Communications of the ACM

longest, although other approaches have been suggested. 25

As a result, there is always some uncertainty whether a transaction on the blockchain is permanent, although the probability that a block, once on the blockchain, will be replaced decreases exponentially with the number of blocks that follow it. 9, 20 If Bob uses Alice’s cryptocoupons to buy a car from Carol, Carol would be prudent to wait until Bob’s transaction is fairly deep in the blockchain to minimize the chances that it will be displaced by a fork.

Although Po W is currently the basis for the most popular cryptocurrencies, it is not the only game in town. There are multiple proposals where cryptocurrency ownership assumes the role of costly signaling, such as Ethereum’s Casper2 or Algorand. 10 Cachin and Vukolic3 give a comprehensive survey of blockchain consensus protocols.

Discussion. The distinction between private (or permissioned) blockchain systems, where parties have reliable identities, and only vetted parties can participate, and public (or permissionless) blockchain systems, where parties cannot be reliably identified, and anyone can participate, is critical for making sense of the blockchain landscape.

Private blockchains are better suited for business applications, particularly in regulated industries, like finance, subject to know-your customer and anti-money-laundering regulations. Private blockchains also tend to be better at governance. For example, the lack of any orderly procedure for updating the ledger protocol in response to changing circumstances has caused feuding factions to split both Ethereum6 and Bitcoin12 into distinct, incompatible currencies. Most prior work on distributed algorithms has focused on systems where participants have reliable identities.

Public blockchains are appealing for applications such as Bitcoin, which seek to ensure nobody can control who can participate, and participants may not be eager to have their identities known. Although PoW was invented by Dwork and Naor7 as a way to control spam, Nakamoto’s application of Po W to large-scale consensus was a genuine innovation, one that launched the entire blockchain field.

work. Every miner, and everyone else who cares, keeps a local copy of the ledger, kept more-or-less up-to-date over the gossip network.

Alice is still worried that crooked miners could cheat her customers. Most miners are probably honest, content to collect their fees, but there is still a threat that even a small number of dishonest miners might collude with one another to cheat Alice’s investors. Alice’s first idea is to have miners, identified by their IP addresses, vote via the Byzantine fault-tolerant consensus algorithm4 used in the frozen yogurt example.

Alice quickly realizes this is a bad idea. Alice has a nemesis, Sybil, who is skilled in the art of manufacturing fake IP addresses. Sybil could easily overwhelm any voting scheme simply by flooding the protocol with “ sock-puppet” miners who appear to be independent, but are actually under Sybil’s control.

We noted earlier that the frozen yo-
gurt supply chain blockchain was not
vulnerable to this kind of “Sybil attack”
because parties had reliable identities:
only Alice, Bob, and Carol were allowed
to participate, and even though they
did not trust one another, each one
knew they would be held accountable
if caught cheating. By contrast, Alice’s
Restaurant’s cryptocoupon miners do
not have reliable identities, since IP ad-
dresses are easily forged, and a victim
would have no recourse if Sybil were to
steal his coupons.

Essentially the same problem arises when organizing a street gang: how to ensure someone who wants to join the gang is not a plainclothes police officer, newspaper reporter, or just a freeloader? One approach is what sociologists call costly signaling: 29 the candidate is required to do something expensive and difficult to fake, like robbing a store, or getting a gang symbol tattoo.

In the public blockchain world, the most common form of costly signaling is called proof of work (Po W). In Po W, consensus is reached by holding a self-administered lottery among the miners to decide which transaction is appended next to the ledger. Here is the clever part: buying a lottery ticket is a form of costly signaling because, well, it is costly: expensive in terms of time wasted and electricity bills. Sybil’s talent for impersonation is useless to her if each of her sock puppet miners must buy an expensive, long shot lottery ticket.

Specifically, in the Po W lottery, miners compete to solve a puzzle, where solving the puzzle is difficult, but proving one has solved the puzzle is easy (see sidebar “Proof of Work Puzzles”). Simplifying things for a moment, the first miner to solve the puzzle wins the consensus, and gets to choose the next block to append to the ledger. If that block is valid, that miner also receives a reward (another coupon), but the other miners receive nothing, and must start over on a new puzzle.

As hinted, the previous paragraph was an oversimplification. In fact, PoW consensus is not really consensus. If two miners both solve the puzzle at about the same time, they could append blocks to the blockchain in parallel, so that neither block precedes the other in the chain. When this happens, the blockchain is said to fork. Which block should subsequent miners build on? The usual answer is to build on the block whose chain is

Figure 1. Pseudocode for DAO-like contract.

function withdraw(unit amount){ client = msg.sender: if (balance[ client ] >=amount}{ if (client . call . sendMoney(amount)){ balance[ client ] ¬–=amount;

}}}

Figure 2. Pseudocode for DAO-like exploit.

function sendMoney(unit amount){ victim = msg.sender; balance += amount; victim.withdraw(amount)

}

A cryptographic hash function H(∙) has the property that for any value v, it is easy to compute H(v), but it is infeasible to discover a v ′ ≠ v such that H(v ′) = H(v).