Exploring Incentives in Blockchain Protocols
by Aikaterini-Panagiota Stouka
Special thanks to Michał Zając, Jorge Arce Garro, and Yevgeny Zaytman for reviewing, and to Laura Pietragallo and Carla Segvic for their comments.
Table of contents
- Introduction
- Game theoretic notions
- Coalition-safe equilibria with virtual payoffs
- Blockchain Nash Dynamics and the Pursuit of Compliance
- Conclusion
- References
In our previous cryptography blog posts, the operators of a pool — or parties in cryptographic or consensus protocols — were assumed to be either honest or malicious. Honest parties always follow the protocol, regardless of whether this is the best option for increasing their profits. In contrast, the malicious parties can deviate arbitrarily from the protocol even when the deviation is not profitable — but what happens when the parties are rational and do not explicitly belong to these categories?
A rational party has a utility that it wants to maximize (e.g., its profit) and decides whether to follow the protocol based on the option that maximizes its utility. The examination of protocols from this perspective corresponds to the field of incentives.
In this blog post, we will:
- Discuss what we consider “incentives’’ in (blockchain) protocols
- Explain a few notions and commonly used terms: Nash equilibrium, Nash dynamics, utilities, strategies game, etc.
- Give an overview of the following two frameworks/notions that are suitable for examining incentives in blockchain protocols and have been used to give valuable results for incentives in various Proof of Work and/or Proof of Stake blockchain protocols:
- Coalition-safe equilibria with virtual payoffs
Aggelos Kiayias and Aikaterini-Panagiota Stouka. 2021. Coalition-safe equilibria with virtual payoffs. In Proceedings of the 3rd ACM Conference on Advances in Financial Technologies (AFT ‘21). Association for Computing Machinery, New York, NY, USA, 71–85.
A preprint can be found here: https://arxiv.org/abs/2001.00047
2. Blockchain Nash Dynamics and the Pursuit of Compliance
Dimitris Karakostas , Aggelos Kiayias , Thomas Zacharias. 2022. Blockchain Nash Dynamics and the Pursuit of Compliance. Presented in AFT’22.
A preprint can be found here: https://arxiv.org/abs/2201.00858
Introduction
As previously mentioned, when we study incentives in a protocol, we work on the rational setting. This means that we assume that some or all the users — we will call them players — are rational, or utility maximizers, in the sense that they react in a way that maximizes a quantity they find important, called utility. An example of a utility is profit or gross revenue.
Protocols that are interesting to analyze, in terms of incentives, usually involve monetary rewards or penalties. One example is given by blockchain protocols that offer rewards to the players who participate in the extension or the validation of the blockchain ledger or impose monetary penalties to the players who provably violate the instructions of the protocol (e.g., slashing conditions.)
Research on incentives includes (but is not limited to):
- studying protocols from a game-theoretic point of view. To do this, we analyze if the protocol’s instructions align with the rational players’ economic incentives. Namely, we analyze whether following the protocol “honestly” is the best option for players who care only about maximizing their utility, or if there are deviations that can offer them higher utility.
- designing reward mechanisms for systems that incentivize players to behave in a way that will keep the system safe and with some desirable properties — e.g., decentralized or resistant to censorship.
But why is studying incentives useful?
As already mentioned, when we examine if a protocol satisfies some cryptographic properties, we assume that there are players who are honest — which means that they strictly follow the guidelines of the protocol — and players who are malicious and want to disrupt the protocol for any reason. This analysis does not examine what will happen to the system when players want to maximize their profit (or another utility). Even if a protocol is proven cryptographically secure, without a game theoretical analysis, we cannot predict if the security properties of the protocol will be violated in a scenario where all or most players act in a way that maximizes their profit.
Other cases where studying incentives can be useful are when a protocol cannot prevent malicious users from performing an attack or an undesirable action (e.g., centralization). In this scenario, an appropriate reward or penalty mechanism design could ensure that performing this attack or engaging in this undesirable action is very expensive or less profitable than playing honestly.
Game-theoretic Notions
In this section, we describe some notions and terms that are commonly used in incentives and game theory.
We begin with a simple game that enables us to explain these notions.
Normal-Form Game
In this type of game, every player simultaneously chooses an action called strategy. At the end of the game, each player earns some rewards based on its choice and the choices of the others. We will need the following definitions:
- A set of strategies Sᵢ is a set that includes all the possible strategies that a player i can choose.
- The strategy profile or joint strategy A=(s₁,…,sₙ) is a tuple where sᵢ is the strategy of a player i and n is the number of players.
- The utility of a player i is a function, denoted by Uᵢ , that takes as input a strategy profile and outputs the profit of player i for this strategy profile (or the value of the quantity the player wants to maximize).
A normal-form game with n players consists of a tuple (F,𝒮,U) where:
- F is the set of all the players
- 𝒮=S₁ × S₂…× Sₙ
- U=(U₁,…,Uₙ)
Nash Equilibrium
A strategy profile A=(s₁,…,sₙ) is a Nash equilibrium when it satisfies the following property:
For every player i and for every strategy sᵢ’ ∈ Sᵢ, it holds that:
Uᵢ(A) ≥ Uᵢ(s₁,…,sᵢ’,…sₙ)
This means that if the players choose the strategy indicated by A, then no player has incentives to change strategy and move from A.
Nash equilibrium can be used to examine if the players in a protocol have incentives to follow the instructions of the protocol. Namely, we can express the protocol as a strategy profile and examine if it constitutes a Nash equilibrium.
Approximate Nash Equilibrium
The notion of approximate Nash equilibrium can capture cases where the players can increase their utility by deviating but by just a tiny amount ϵ that they may find insignificant.
A strategy profile A=(s₁,…,sₙ) is an ϵ-Nash equilibrium when it holds that:
For every player i and for every strategy sᵢ’ ∈ Sᵢ, we have
Uᵢ(A) ≥ Uᵢ(s₁,…,sᵢ’,…sₙ)-ϵ
Note that the above notions can be generalized: instead of examining if one player can increase its utility by unilaterally deviating from A, we examine coalitions.
For example, one approach examines if a coalition can increase its joint utility by unilaterally deviating, where joint utility is the sum of the utilities of the players in the coalition.
Another approach that will lead to a stricter notion is examining if at least one player in a coalition can increase its utility if the coalition unilaterally deviates from the indicated strategy A.
When we say that “a coalition deviates unilaterally”, we mean that all the players that do not belong to the coalition follow the indicated strategy, and at least one player in the coalition deviates and chooses a strategy that is different than what is indicated by the strategy profile A.
Some examples of papers that follow the first approach are FruitChains: A Fair Blockchain, and Coalition-safe equilibria with virtual payoffs (we will give an overview of this paper later). An example of a paper that follows the second approach is Distributed computing meets game theory: robust mechanisms for rational secret sharing and multiparty computation.
Nash Dynamics
Nash dynamics is used to investigate if the players starting from an arbitrary strategy profile will converge quickly to a Nash equilibrium (if one exists). This mechanism progresses in steps, whereby in each step, one player decides to switch strategy (or not) to a new one if it is better in that the new strategy increases its utility by at least ϵ. The initial step is an arbitrary strategy profile. How a player is chosen in each step can vary. Nash dynamics has been used in various contexts; one example is a type of game called congestion games.
We will now give an overview of two frameworks that have been used to give valuable results for incentives in various Proof of Work and/or Proof of Stake blockchain protocols. We should note that this area of research is highly active, and many works propose suitable frameworks and/or study various aspects of blockchain protocols that are related to incentives. For more on this topic, read the research paper A Survey on Applications of Game Theory in Blockchain and the Ph.D. thesis Incentives in blockchain protocols. Additionally, you can find a reference list at the end of this article.
Coalition-Safe Equilibria with Virtual Payoffs
Before we give an overview of the framework Coalition-safe equilibria with virtual payoffs (henceforth EVP) [AFT’21], we will first explain what virtual means in this context and why it’s related to blockchain protocols.
The classic notion of Nash equilibrium implies that a trusted party assigns the rewards to the players honestly at the end of the game. Thus their utilities are well-determined and “universal”.
However, in a few blockchain protocols, this is not the case because the rewards are recorded in the blockchain and are “virtual”. This means that each player may have a different view on the rewards and utility of each other player that is based on its local chain.
We note that when there is consensus among the players on which blocks and which chain constitute the blockchain ledger, then the utility of the players is also well-determined. For example, blockchain protocols that satisfy the common prefix property guarantee that if the honest players are more than the malicious ones, then with overwhelming probability, all the honest players will share the same view on the initial part of their local chains and, thus, on the rewards recorded there. However, as mentioned earlier, when we are in a rational setting, we cannot assume any security properties that are proved under the honest/malicious setting.
Note: The definition of “overwhelming” that we have used is given below:
(In the context above, the probability is overwhelming in the security parameter of the system, which equals the length of the output of the hash value.)
Components of the Framework
The framework includes:
- A finite execution that abstracts and describes the procedures of a blockchain protocol. This execution model is based on the “real-world” execution model described in the Universally Composable Paradigm [FOCS 01] and generalizes the execution model of The bitcoin backbone protocol [EUROCRYPT 2015].
- A definition of the rewards, costs, and utility functions of coalitions in this execution model. In this framework, the rewards of a coalition are the sum of the rewards of its members. The same holds for the costs and the utilities. In addition, as each player may have a different view on the rewards of a coalition, the rewards and the utility of a coalition are indexed by player j, whose local chain is used to compute the rewards.
- A notion of Nash equilibrium that generalizes the notion presented in Fruitchains [PODC 17] makes it possible to examine the incentives in a blockchain protocol without assuming any security properties for the protocol.
This framework can be used to examine if rational players, who want to maximize various utilities, have incentives to follow the instructions of an arbitrary blockchain protocol. For example, in the same paper, this framework was used to examine if coalitions of rational players have incentives to follow Bitcoin and Fruitchain protocol under various utilities; it was also used to address centralization issues in Bitcoin.
Types of Utilities
Here are some examples of some meaningful types of utilities that have been considered in various research works (some of which are included in the reference list):
- Absolute Rewards: this utility is based on the rewards that a coalition accrues until the end of the execution. For example, in Bitcoin, a coalition of miners that has produced 10 blocks in a chain will have a utility (for this chain) equal to 10 ⋅ B where B is the fixed block’s reward. Depending on the setting, this utility may or may not consider (i) the transaction fees that the miners will earn from the transactions they included in the blocks they produced and (ii) external rewards that the miner will receive.
- Absolute Rewards minus Absolute Cost: this utility is based on the absolute rewards of a coalition minus the cost it incurred during the execution (for example, electricity for mining in Proof of Work blockchain protocols or the cost to retain a server in Proof of Stake blockchain protocols, respectively).
- Relative Rewards: this utility is based on the absolute rewards a coalition accrues until the end of the execution divided by the total rewards of all the players.
Note that the choice of utility is crucial in the analysis and can give different results; for example, the above paper (Coalition-safe equilibria with virtual payoffs) shows that for utility absolute rewards, Bitcoin is an equilibrium with virtual payoffs (EVP), but for utility relative rewards, Bitcoin is not an EVP.
Execution Model
The execution model includes n players, environment Z (reflecting the external world to the blockchain protocol Π we examine), and adversary A. The execution of the blockchain protocol Π in this model progresses in rounds; the number of rounds is determined by Z.
At the beginning of the execution, the adversary selects a set T of players to corrupt whose cardinality is upper bounded by t. In each round, the environment gives inputs to all the players and activates them one after the other. The communication between the players is determined by a functionality called Diffuse Functionality, presented in The bitcoin backbone protocol [EUROCRYPT 2015].
At a high level, the Diffuse Functionality works as follows: during each round, every honest player specifies the message they want to send to the other players. For example, in a blockchain protocol, the message can be the block that the player has produced. Then the functionality asks the adversary if and to which players it allows the message to be delivered. At the end of the round, the functionality sends all the honest players all the messages that were interrupted by the adversary during the round.
This functionality reflects a synchronous network where the adversary can reorder or delay messages. Still, at the end of each round, all the honest players receive all the messages sent by all the other honest players.
During the execution, the players that do not belong to T are honest, which means they follow the protocol’s instructions. On the other hand, the players that belong to T form a rational coalition controlled by A that deviates from the protocol if this deviation can increase their utility, with non-negligible probability, based on the view of at least one honest player.
The execution model abstracts the ‘’real-world’’ blockchain protocol using oracles that allow us to analyze it and assign costs. The oracles in this setting abstract the procedures of the protocol that cause some cost to the players. Examples include mining, signing blocks, verifying transactions, and more. For example, the Proof of Work procedure can be abstracted by a Random Oracle (see also here). Each oracle Oᵢ is queried qᵢ times by each honest player. The adversary can ask each oracle Oᵢ at most t ⋅ qᵢ queries (qᵢ queries for every corrupted player).
EVP Notion
This notion of Nash equilibrium examines the utility of the coalition/set T in two executions. In both executions, the environment is the same, but the adversary follows different strategies.
In the first execution, adversary A can instruct the corrupted players to deviate arbitrarily, compared to the second execution, where the adversary instructs the corrupted players to follow the honest strategy (but still deliver their blocks first when they are able to).
Recall that the rewards and the utilities of T are a matter of consensus and may vary among the local chains of honest players. To solve this, the paper suggests that for the execution where the corrupted players can deviate (first execution) the notion uses the highest utility of T among the view of all the honest players.
On the other side, the utility that is used for the execution where the corrupted players follow the instructions of the protocol (second execution) is the lowest utility of T among the view of all the honest players. Here is the notation for these utilities:
The paper takes this approach in order to provide a stricter equilibrium notion in the sense that when the adversary deviates, its utility is computed in the best-case scenario, and when the adversary follows the honest strategy, its utility is computed in the worst-case scenario. Note that the utility of the adversary or the set T is the sum of the utilities of all the players included in T.
At a high level, a protocol is (t,ϵ, ϵ’)-equilibrium with virtual payoffs (EVP) when the following holds with overwhelming probability in the security parameter: for every execution where the adversary deviates, its utility is not significantly higher than its utility when the corrupted players follow the instructions of the protocol (how much higher depends on ϵ,ϵ’). This means that the adversary with a very high probability cannot convince any honest party that its utility when it deviates is significantly higher compared to its utility when it follows the protocol.
On the other hand, according to this notion, a protocol will not be (t,ϵ, ϵ’)-equilibrium with virtual payoffs (EVP) when the adversary can instruct T to deviate in a way that can significantly increase its utility compared to following the protocol, with non-negligible probability, based on the view of at least one honest player.
The formal description of the notion is as follows:
A protocol Π is (t,ϵ, ϵ’)-equilibrium with virtual payoffs (EVP) if for every PPT static adversary A that corrupts a set T including at most t players, and for every r-admissible environment Z it holds that:
with overwhelming probability in the security parameter.
An adversary is considered static when it does not change the set of corrupted players during the execution. Also, an r-admissible environment Z is an environment that performs an execution of r rounds.
EVP and Nash Equilibrium
Some questions that may arise are: what is the correlation between the above framework and the classic notion of Nash equilibrium, and why does the above setting include honest players and not only rational players?
Recall that to examine if a protocol/strategy profile is a Nash equilibrium, we assume that all the players except a player or a coalition follow the strategies indicated by the strategy profile, and we examine if this player/coalition can increase its utility by deviating. The correlation is that, in the EVP framework, the players that follow the protocol are the honest players, and the coalition whose utility we examine are the corrupted players in set T.
As mentioned, the above framework can be used to examine whether a blockchain protocol is an equilibrium. It can also identify undesirable equilibria of a protocol (e.g., centralized equilibria with huge pools).
But what happens when following the protocol is not an equilibrium? For example, there may be a case where following a blockchain protocol is not an equilibrium, but still, the rational players do not have incentives to choose strategies that can disrupt the security or the decentralization of the protocol. What framework can we use in this scenario?
Blockchain Nash Dynamics and the Pursuit of Compliance
Recall that Nash dynamics is a mechanism that examines how quickly players can reach Nash equilibrium (if one exists), beginning from an arbitrary strategy profile (for example, see congestion games). In each step one player is selected and it changes strategy if there exists another strategy that can increase its utility by at least ϵ, assuming that the other players retain their current strategies.
Blockchain Nash Dynamics and the Pursuit of Compliance [AFT’22] adapts this mechanism to blockchain protocols in a way that checks if the rational players starting from the honest strategy will ever adopt a deviant (undesirable) strategy that belongs to an infraction X. The paper introduces the notion of compliance. A protocol is considered X-compliant when the rational players do not adopt deviant strategies expressed by infraction X.
Note that even if a blockchain protocol is not a Nash equilibrium (which means that rational players may deviate from the honest strategy), using this notion of compliance, we can check if the players have incentives to “pass” across strategy profiles that are “dangerous” for the system.
Moreover, apart from identifying profitable deviations, this tool is useful for parameterizing protocols that impose economic penalties to disincentivize specific deviations. Many blockchain protocols use economic penalties when the players responsible for validating the ledger misbehave in a provable way. One example is Ethereum’s Beacon Chain.
Next is an overview of the notion of compliance and its components introduced in the paper.
Components of the Notion of Compliance
Assume a directed graph, where the vertices reflect the strategy profiles and the edges reflect the moves of the players. Let n be the total number of players.
The first vertex is the protocol Π, which is the honest strategy profile that describes the protocol we want to examine.
In this graph, there is an edge (A,A’) when a player i moves from a strategy profile A=(s₁,…,sᵢ,…sₙ) to a strategy profile A’=(s₁,…,sᵢ’,…sₙ) . A player i moves from a strategy profile A to a strategy profile A’, if uᵢ(s₁,…,sᵢ,…sₙ)+ ϵ <uᵢ(s₁,…,sᵢ’,…sₙ) and also sᵢ’ is the best response for i. This means that a player will move only if it can increase its utility by at least ϵ, assuming that the other players do not change strategy. If more than one strategy profile increases its utility by at least ϵ, then the player will move to the best one (the strategy profile that offers the highest utility). Note that a player can move only to strategy profiles where all the other players remain on their current strategy. This means that the vertices are connected via edges only if the associated strategy profiles differ in exactly one position, which is the strategy of the player who moves.
Given the above graph, we can define the cone of a strategy profile.
The cone of the honest strategy profile Π is defined as the set of all the vertices that are reachable from Π, including Π. A vertex is considered reachable if there is a path in the graph leading to it starting from the first vertex. The cone of Π reflects all the possible strategy profiles across which rational players can pass if they start from the honest strategy and move as described above.
Note that, as the authors prove in the paper, when a protocol Π is a Nash equilibrium, then its cone includes only the honest strategy profile because the players do not have incentives to move. Conversely, when the protocol is not a Nash equilibrium, then its cone includes more vertices.
The notion of compliance examines if the cone of the protocol Π includes deviations that are of interest. Infraction predicates will abstract the deviations. Some deviations the paper examines are (i) if a player in a Proof of Stake protocol signs two conflicting blocks when it is elected and (ii) if a player abstains from participation.
An infraction predicate takes as input (i) an execution trace of the protocol (an execution with specific randomness) and (ii) a player P and outputs 1 if the player employs the deviation the predicate abstracts, and 0 elsewhere.
Given an infraction predicate X, a strategy is characterized as compliant or not according to the following definition.
A strategy S is X-compliant if and only if for every player P and for every execution trace in which P employs S, the output of the predicate is 0.
Armed with the above definitions, we can discuss the notion of compliance.
The Notion of Compliance
Let X be an infraction predicate that abstracts a deviation, and ϵ be the minimum amount a rational player needs to switch strategy.
At a high level, when a protocol is compliant according to a predicate X, then we know that the players starting from the honest strategy will not adopt strategies that are abstracted by X.
More formally, a protocol is (ϵ,X)-compliant if the cone of the honest strategy profile Π includes only vertices that correspond to strategy profiles that consist only of X-compliant strategies.
As already mentioned, this notion helps us to examine if rational players have incentives to perform specific attacks and to quantify the penalties needed to mitigate these attacks.
Below is an example of how we can use this notion.
Assume that we want to examine if rational players have incentives to follow a protocol Π. If we prove that following the protocol is a Nash equilibrium, then we know that if all the players start from the honest strategy, then no player has incentives to perform any attack. However, what happens when the protocol is not a Nash equilibrium? What can we conclude about the protocol?
We can conclude that rational players have incentives to deviate from the protocol, but we do not know exactly which deviations will follow. For example, we do not know if they will perform a dangerous attack on the system or not. In this scenario, we can define infraction predicates that abstract attacks which are dangerous for the system and examine if the protocol is compliant according to these attacks. If the protocol is not compliant according to a specific attack (e.g., signing two conflicting blocks), then we can check if imposing penalties solves the problem and eliminates the attack, and we can quantify the severity of the penalty needed.
The Notion of Compliance and Nash Equilibrium
The notion of compliance is a strictly weaker notion than the notion of Nash equilibrium. In the paper, the authors prove that a strategy profile is a ϵ-Nash equilibrium if and only if it is (ϵ,X)-compliant for every possible infraction predicate X.
This means that if a protocol is (ϵ,X)-compliant for a specific infraction predicate X, then it may or not be a ϵ-Nash equilibrium. The authors show that some Proof of Stake protocols can be compliant according to an infraction but not compliant according to another infraction, which means that they do not constitute a Nash equilibrium.
Finally, the authors use this notion to study the compliance of various Proof of Work and Proof of Stake blockchain protocols according to various utilities and to quantify the benefits that arise from imposing penalties for specific deviations.
Conclusion
In this post, we explained the term “incentives” and gave examples of what the research on incentives in blockchain protocols includes. We also explained basic terms and game-theoretic notions that are commonly used in the area of incentives. Moreover, we gave an overview of two frameworks that are used as a tool to examine incentives in blockchain protocols.
As previously mentioned, the research on incentives in blockchain protocols is very active, and many research works propose frameworks and/or study incentives. Please find a list of references below. For more references, you can check the research paper A Survey on Applications of Game Theory in Blockchain and the Ph.D. thesis Incentives in blockchain protocols.
References
- Aggelos Kiayias and Aikaterini-Panagiota Stouka. 2021. Coalition-safe equilibria with virtual payoffs. In Proceedings of the 3rd ACM Conference on Advances in Financial Technologies (AFT ‘21). Association for Computing Machinery, New York, NY, USA, 71–85. https://doi.org/10.1145/3479722.3480795 .A preprint can be found at https://arxiv.org/abs/2001.00047.
- Dimitris Karakostas , Aggelos Kiayias , Thomas Zacharias. 2022. Blockchain Nash Dynamics and the Pursuit of Compliance. Presented in AFT’22. A preprint can be found at https://arxiv.org/abs/2201.00858.
- Ittai Abraham, Danny Dolev, Rica Gonen, and Joe Halpern. 2006. Distributed Computing Meets Game Theory: Robust Mechanisms for Rational Secret Sharing and Multiparty Computation. In Proceedings of the Twenty-fifth Annual ACM Symposium on Principles of Distributed Computing (Denver, Colorado, USA) (PODC ’06). ACM, New York, NY, USA, 53–62. https://doi.org/10.1145/1146381.1146393
- Ittai Abraham, Dahlia Malkhi, Kartik Nayak, Ling Ren, and Alexander Spiegelman. 2016. Solidus: An Incentive-compatible Cryptocurrency Based on Permissionless Byzantine Consensus. CoRR abs/1612.02916 (2016). arXiv:1612.02916 http://arxiv.org/abs/1612.02916
- Amitanand S. Aiyer, Lorenzo Alvisi, Allen Clement, Mike Dahlin, Jean-Philippe Martin, and Carl Porth. 2005. BAR Fault Tolerance for Cooperative Services. In Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (Brighton, United Kingdom) (SOSP ’05). ACM, New York, NY, USA, 45–58. https://doi.org/10.1145/1095810.1095816
- V. Anantharam, “On the Nash dynamics of congestion games with player-specific utility,” 2004 43rd IEEE Conference on Decision and Control (CDC) (IEEE Cat. №04CH37601), 2004, pp. 4673–4678 Vol.5, doi: 10.1109/CDC.2004.1429526.
- Moshe Babaioff, Shahar Dobzinski, Sigal Oren, and Aviv Zohar. 2012. On Bitcoin and Red Balloons. In Proceedings of the 13th ACM Conference on Electronic Commerce (Valencia, Spain) (EC ’12). ACM, New York, NY, USA, 56–73. https://doi.org/10.1145/2229012.2229022
- Christian Badertscher, Juan Garay, Ueli Maurer, Daniel Tschudi, and Vassilis Zikas. 2018. But Why Does It Work? A Rational Protocol Design Treatment of Bitcoin. In Advances in Cryptology — EUROCRYPT 2018, Jesper Buus Nielsen and Vincent Rijmen (Eds.). Springer International Publishing, Cham, 34–65.
- Iddo Bentov, Pavel Hubácek, Tal Moran, and Asaf Nadler. 2017. Tortoise and Hares Consensus: the Meshcash Framework for Incentive-Compatible, Scalable Cryptocurrencies. IACR Cryptology ePrint Archive 2017 (2017), 300. http://eprint.iacr.org/2017/300
- Bleumer, G. (2011). Random Oracle Model. In: van Tilborg, H.C.A., Jajodia, S. (eds) Encyclopedia of Cryptography and Security. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-5906-5_220.
- Lars Brünjes, Aggelos Kiayias, Elias Koutsoupias, and Aikaterini-Panagiota Stouka. Reward sharing schemes for stake pools. In 2020 IEEE European Symposium on Security and Privacy, pages 256 − 275, Los Alamitos, CA, USA, sep 2020. IEEE Computer Society. Full version available at arXiv, CoRR, abs/1807.11218, 2018.
- Ran Canetti. 2000. Universally Composable Security: A New Paradigm for Cryptographic Protocols. Cryptology ePrint Archive, Report 2000/067. https://eprint.iacr.org/2000/067.
- R. Canetti. 2001. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In Proceedings of the 42Nd IEEE Symposium on Foundations of Computer Science (FOCS ’01). IEEE Computer Society, Washington, DC, USA, 136–145. http://dl.acm.org/citation.cfm?id=874063.875553
- Miles Carlsten, Harry Kalodner, S. Matthew Weinberg, and Arvind Narayanan. 2016. On the Instability of Bitcoin Without the Block Reward. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (Vienna, Austria) (CCS ’16). ACM, New York, NY, USA, 154–167. https://doi.org/10.1145/2976749.2978408
- Ittay Eyal and Emin Gün Sirer. 2014. Majority Is Not Enough: Bitcoin Mining Is Vulnerable. In Financial Cryptography and Data Security, Nicolas Christin and Reihaneh Safavi-Naini (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 436–454
- Juan Garay, Jonathan Katz, Ueli Maurer, Björn Tackmann, and Vassilis Zikas. 2013. Rational Protocol Design: Cryptography Against Incentive-Driven Adversaries. In Proceedings of the 2013 IEEE 54th Annual Symposium on Foundations of Computer Science (FOCS ’13). IEEE Computer Society, Washington, DC, USA, 648–657. https://doi.org/10.1109/FOCS.2013.75
- Juan Garay, Aggelos Kiayias, and Nikos Leonardos. 2015. The Bitcoin Backbone Protocol: Analysis and Applications. In Advances in Cryptology — EUROCRYPT 2015, Elisabeth Oswald and Marc Fischlin (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 281–310.
- Jonathan Katz and Yehuda Lindell. 2007. Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series). Chapman & Hall/CRC.
- Aggelos Kiayias, Elias Koutsoupias, Maria Kyropoulou, and Yiannis Tselekounis. 2016. Blockchain Mining Games. In Proceedings of the 2016 ACM Conference on Economics and Computation (Maastricht, The Netherlands) (EC ’16). ACM, New York, NY, USA, 365–382. https://doi.org/10.1145/2940716.2940773
- Aggelos Kiayias, Elias Koutsoupias and A. -P. Stouka, “Incentives Against Power Grabs or How to Engineer the Revolution in a Pooled Proof of Stake System,” 2021 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS), 2021, pp. 1–10, doi: 10.1109/DAPPS52256.2021.00006.
- Kevin Liao and Jonathan Katz. 2017. Incentivizing Blockchain Forks via Whale Transactions. In Financial Cryptography and Data Security, Michael Brenner, Kurt Rohloff, Joseph Bonneau, Andrew Miller, Peter Y.A. Ryan, Vanessa Teague, Andrea Bracciali, Massimiliano Sala, Federico Pintore, and Markus Jakobsson (Eds.). Springer International Publishing, Cham, 264–279
- Ziyao Liu, Nguyen Cong Luong, Wenbo Wang, Dusit Niyato, Ping Wang, YingChang Liang, and Dong In Kim. 2019. A Survey on Applications of Game Theory in Blockchain. arXiv:1902.10865 [cs.GT]
- Z. Liu et al “A Survey on Blockchain: A Game Theoretical Perspective,” in IEEE Access, vol. 7, pp. 47615–47643, 2019, doi: 10.1109/ACCESS.2019.2909924.
- Shashank Motepalli, Hans-Arno Jacobsen: Reward Mechanism for Blockchains Using Evolutionary Game Theory. BRAINS 2021: 217–224.
- Rafael Pass and Elaine Shi. 2017. FruitChains: A Fair Blockchain. In Proceedings of the ACM Symposium on Principles of Distributed Computing (PODC ‘17). Association for Computing Machinery, New York, NY, USA, 315–324. https://doi.org/10.1145/3087801.3087809
- Yoav Shoham Kevin Leyton-Brown. Essentials of Game Theory: A Concise Multidisciplinary Introduction (Synthesis Lectures on Artificial Intelligence and Machine Learning). Morgan & Claypool Publishers, 2008.
- Aikaterini-Panagiota Stouka. Incentives in Blockchain Protocols. University of Edinburgh https://era.ed.ac.uk/handle/1842/38227
Disclaimer:
- This post has been prepared for the general information and understanding of the readers. The views and strategies described may not be suitable for all readers. Both past performance and yield may not be a reliable guide to future performance. All case studies are shown for illustrative purposes only and should not be relied upon as advice or interpreted as a recommendation.
- This post is based on the scope of materials and documentation publicly available to Nethermind. It does not indicate Nethermind’s endorsement of any particular project or team, nor guarantee its security. No third party should rely on this post in any way, including for the purpose of making any decisions to buy or sell a product, service or any other asset. To the fullest extent permitted by law, Nethermind disclaims any liability in connection with this post, its content, and any related services and products and your use thereof, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. Nethermind does not warrant, endorse, guarantee, or assume responsibility for any product or service advertised or offered by a third party through the product, any open source or third-party software, code, libraries, materials, or information linked to, called by, referenced by or accessible through the post, its content, and the related services and products, any hyperlinked websites, any websites or mobile applications appearing on any advertising, and Nethermind will not be a party to or in any way be responsible for monitoring any transaction between you and any third-party. You should use your best judgment and exercise caution where appropriate. FOR AVOIDANCE OF DOUBT, THE POST, ITS CONTENT, ACCESS, AND/OR USAGE THEREOF, INCLUDING ANY ASSOCIATED SERVICES OR MATERIALS, SHALL NOT BE CONSIDERED OR RELIED UPON AS ANY FORM OF FINANCIAL, INVESTMENT, TAX, LEGAL, REGULATORY, OR OTHER ADVICE.
Nethermind is a team of world-class builders and researchers. We empower enterprises and developers worldwide to access and build upon the decentralized web. Our work touches every part of the Web3 ecosystem, from our Nethermind node to fundamental cryptography research and application-layer protocol development. We’re always looking for passionate people to join us in solving Ethereum’s most difficult challenges. Are you interested? Check out our job board https://nethermind.io/company/
