by any users. PoW asks the miners to find a hash value of the mining block
to be less than a number, target. Once the nonce is found, the
I. I NTRODUCTION new block is mined and waits for confirmation. The smaller
Blockchain was named after the technology was first the target value, the more difficult to mine a block. The target
proposed in the Bitcoin white paper[11]. It was imple- value is adjusted every 2016 blocks mined so that the time
mented later in Bitcoin, the world’s first decentralized to mine a block, called the block interval, has an average
digital currency[1][20], and the source code is open[21]. of 10 minutes. A number proportional to the target value,
Blockchain[22] consists of a distributed database that main- called difficulty, represents the total mining computing power.
tains continuously growing records of data called blocks. Each Another number, hash rate, the estimated total hash rate of the
block contains a timestamp of its birth, a link to a previous blockchain, also indicates the total mining computing power.
block and a hash[33] value of the whole previous block. However, no indicator represents the mining computer power
A hash function in cryptography is a one-way function to of individual miners unless we do long-term statistical analysis
map data of arbitrary size to data of fixed size such that of the blocks mined. As miners race to reach consensus earlier,
it is very difficult to reconstruct the input data from the the difficulty value grows exponentially, and so does the power
output hash value. Therefore, these blocks are hash-chained, consumption. Since the beginning of Bitcoin, the year of 2009,
forming the so-called blockchain, which is inherently resistant until June 2017, the difficulty of Bitcoin grew from 1 to over
to modification of the data. In other words, any modification 5.95 × 1011 [25]. Suppose only one computer was used in the
in a block results in inconsistency of its hash value in the next beginning of Bitcoin network. Nowadays roughly every person
block, as well as in the following blocks. in the world simultaneously uses more than 79 of the same
In Bitcoin, users can run the Bitcoin program at any com- computers for mining. More charts of Bitcoin statistics are
puter nodes on the Internet[6], forming the Bitcoin network. also available online[26].
The program has many options to choose for applying Bitcoin The mined block records the transactions the miner chose
rules. Since the source code is open, users can also customize before mining, e.g. the earlier ones or the ones with higher
their own code as long as it conforms to the Bitcoin rules. transaction fee, and the block might be broadcast to the other
A full node in Bitcoin network downloads every block and miners for confirmation. Note that the mined block might
transaction and checks them against core consensus rules. be later or never broadcast. If the block and its transactions

978-1-5386-0435-9/17/$31.00 ©2017
Authorized licensed use limited IEEE Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
to: National
have been verified by a miner, the miner might accept and reflect that there is enough work done to fulfill the original
confirm the block to the blockchain, then continue to mine request, more briefed in Section II. Instead of just serving for
for the next block. The transactions in the confirmed block digital currencies, blockchain was recently applied to many
will be removed from the transaction pool of the verifying other areas, such as smart contract[41] in Ethereum. A smart
miner to mine for the next block. Note that each miner might contract is a computerized transaction protocol that executes
reject the arriving new blocks and continue mining his/her own the terms of a contract. Ethereum blockchain enforces the
block. Confirming a block means appending it to the local correct execution of smart contracts in blockchain transactions
copy of blockchain, allowing for retrieval by other users. A on Ethereum Virtual Machine. Blockchain already creates a
transaction has one confirmation when its block is confirmed. new hype, called “the most significant innovation since the
For each subsequent block confirmed, the transaction has Internet”[28]. However, similar problems and attacks are left
one more confirmation. Because of the concurrency, block to be solved because some influential factors such as how
mining protocol and inevitable network delay, the miners much work has been done by individuals are not known or
might accept more than one blocks before mining the next are inestimable in real-time.
one. Actually, blocks with a timestamp greater than 2 hours To reach consensus, Bitcoin adopts proof of work and how
from the current network time and earlier than the median much work is done individually can only be estimated in
time of the past 11 blocks are rejected. This can reduce the average in a long run. Our main contribution is as follows:
number of confirmation to avoid attacks[19]. • We first propose and prove EPoW, i.e. estimable PoW,
The very first block is called the genesis block. The main where it can quantitatively estimate how much work is
chain of a blockchain is the chain of blocks with the largest done individually in closed formulas in real-time.
accumulative difficulty value from the genesis block. The • We propose a consensus protocol to apply EPoW.
honest miners always choose to append a new block at the • We conduct simulations to measure the variance and
end of the main chain. Therefore, the miners might have standard deviation of estimations.
different views of a blockchain and a blockchain might fork a The new PoW and corresponding consensus protocol might
branch sometimes. However, after some block confirmations, serve as a new instrument such that the blockchain problems
the main chain will be consistent. The forked blocks not in and attacks might be relaxed or solved economically. We have
the main chain will be still kept in the blockchain. Since not found similar related work.
only one main chain is maintained and all transactions are The rest of this paper is organized as follows. Section II
verified by peer users, double-spending [8][17] of a transaction provides a background brief. The EPoW is introduced in Sec-
can be prevented after some confirmations. Therefore, Bitcoin tion III. Section IV describes how to use it. Section V provides
blockchain is an open decentralized ledger that can securely some discussion. The paper is concluded in Section VI. Most
record transactions between any two parties. Of course, the on-line references are ended with the last accessed date. The
less confirmation time, the higher the satisfaction of users. undated are last accessed as of June 10, 2017.
While only few countries accept bitcoin as a legal currency,
most others have banned or restricted it, e.g. as a kind II. BACKGROUND
of expensive goods. Because, in addition to some unsolved This is only a brief. Detail surveys are available[12][13].
attacks, there are still problems in economics, politics, perfor-
mance, etc., more briefed in Section II. To win the mining A. Proof of Work
race, some miners adopt hardware assistance, such as GPU PoW is represented by a piece of data sent from a requester
or ASIC, aggravating the growth of difficulty. The ASIC, to the PoW service provider. The key feature of PoW is the
application-specific IC, runs even faster than GPU, graphics work must be moderately hard (but feasible) on the requester
processing unit. Without constraining the growth of difficulty, side but easy to check for the service provider[36]. It was first
the computing power consumed for mining keeps growing proposed to prevent junk mails[2] by doing some significant
exponentially. Recently, the Bitcoin network consumes over work before sending the email. For the hash-based PoW as in
two million US dollars daily in electricity[29]. By 2020, it Bitcoin, the PoW is to prove that enough computing work has
could consume as much electricity as Denmark[27]. However, been done so that the winner can append a new block. The
most of the time, there are only fewer than 10 transactions per same principle requiring certain amount of “work” applies to
second (TPS)[38]. The computing is very not green at all. proof of space, proof of bandwidth, and proof of ownership as
In Ethereum[31], a new PoW, Ethrash[30], which is ASIC well. However, proof of stake is different in that it just needs
resistant but GPU favorable, was proposed to reduce mining to provide a more deterministic proof of “wealth”, e.g. “age”
racing. A new consensus protocol, GHOST[42], was also of coin or how long a coin has been created.
proposed to shorten block interval into 12 seconds. The confir-
mation time is reduced but the TPS is still low, even fewer than B. Consensus protocol
1. Other altcoins also propose different consensus protocols, With the proof of work, proof of stake, or other means, a
such as proof of stake[37], where altcoins are Bitcoin alter- consensus protocol is to decide who or what wins the right
natives with uninteresting small changes. However, departing to append a block, write a ledger, or do something else. For
from the original definition of proof of work, they might not example, in Bitcoin, the first miner with a low hash value

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
wins and appends the block on the main chain. Byzantine 5) crime: Eventually, faulty system design or programming
fault tolerance (BFT) is another consensus protocol by voting bugs might be fixed or controlled to reduce illegal
in a faulty distributed system[23]. It might not be very scalable behavior. However, for some behavior, there might be
because there are a lot of voting messages, which might be a legal loophole. For example, coin mixing[35] can
faked, and it needs to wait for most of the messages to arrive to improve privacy but it is legal only if the coin source is
make a decision. Moreover, BFT miners need to be identified, legal.
i.e. they are permissioned.
F. Challenges
C. Types of Blockchains The challenges mostly come from dishonest adversaries.
1) public blockchain: Anyone can participate. For blockchains to be a real trust machine, the permissioned
2) consortium blockchain: The miner is permissioned[9]. approach is questionable because anyone might be somewhat
3) private blockchain: Not anyone can participate. dishonest sometimes, especially when the identification is
known to act in collusion. However, if we allow anyone
To be really trustful and decentralized without colluding,
without identification to participate, we need to know them
any user should be able to participate freely. However, to be
more quickly before they do any damage. Data mining on a
trackable or responsible, user identification might be necessary
blockchain can help a lot to retrieve information to improve
but this is against privacy. Therefore, semi-permissioned where
the security, but it might be too late. How to know participants
the identification can be checked in a decentralized and
better in real-time with little information is challenging. One
encrypted manner is desirable.
metric might be how much they had worked in the PoW
D. Weaknesses system. This is also the motivation of EPoW.
Zero-knowledge proof[44] was applied in blockchain to
For those systems using randomization to reach fairness in enforce honest behavior while maintaining privacy. It is also
the long run, attacks might happen if we do not wait enough challenging because it needs a lot of computing power.
time for confirmation. For example, hashing of PoW in Bitcoin
is similar to random number generating[3]. The PoW has at III. E STIMABLE P ROOF - OF - WORK
least the following weaknesses[43]. EPoW is an estimable PoW such that how much work
1) 51% attack: One party has more than 50% total mining was done can be estimated in closed-form formulas. The
power. Eventually, it can redefine the main chain, where requirement of a closed-form formula arises from the concern
data are still immutable but some could be excluded. that the numbers involved are usually very big. According to
2) double-spending: The same transaction is issued again the source code, Bitcoin uses the hash function SHA256[40],
after the first transaction has finished, e.g. cashout, with hash range 2256 ∼ = 1.158 × 1077 . Since the work is hard
before enough confirmations. It is done by redefining by definition, it is not clear whether there always exists a
the main chain to exclude the first transaction. closed-form estimation.
3) Sybil attack: Divide oneself into more participants. It For the PoW in Bitcoin, the service provider can easily
might forge identification. check that some hard work was done by the service requester
4) Selfish mining: Delay broadcasting of mined block to get but does not know how much work has been done quanti-
more percentage of average reward than honest ones[14]. tatively. If we would like to convert the PoW into EPoW,
5) Eclipse attack: Some nodes might be isolated by neigh- instead of just providing one nonce value as PoW, two nonce
bors delaying new arriving blocks[7][16]. values, i.e. low nonce and high nonce are needed in EPoW.
6) Balance attack: In a consortium blockchain using BFT, The low nonce generates a hash value, called low hash, less
double-spending might happen with much lower than than the other hash value, called high hash, generated by the
50% of mining computing power in two groups of nodes high nonce in the same block mining. The value range from
with about the same computing power[5][12]. low hash to high hash is called trial range. If low hash and
high hash are the lowest hash value and the highest hash value
E. Problems ever generated, respectively, we can estimate how many times
1) politics: The government would not like to be exposed the nonces have been tried, called nonce trials, by trial range.
to attacks, let anyone to participate in operating, or lose It is an estimation of how much work has been done and the
control of a legal currency. estimation can be figured out in closed-form formulas.
2) economics: Terms such as rewards, fees, or taxes lack If the low hash is not the lowest one, the high hash is the
quantifiers of user work, government policies, etc. to not highest one, or the same nonce is tried more than once, the
form a complete economic formula or model. nonce trials might be underestimated. If we grant the miner of
3) performance: Hundreds or thousands of times of TPS larger nonce trials more rewards, honest miners would not like
might be needed[39]. Blockchain size is too big and, for to underestimate the nonce trials. Note that underestimating
general use, it can not keep growing unlimitedly[15][18]. on purpose might be a new attack. Long-term statistics might
4) privacy: Any user can see any data in blockchain but be able to relax the underestimation. Since we need to try
most users would not like to reveal private information. nonces to get the desired hash values, it is very difficult to

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
⎡ ⎤
fake untried lower or higher hash values. Because nonce trials 1 0 0 0 0 0 0 0 0 0
⎢ 0 2 0 0 0 0 0 0 0 0 ⎥
increase with trial range, it is very unlikely to overestimate ⎢ ⎥
⎢ 0 0 3 0 0 0 0 0 0 0 ⎥
nonce trials. Before we prove the correctness of EPoW, we ⎢ ⎥
⎢ 0 0 0 4 0 0 0 0 0 0 ⎥
need to prove the following Lemma. ⎢ ⎥
⎢ 0 0 0 0 1 0 0 0 0 0 ⎥
L4 = ⎢⎢ ⎥ and
Lemma III.1. Suppose integers 1 to N are uniformly gener- ⎥
⎢ 0 0 0 0 0 2 0 0 0 0 ⎥
ated with the same probability p = 1/N . At the m-th genera- ⎢ 0 0 0 0 0 0 3 0 0 0 ⎥
⎢ ⎥
tion, P (i, j|m), the probability of the minimum ever generated ⎢ 0 0 0 0 0 0 0 1 0 0 ⎥
⎢ ⎥
being i and the maximum being j, where 1 ≤ i ≤ j ≤ N and ⎣ 0 0 0 0 0 0 0 0 2 0 ⎦
 range n = j − i + 1, is
the ⎡0 0 0 0 0 0 0 0 0 1 ⎤
pm , i=j 1 0 0 0 0 0 0 0 0 0
m m m m
. ⎢ 1 2 0 0 1 0 0 0 0 0 ⎥
(n − 2(n − 1) + (n − 2) )p , otherwise ⎢ ⎥
⎢ 1 1 3 0 0 1 0 1 0 0 ⎥
⎢ ⎥
⎢ 1 1 1 4 0 0 1 0 1 1 ⎥
⎢ ⎥
Proof. It is a Markov process with a lot of states but can be ⎢ 0 0 0 0 1 0 0 0 0 0 ⎥
D4 = ⎢ ⎢ ⎥.

solved easier by the following analysis of differential equa- ⎢ 0 0 0 0 1 2 0 1 0 0 ⎥
tions. For the first generation, only one number is generated. It ⎢ 0 0 0 0 1 1 3 0 1 1 ⎥
⎢ ⎥
is trivial i = j and P (i, j|1) = p. These are the initial values of ⎢ 0 0 0 0 0 0 0 1 0 0 ⎥
⎢ ⎥
the differential equations. For the following generations, any ⎣ 0 0 0 0 0 0 0 1 2 1 ⎦
number is generated with a probability p. Starting from the 0 0 0 0 0 0 0 0 0 1
second generation, if n = 1, it is trivial only the same number Note that the matrix dimension is very big when N = 2256 .
is generated and P (i, j|m) = p(P (i, j|m − 1)), otherwise Precisely, let D0 = [], and
dk Rk,k−1
j−1 Dk = 0 k(k−1) Dk−1 k(k+1) k(k+1) , where
 ×k × 2⎤
P (i, j|m) = p(nP (i, j|m − 1)+ P (i, k|m − 1) ⎡⎧ 2 2

k=i

⎨λii,ij , ii = ij
(1) ⎢ ⎥
j dk = ⎣ 1, ii > ij, 2 ≤ ii ≤ k ⎦ and


+ P (k, j|m − 1)). 0, otherwise
k=i+1
 k×k
1, k − l + 1 ≤ ii = ij + 1 ≤ k
Rk,l = Rk,l−1 .
To the right of equal sign in Equation (1), there is a single 0, otherwise
k×l
term (the first part) followed by two summations (the second Since DN is invertible, it can be eigendecomposed as XλX −1 ,

part). The first part accounts for the cases where the next where
 X is the eigenmatrix of DN . X = XN = [Xi,j ] =
generation retains the same range, while the second part X1,1 X1,2 · · · X1,N X2,2 · · · X2,N · · · XN,N .
covers the cases where either the maximum or the minimum Xi,j is⎡a column vector with size N (N2+1) . For example, ⎤
is breached. Let ii and ij stands for the row index and 1 0 0 0 0 0 0 0 0 0
column index of a matrix, respectively. The equations can ⎢ −1 1 0 0 −1 0 0 0 0 0 ⎥
⎢ ⎥
be expressed as the following matrices, where DN is the ⎢ 0 −1 1 0 1 −1 0 0 0 0 ⎥
⎢ ⎥
m =
⎢ 0 0 −1 1 0 1 −1 0 0 0 ⎥
⎡ matrix: P⎤
Markov transition ⎡ ⎤ ⎢ ⎥
P (1, 1|m) P (1, 1|m − 1) ⎢ 0 0 0 0 1 0 0 0 0 0 ⎥
⎢ P (1, 2|m) ⎥ ⎢ P (1, 2|m − 1) ⎥

X4 = ⎢ ⎢ ⎥,
⎢ ⎥ ⎢ ⎥ ⎢ 0 0 0 0 −1 1 0 −1 0 0 ⎥⎥
⎢ .. ⎥ ⎢ .. ⎥ ⎢ 0 0 0 0 0 −1 1 1 −1 0 ⎥
⎢ . ⎥ ⎢ . ⎥ ⎢ ⎥
⎢ ⎥ ⎢ ⎥ ⎢ 0 0 0 0 0 0 0 1 0 0 ⎥
⎢ P (1, N |m) ⎥ ⎢ P (1, N |m − 1) ⎥ ⎢ ⎥
⎢ ⎥ ⎢ ⎥ ⎣ 0 0 0 0 0 0 0 −1 1 −1 ⎦
⎢ ⎥ ⎢ ⎥
[P (i, j|m)] = ⎢ P (2, 2|m) ⎥ = pDN ⎢ P (2, 2|m − 1) ⎥.


.. ⎥



.. ⎥
⎥ ⎡0 0⎤ 0 0 0⎡ 0 ⎤ 0 0 0 1
⎢ . ⎥ ⎢ . ⎥ 1 0
⎢ P (2, N |m) ⎥ ⎢ P (2, N |m − 1) ⎥ ⎢ −1 ⎥ ⎢ 1 ⎥
⎢ ⎥ ⎢ ⎥ ⎢ ⎥ ⎢ ⎥
⎢ .. ⎥ ⎢ .. ⎥ ⎢ 0 ⎥ ⎢ −1 ⎥
⎣ . ⎦ ⎣ . ⎦ ⎢ ⎥ ⎢ ⎥
⎢ 0 ⎥ ⎢ 0 ⎥
P (N, N |m) P (N, N |m − 1) ⎢ ⎥ ⎢ ⎥
⎢ 0 ⎥ ⎢ 0 ⎥
Let L0 = [], and X1,1 = ⎢ ⎢ ⎥ ⎢ ⎥
⎥, X1,2 = ⎢ 0 ⎥, · · · . Precisely, let
λk 0 k(k−1) × k(k−1) ⎢ 0 ⎥ ⎢ ⎥
Lk = 2 2
, ⎢ 0 ⎥ ⎢ 0 ⎥
0 k(k−1) × k(k−1) Lk−1 ⎢ ⎥ ⎢ ⎥
k(k+1) k(k+1) ⎢ 0 ⎥ ⎢ 0 ⎥
2

2
2 × 2 ⎢ ⎥ ⎢ ⎥
ii, ii = ij ⎣ 0 ⎦ ⎣ 0 ⎦
where λk = [λii,ij ] = , to define λ 0 0
0, otherwise
k×k
or LN , the matrix of eigenvalues of DN . For example,

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
Fig. 1. The probability of less than 100 nonce trials with N = 10. Fig. 2. Normal cases of Figure 1.

TABLE I
xk Xk T HE STATISTICS OF P (i, j|m).
X0 = [], Xk = 0 k(k−1) 
Xk−1 , where
×k k(k+1) k(k+1)
× 2
⎡⎧ 2

2

⎨1, ii = ij
⎢ ⎥
xk = ⎣ −1, 2 ≤ ii = ij + 1 ≤ k ⎦ and


0, otherwise
⎡⎧ ⎤k×k

⎨−1, 2 ≤ ii = ij + 1 ≤ k
⎢ ⎥
Xk = ⎣ 1, 3 ≤ ii = ij + 1 ≤ k ⎦ .


0, otherwise k(k−1)
k× 2
The initial conditions are 
p, i=j
P1 = [P (i, j|1)] = . The differential
0, otherwise
equations can be simplified as follows N P m = pDN Pm−1 =
N
pm−1 Xλm−1 X −1 P1 = pm i=1 j=i ci,j λm−1 i,j Xi,j .
N  N
Solving for m = 1, P1 = p i=1 j=i ci,j Xi,j , we derive
ci,j = λi,j .
N N
Therefore,
 [P (i, j|m)] = pm i=1 j=i ci,j λm−1 i,j Xi,j =
pm (1m ), i=j
=
pm (−2(n − 1)m + nm + (n − 2)m ), otherwise 2017, hash rate of Bitcoin network, 3.4 × 1021 hashes per 10

pm , i=j minutes, can be a good reference value of m. It is relatively
.
m m
(n − 2(n − 1) + (n − 2) )p ,m m
otherwise small compared to N ∼ = 1.58 × 1077 , and we shall focus on
P (i, j|m) is only dependent on n and m, while p is a the very left part of Figures 1 and 2.
constant, 1/N . Note that we add one more item (n − 2)m for For clarity, Figure 2 is Figure 1 scaled after removing the
n = 2 to make the final formula withonly 2 forms for easier rare n = 1 and n = N cases. For each n, the m with the
application later. We can check that i,j P (i, j|m) = 1. highest probability could be a quick estimation of nonce trials.
Since the probability distribution skews a lot, other estimation
Assume the hash function used in PoW is perfect, and it might be more convincing to distinguish how much work has
behaves like a fair random number generator. According to been done. Actually, m̄, the average nonce trials might be a
Lemma III.1, using EPoW, the probability of the trail range better estimation.
after m-th trial has a closed-form formula. As shown in As shown in Table I, we have different statistics by
Figure 1, w.l.o.g. for easier description with N = 10 and P (i, j|m). P (n|m) is the probability
 of a given trial range
m < 100, the general shape will be similar regardless of N n after the m-th trial. Since n P (n|m) = 1, the m value,
N
and with big enough m. where the average n, n̄ = k=1 kP (k|m), is equal to the
Except the biggest range n = N = 10, the other probabil- given trial range, might be a good estimation ofm̄. Un-
N
ities are relatively very low and soon drop near 0 after about fortunately, n̄ contains a Faulhaber’s formula[32], k=1 k m .
50 trials. However, as N increases, if m is relatively small, When N is large, it is not computationally feasible. However,
the probability of n = N are also very low. The current, June approximating in closed-form formulas is still possible, as the

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
is definitely necessary. For non-hash-based PoW, if the esti-
mation can be in closed-form formulas, EPoW is also feasible.
IV. A PPLICATION TO EPoW
EPoW provides an estimation value indicating how much
work has been done. The value might represent the min-
ing reward directly but in the real world many factors are
not reflected. For example, the Cobb-Douglas production
function[24](CDPF), suggests Y = ALβ K α , where
• Y = total production (the real value of all goods produced
in a year)
• L = labor input (the total number of person-hours worked
in a year)
• K = capital input (the real value of all machinery,
Fig. 3. The work estimation m̄ with N = 100.
equipment, and buildings)
• A = total factor productivity
α and β are the output elasticities of capital and labor,
integral bounds of Sm (x) shown in Table I, providing that respectively. These values are constants determined by
some computation is acceptable. available technology.
Assuming the trials are done uniformly at a fixed rate as Even though the CDPF is a simplification of the real world,
in Lemma III.1, the probability of m-th trial, P (m), is a it is widely used. We further simplify it here for easier
constant. By Bayes’ theorem, the probability of nonce trails discussion. Suppose AK α can be a constant 1 relative to
on given i and j, P (m|i, j) ∼ j|m)P (m)/P  (i, j) =
= P (i,  the labor input Lβ in a period of time, i.e. Y = Lβ , and
 ∞
P (i, j|m)/P (i,j), where P (i, j) =  m=1 P (i, j|m)P (m) the production in PoW can be linearly rewarded (or sold).
∞ ∞
and P (i, j) = m=1 P (i, j|m). m̄ = m=1 mP (m|i, j) is a The work can be linearly quantified as labor input and the
better estimation and a closed formula. As shown in Figure 3, work in Bitcoin blockchain can also be directly measured by
the estimation of trials m̄ grows exponentially, as the trial computing power. Then, the reward and computing power in
range n goes near 100, when N = 100. In practice, N is very Bitcoin blockchain should also follow CDPF. Since Bitcoin
big, so is n. Therefore, there should be enough values of m̄ provides the miners a constant block subsidy and variable
to distinguish how much work was done. transaction fees as reward, it is reasonable that we only control
Since the trials are basically random in nature, the variance the percentage of the reward granted to the miners. Therefore,
is large. In our simulation, N = 2256 , the standard deviation we assume the mining reward is 1 or 100% initially, scaling
of m̄ grows linearly from 0 to 0.63 times of m̄, when n it by a better distribution of the reward afterward. L can thus
goes to N . The 95% confidence interval is around 1 to 4 stand for the estimated nonce trials m̄ and Y stands for the
standard deviations. The variance can be lowered if we allow control percentage.
removing the extreme, too big or too small, samples. Note that Because of the hash-based randomization, the probability
we need to extend the GMP big number library in 64bit Linux to get the reward is linear to computing power in Bitcoin.
to calculate the big numbers because the exponent is only an Therefore, Bitcoin has β = 1. It is an ideal number that miners
unsigned long integer, which is not big enough. would not like dividing their computing power similar to the
Theorem III.2. Hash-based EPoW is feasible and estimable. Sybil attack, nor combining into a mining pool as a monopoly
because the average reward is the same in the long run, no
Proof. For hash-based PoW, it follows Lemma III.1 and the matter how the difficulty grows. However, in reality, miners
probability for estimation is in closed-form formulas. Assum- join mining pools because the facility might be more cost
ing the hash-based trials in proof of work are conducted at effective than individuals and miners can save the maintenance
a constant rate, so that the Bayes’ theorem can be applied to cost.
estimate the average trials. We can map the estimation values In the law of diminishing marginal returns, the marginal
into different groups and assign a new representing value for product initially increases when more of an input (say labor)
each group, so that the number of representing values are is employed, keeping the other input (say capital) constant[34].
limited. In the worst case, a table of the representing values Here, labor is the variable input and capital is the fixed input.
with an acceptable look-up complexity can be built. Therefore, As more and more of variable input (labor) is employed,
it is feasible and estimable. marginal product starts to fall. Therefore, following the law,
0 < β < 1. As shown in Figure 4, β = 0.5. It is just
Since we only would like to estimate how much work was for explanation, otherwise 0.5 might be too harsh in reality.
done, it does not need to be very accurate. Actually, there However, with the same computing power, the Sybil approach
might not exist exact numbers to represent how much work is more advantageous for reward when β < 1 . On the other
was done. However, an instrument to distinguish quantitatively hand, monopoly is more advantageous when β > 1. Since

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
Fig. 4. Production Y = Lβ when β = 0.5. Fig. 5. Mapping table, L = m̄.

we can not change the probability to get the reward in hash-


based PoW, we can control the grant percentage based on
the estimated number of trials. Since the reward in Bitcoin
is always as β = 1, to achieve any β as grant percentage
for Bitcoin, we can apply a mapping as β − 1 for the grant
percentage. For example, to achieve final grant percentage as
β = 0.5, we can apply mapping as β = −0.5 on Bitcoin.
A mapping table as shown in Figure 5 might be further
applied to divide the trial range into groups or make the
percentage control more sophisticated or artificial, where some
organizations might prefer. To discourage monopoly, we can
zero the percentage for high trials, or even reject the block to
avoid 51% attack directly. On the other hand, to discourage
opportunism, we can also zero the percentage for low trials, Fig. 6. Mapped final reward.
or even reject the block to avoid dishonesty such as selfish
mining. Both grouping to zero above can also reduce the As shown in Figure 2, when the nonce trial m is small, the
variance of trials estimation. The similar grouping at different probability of different trial ranges varies a lot. Attacks taking
levels between 0% and 100% or more smooth curve fitting as advantage of this so that more than 1 confirmations are needed.
in Figure 2 can be applied without significant computation. As we can reject those blocks with low trials, the trails become
We can keep the majority in high percentage, not necessarily more predictable and the number of confirmations needed to
100%, to follow the economic laws such as CDPF or dimin- avoid attacks, such as double-spending, can be lowered. When
ishing marginal return. Actually, this mapping table plays an we reject those block with high trials, the reward still increases
important role in customizing blockchains. The final mapping with the computing power, under certain bound. However, it
combined with β = 0.5 and the mapping table as in Figure 5 is disadvantageous for miners to increase computing power
is shown in Figure 6. Then, we can do scaling and finalize the beyond. Therefore, the difficulty will drop even with the same
reward. The scaling can use up the reward budget or save some block interval, and so will power consumption. The computing
percentage for other usages, such as taxes or extra bonus. power can be saved to support other computation-intensive
work such as zero-knowledge proof. Mining a block will be
V. D ISCUSSION easier for the general public except for the ones with very little
To solve the Sybil attack, we can charge some constant fee computing power and block interval can also be shortened.
for all miners by the duration participating in the blockchain. This does not imply higher TPS but encourages miners with
However, if the attacker would like to pay more for the minimum computing power to participate. Consequently, more
computing power but get less reward, the Sybil attack can miners can be organized into more big enough groups such as
only be relaxed economically. To meet the government need, in sharding[10] or Bitcoin-NG[4] to parallelize blockchain for
we can tax on the scaled reward for each block. However, higher TPS indirectly. With the parallelization, in additional to
to be used in the cyber world, the economist might have using BFT, scalable storage using PoW can also be practically
better solutions by adjusting traditional economic laws. We feasible[15][18] .
believe more sophisticated and feasible mapping functions are Since the probability for a hash-based PoW trial is fixed,
available and it will be more reasonable in the cyber world. lowering difficulty can shorten the block interval but the

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.
average reward might be still the same because block interval [7] E. Heilman, A. Kendler, A. Zohar, S. Goldberg, ”Eclipse attacks on
might not be in the reward formulas. The number of con- bitcoin’s peer-to-peer network,” in 24th USENIX Security Symposium,
USENIX Security 15, Washington, D.C., USA, pp. 129-144, Aug. 2015.
firmations might increase, but the block interval might also [8] G. Karame, E. Androulaki, S. Capkun, ”Two bitcoins at the price of
be shortened. The total confirmation time might be shortened one? Double-spending attacks on fast payments in bitcoin,” in Proc. of
depending on the final reward mapping. Actually, different Conference on Computer and Communication Security, 2012.
[9] J. Kang, R. Yu, X. Huang, S. Maharjan, Y. Zhang, E. Hossain, ”Enabling
combinations of mapping tables or even changing dynamically Localized Peer-to-Peer Electricity Trading Among Plug-in Hybrid Elec-
might further prevent the Sybil or other attacks. This could tric Vehicles Using Consortium Blockchains,” in IEEE Transactions on
also be a good machine learning topic. EPoW makes all these Industrial Informatics, 2017.
[10] L. Luu, V. Narayanan, C. Zheng, K. Baweja, S. Gilbert, and P. Saxena,
possible, and these can be proved mathematically. A secure sharding protocol for open blockchains, in ACM Conference
on Computer and Communications Security, Vienna, Austria, Oct. 2016.
VI. C ONCLUSION [11] S. Nakamoto, ”Bitcoin: A Peer-to-peer Electronic Cash System,” Oct.
2008. https://bitcoin.org/bitcoin.pdf.
We propose EPoW, a simple improvement to hash-based [12] C. Natoli and V. Gramoli, ”The balance attack against proof-of-
PoW. With an estimable proof-of-work, blockchain problems work blockchains: The R3 testbed as an example,” arXiv preprint
and attacks might be relaxed or solved economically. The idea arXiv:1612.09426, Dec. 2016. http://arxiv.org/abs/1612.09426.
[13] C. Natoli and V. Gramoli, ”The blockchain anomaly,” arXiv preprint
can be easily adopted by other consensus protocols. Actually, arXiv:1605.05438, May 2016. http://arxiv.org/abs/1605.05438.
blockchain is just like a distributed real-time operating system [14] K. Nayak, S. Kumar, A. Miller, and E. Shi, ”Stubborn mining: gener-
using priority scheduling with an immutable file system, where alizing selfish mining and combining with an eclipse attack,” Cryptology
ePrint Archive, Report 2015/796, 2015. http://eprint.iacr.org/2015/796.
PoW defines the scheduling priority, consensus protocol does [15] R. Padilha and F. Pedone, ”Scalable byzantine fault-tolerant storage,”
the scheduling, mining is the context switch, block interval in IEEE/IFIP 41st International Conference on Dependable Systems and
is the time slice, and smart contract might be the remote Networks, 2011.
[16] R. Pass, L. Seeman, and A. Shelat, ”Analysis of the blockchain pro-
procedure call. Multiple users work on multiple nodes together tocol in asynchronous networks,” in Cryptology ePrint Archive, Report
as a system service to provide trust in a single-process manner, 2016/454, Sep. 2016. https://eprint.iacr.org/2016/454.
where sharding is to make it multiprocessing. Mining as [17] M. Rosenfeld, ”Analysis of hashrate-based double spending,” arXiv
preprint arXiv:1402.2009, 2014. http:// arxiv.org/abs/1402.2009.
context switch should not take so much computation power, [18] R. Rodrigues and B. Liskov, ”Rosebud: a scalable byzantine-fault-
while transaction processing is the most important real user tolerant storage architecture,” MIT CSAIL, Tech. Report TR/932, 2003.
task. EPoW provides information of individual computing [19] Y. Sompolinsky and A. Zohar, ”Secure high-rate transaction processing
in bitcoin,” in Financial Cryptography and Data Security, pp. 507-527,
power contributed and helps to make this distributed operating 2015.
system easier to be adjusted, manipulated, and optimized. The [20] Bitcoin, https://en.wikipedia.org/wiki/Bitcoin, [10- Jun- 2017]
ideal scenario is that miners can spend ignorable computing [21] Bitcoin Source Code, https://github.com/bitcoin/bitcoin/tree/master/src
[22] Blockchain, https://en.wikipedia.org/wiki/Blockchain, [10- Jun- 2017]
power helping operating the trust machine and the reward is [23] Byzantine fault tolerance, https://en.wikipedia.org/wiki/Byzantine fault
distributed to all participants economically and fairly based on tolerance, [10- Jun- 2017]
estimable contribution. Using EPoW, we believe blockchain [24] Cobb-Douglas production function, https://en.wikipedia.org/wiki/
Cobb%E2%80%93Douglas production function, [10- Jun- 2017]
and digital currency can be easily customized by companies, [25] Blockchain All Time Difficulty, https://blockchain.info/charts/difficulty
organizations or countries for different purposes or policies ?timespan=all, [10- Jun- 2017]
and be participated by any users in scale. [26] Blockchain Chart, https://blockchain.info/charts, [10- Jun- 2017]
[27] S. Deetman (29, Mar, 2016) Bitcoin Could Consume as Much Electricity
as Denmark by 2020, https://motherboard.vice.com/en us/article/bitcoin-
ACKNOWLEDGMENT could-consume-as-much-electricity-as-denmark-by-2020, [10- Jun- 2017]
The authors would like to thank Ja-Ling Wu, Yuh-Dauh [28] Blockchain Could Be Most Significant Innovation Since the Inter-
net: Survey, http://www.eweek.com/enterprise-apps/blockchain-could-be-
Lyuu, Wen-Chin Chen, Pangfeng Liu, Jiun-Ming Chen, Yung- most-significant-innovation-since-the-internet-survey, [10- Jun- 2017]
Chen Hsieh, Ruey-Long Hong, Vivian Huang, and Leon Hsueh [29] Bitcoin Energy Consumption Index, https://digiconomist.net/bitcoin-
for their different kinds of help; otherwise this work would energy-consumption, [10- Jun- 2017]
[30] Ethereum mining, https://github.com/ethereum/wiki/wiki/Mining
not be possible. This research was supported in part by grants [31] Ethereum, https://en.wikipedia.org/wiki/Ethereum, [10- Jun- 2017]
from the Ministry of Science and Technology, R.O.C. MOST [32] Faulhaber’s formula, https://en.wikipedia.org/wiki/Faulhaber%27s
105-2221-E-002-169- and MOST 105-2218-E-002-017-. formula, [10- Jun- 2017]
[33] Hash function, https://en.wikipedia.org/wiki/Hash function
[34] Marginal product, https://en.wikipedia.org/wiki/Marginal product
R EFERENCES [35] Mixing service, https://en.bitcoin.it/wiki/Mixing service
[1] D. Chaum, ”Blind signatures for untraceable payments,” in Advances in [36] Proof-of-work system, https://en.wikipedia.org/wiki/Proof-of-work
Cryptology, pp.199-203, 1983. system, [10- Jun- 2017]
[2] C. Dwork and M. Naor, ”Pricing via processing or combatting junk mail,” [37] Proof-of-stake, https://en.wikipedia.org/wiki/Proof-of-stake
in Advances in Cryptology-CRYPTO’92, pp. 139-147, 1992. [38] Transaction Rate, https://blockchain.info/charts/transactions-per-second
[3] D. Chaum, A. Fiat, N. Naor, ”Untraceable electronic cash,” in Advances [39] Scalability, https://en.bitcoin.it/wiki/Scalability, [10- Jun- 2017]
in Cryptology-CRYPTO’88, pp. 319-327, 1990. [40] Secure Hash Algorithms, https://en.wikipedia.org/wiki/Secure Hash
[4] I. Eyal, A. E. Gencer, E. G. Sirer, and R. van Renesse, ”Bitcoin-NG: a Algorithms, [10- Jun- 2017]
scalable blockchain protocol,” in 13th USENIX Symposium on Networked [41] Smart contract, https://en.wikipedia.org/wiki/Smart contract
Systems Design and Implementation (NSDI), Santa Clara, CA, Mar. 2016. [42] What is the GHOST protocol for Ethereum?, https://github.com/
[5] I. Eyal and E. G. Sirer, ”Majority is not enough: bitcoin mining is ethereum/wiki/wiki/Mining, [10- Jun- 2017]
vulnerable,” in Financial Cryptography, Christ Church, Barbados, 2014. [43] Weaknesses, https://en.bitcoin.it/wiki/Weaknesses, [10- Jun- 2017]
[6] J. Garay, A. Kiayias, N. Leonardos, ”The bitcoin backbone protocol: [44] Zero-knowledge proof, https://en.wikipedia.org/wiki/Zero-knowledge
analysis and applications,” Technical report, 2014. proofs, [10- Jun- 2017]

Authorized licensed use limited to: National Taiwan University. Downloaded on February 03,2025 at 02:32:20 UTC from IEEE Xplore. Restrictions apply.

You might also like