Abstract. Proof-of-work blockchains must implement a difficulty adjust-
ment algorithm (DAA) in order to maintain a consistent inter-arrival time
between blocks. Conventional DAAs are essentially feedback controllers,
and as such, they are inherently reactive. This approach leaves them
susceptible to manipulation and often causes them to either under- or
over-correct. We present Bonded Mining, a proactive DAA that works
by collecting hash rate commitments secured by bond from miners. The
difficulty is set directly from the commitments and the bond is used to
penalize miners who deviate from their commitment. We devise a statisti-
cal test that is capable of detecting hash rate deviations by utilizing only
on-blockchain data. The test is sensitive enough to detect a variety of
deviations from commitments, while almost never misclassifying honest
miners. We demonstrate in simulation that, under reasonable assump-
tions, Bonded Mining is more effective at maintaining a target block
time than the Bitcoin Cash DAA, one of the newest and most dynamic
DAAs currently deployed. In this preliminary work, the lowest hash rate
miner our approach supports is 1% of the total and we directly consider
only two types of fundamental attacks. Future work will address these
limitations.
Keywords: Difficulty adjustment · protocols · cryptocurrencies
1 Introduction
Blockchain protocols maintain a public ledger of account balances that are
updated by authorized transactions. Proof-of-work (PoW) mining is the process
of assembling transactions into blocks and earning the right to add the block to
a growing chain [24]. PoW mining involves repeatedly cryptographically hashing
the assembled block, each time with a different nonce. The hashes are generated
uniformly at random from a space with maximum value S. When a hash falls
below a target t, the corresponding block is said to be mined, and it is added to
the blockchain. Closely related to target is the difficulty3 D, which is equal to S/t.
3 Technically D = t0/t, where t0 ≈ S is the target with highest possible difficulty, but this
detail is not important for our analysis.
The expected time required to mine a block is a function of D and the rate that
hashes are generated, or hash rate h. Hash rate fluctuates (sometimes rapidly)
over time, and therefore PoW blockchains must adjust D to ensure that the
expected block time remains roughly constant. Currently, all PoW blockchains
use a difficulty adjustment algorithm (DAA) to adjust D as h fluctuates.
Although implementations vary widely, each DAA is essentially a feedback
controller analogous to a thermostat. The DAA uses previous block creation
times to detect a change in h, and then it makes an adjustment to D in order
to move the expected times toward the desired value T. There are three major
limitations to this reactive approach.
1. There is a tendency to either over or under correct, which can cause oscillations
in block time [29, 30].
2. Contentious hard forks create significant instability in block times for mi-
nority hash rate blockchains, which must resort to a backup controller that
compensates for swings in miner hash rate allocation preference [31].
3. Most control algorithms can be gamed by miners without consequence in
order to extract higher rewards [18, 21], causing fluctuations in block time as
a result.
4. Feedback control is inherently reactionary; it only uses historical block time
and difficulty data to produce future difficulty values.
Contributions. We present Bonded Mining, a protocol that enhances PoW
mining with a proactive approach to difficulty adjustment so that inter-block
times are always near their desired value despite sudden hash rate changes. The
idea is to ask miners to commit to their individual hash rate and financially bind
them to it by holding bond. Difficulty is adjusted based on these self-reported
commitments. Miners are incentivized to commit to a realistic estimate of their
future hash rate and honor their commitment, even if it becomes nominally more
profitable to direct their hash rate elsewhere. The protocol is flexible: miner
commitments last until they mine their next block; and they can deviate from
the commitment (incurring a penalty commensurate with their deviation) as long
as they are truthful about the deviation.
For security, we derive a statistical test (using on-blockchain data only) that
is capable of detecting both short- and long-term deception from miners. Miners
who fail the test suffer a significant financial penalty. The test is sensitive enough
to detect a miner who drops to 20% of her commitment for a week or more, and
it can also detect when she strays from her commitment by as little as 1% every
block over the course of 70 days or more. This sensitivity comes with very little
risk for honest miners. Even when a miner deviates from her commitment, if she
truthfully reports that deviation, then the probability of failing any test over the
course of a year is less than 0.3%.
Because of its proactive design and the penalties associated with deception,
Bonded Mining is better capable of maintaining the desired expected block times
than are conventional, reactive approaches. In Bonded Mining, the extent to
which block times remain close to desired time T is the extent to which miners
value their bond more than a change in their hash rate.