FedChain: Secure Proof-of-Stake-based Framework for Federated-blockchain Systems
Cong T. Nguyen, Dinh Thai Hoang, Diep N. Nguyen, Yong Xiao, Hoang-Anh Pham, Eryk Dutkiewicz, Nguyen Huynh Tuong
FFedChain: Secure Proof-of-Stake-basedFramework for Federated-blockchain Systems
Cong T. Nguyen, Dinh Thai Hoang, Diep N. Nguyen, Yong Xiao, Hoang-Anh Pham, Eryk Dutkiewicz andNguyen Huynh Tuong
Abstract —In this paper, we propose FedChain, a novel framework for federated-blockchain systems, to enable effective transferring oftokens between different blockchain networks. Particularly, we first introduce a federated-blockchain system together with a cross-chaintransfer protocol to facilitate the secure and decentralized transfer of tokens between chains. We then develop a novel PoS-basedconsensus mechanism for FedChain, which can satisfy strict security requirements, prevent various blockchain-specific attacks, andachieve a more desirable performance compared to those of other existing consensus mechanisms. Moreover, a Stackelberg gamemodel is developed to examine and address the problem of centralization in the FedChain system. Furthermore, the game model canenhance the security and performance of FedChain. By analyzing interactions between the stakeholders and chain operators, we canprove the uniqueness of the Stackelberg equilibrium and find the exact formula for this equilibrium. These results are especiallyimportant for the stakeholders to determine their best investment strategies and for the chain operators to design the optimal policy tomaximize their benefits and security protection for FedChain. Simulations results then clearly show that the FedChain framework canhelp stakeholders to maximize their profits and the chain operators to design appropriate parameters to enhance FedChain’s securityand performance.
Index Terms —Blockchain, Proof-of-Stake, cross-chain transfer, sidechain, multiple-blockchain, and Stackelberg game. (cid:70)
NTRODUCTION
Over the last few years, the development of the blockchaintechnology has attracted massive attention. A blockchainis an append-only ledger of transactions shared amongthe participants in a peer-to-peer network. With the helpof consensus mechanisms, once a transaction enters theblockchain, it cannot be changed without the consensusof the majority of the network. Beside data immutability,the consensus mechanism also plays a key role in ensuringthat such a decentralized network can reach the consensuswithout a central authority, thereby avoiding the single-point-of-failure. Moreover, advanced cryptography tech-niques such as digital signatures and asymmetric keys [1],[7] enable blockchain users to create easily verifiable butimpossible to forge proofs of authentication for assets (i.e.,blockchain tokens) while enhancing the anonymity andprivacy of users. As a result, blockchain can enable trustedtransactions among network participants even in an openand decentralized environment. With such outstanding ben-efits, blockchain has been implemented as the backboneof numerous applications in many areas such as finance,healthcare, and Internet-of-Things (IoT) [1], [7]. • Cong T. Nguyen, Hoang-Anh Pham, and Nguyen Huynh Tuong are withthe Ho Chi Minh City University of Technology, VNU-HCM, Vietnam.E-mail: { ntcong.sdh19, anhpham } @hcmut.edu.vn. • Diep N. Nguyen, Dinh Thai Hoang, and Eryk Dutkiewicz arewith the School of Electrical and Data Engineering, Universityof Technology Sydney, Australia. E-mail: { diep.nguyen, hoang.dinh,eryk.dutkiewicz } @uts.edu.au. • Yong Xiao is with the School of Electronic Information and Communica-tions, Huazhong University of Science and Technology, Wuhan, China.E-mail: [email protected]
Despite its popularity and potential, blockchain hasbeen facing various challenges. The rapid development ofblockchain and the massive popularity of cryptocurrencyhave lead to the creation of a plethora of blockchain net-works. For example, the number of cryptocurrency net-works has increased nearly four times in just one year(from 2000 cryptocurrencies in 2019 to 7400 by the time thisarticle is written, i.e., December 2020 [3]). These blockchainnetworks are currently employing diverse consensus mech-anisms, which results in severe fragmentation since thesenetworks cannot communicate with each other. However,there are many blockchain-based applications where theability to transfer assets between different blockchains isessential, such as coalition loyalty programs and retail pay-ment. For example, in coalition loyalty programs, users needto exchange their loyalty points among different programs,which are stored on different blockchains in the forms ofblockchain tokens. Similarly, in retail payment, vendorsmight only accept a certain type of tokens, and thus theusers need to exchange their tokens to another type. How-ever, for single blockchain networks, users who want to ex-change tokens have to rely on trusted centralized exchangeplatforms, e.g., Binance [4] and Kraken [5], which is againstthe decentralized nature of blockchain and poses serious se-curity threats. Particularly, there have been many attacks onthese exchanges, resulting in a cumulative loss of more than$1 billion [6] over the last few years. Moreover, the trade-offbetween performance and security in consensus mechanismdesigns usually leads to high delay and low processingthroughput. For example, Bitcoin needs 1 hour to confirm atransaction and can only process less than 7 transactions persecond [7], which hinders blockchain applicability in manyscenarios. Thus, this necessitates an effective frameworkthat not only allows the interoperability among blockchains a r X i v : . [ c s . G T ] J a n etworks, but also guarantees the security and performanceof each individual network.To address these problems, the sidechain technology [8]has been developed to enable the formation of the federated-blockchain system, which consists of multiple blockchainsto allow the users to transfer assets to any blockchainwithin. The core mechanism of the sidechain technologythat enables the exchanging of tokens between differentchains is the two-way peg mechanism. Specifically, whena user wants to transfer its assets from one chain to an-other chain, the user first creates a transaction to lock itsassets on the originating chain. Then, a group of validators,selected by the two-way peg mechanism, will verify andconfirm this transaction, and create a corresponding amountof assets on the destination chain. Typically, the two-waypeg mechanism can ensure that the cross-chain transfersare secure and cannot be reverted, i.e., avoid cross-chaindouble-spending attacks [8]. However, the development ofthe sidechain technology is still in a nascent stage, andit does not fully satisfy the security nor the performancerequirements of federated-blockchain systems. Particularly,the ability to transfer assets between multiple chains maylead to centralization to a single chain, e.g., mining powercentralization in Proof-of-Work (PoW) and stakes central-ization in Proof-of-Stake (PoS). This poses a security threatto the other chains in the same federation. Moreover, mostcurrent sidechain applications still employ the PoW mech-anism which requires huge energy consumption and hasvery low processing capabilities [1], [2]. Therefore, a secureand effective framework, which can address both securityand performance issues for cross-chain transfers, is in urgentneed for the future development of blockchain networks. Sidechain technology was first introduced in [8] as a novelmethod to facilitate cross-chain transfers. Particularly, two-way peg and Simplified Payment Verification (SPV) proofmechanisms are developed so that the validators can verifyand confirm transactions between different blockchains. Al-though this work paves the way for many research worksand applications, the security and performance issues ofsidechain are only briefly mentioned and not well investi-gated [8]. After the introduction of the sidechain technology,there have been several notable real-world applications suchas PoA [10], Liquid [11], and RSK [12]. However, these appli-cations are facing several challenges. In particular, the PoAapproach relies on a fixed federation of 23 validators to vali-date the cross-chain transactions between the Ethereum [13]and several sidechains. This results in a low decentralizationlevel for the consensus process. Moreover, these validators’identities are publicly known, making them easier to be tar-geted by attackers. Similarly, the Liquid approach [11] alsorelies on a federation to validate cross-chain transactions.Although these validators are not publicly known, they arechosen only by the network operators, and thus Liquid isnot a public blockchain network. Moreover, Liquid is usinga version of the PoW consensus mechanism which requireseven more computational resources than Bitcoin (Liquidrequires the validators to run a Bitcoin node in parallel witha Liquid node). Similar to Liquid, RSK employs a federa-tion to validate transactions via a PoW-based mechanism. Although RSK is more decentralized, i.e., the federation inRSK is determined by public voting, RSK is still limited bythe huge energy consumption of the PoW mechanism.Different from the PoW mechanism, the PoS mechanismenables the blockchain participants to reach the consensusby proving tokens ownership. As a result, the PoS mecha-nism is much more energy-efficient and can achieve highertransaction processing speed compared to those of the PoWmechanism [1], [2], [7]. Due to those advantages, recentresearch works in the area of the sidechain technologyhave shifted towards the PoS mechanism. In [14], a cross-chain transfer protocol is developed for cross-chain transfersbetween a primary blockchain (main chain) and a secondarychain (sidechain). To validate the cross-chain transactions,the protocol relies on a set of certifiers who are chosenby the main chain. A major advantage of the proposedprotocol is the independence between the side chain andmain chain in terms of security and operations. However,the security of this protocol is not analyzed. In [15], theauthors propose a sidechain system, in which both thesidechain and the main chain employ a PoS mechanism, i.e.,Ouroboros. Unlike the previous works, this work focusesmore on the security aspects of the sidechain technology,providing formal definitions and robust security analyses.Moreover, the proposed system ensures the independence interms of security between the blockchains within. However,the risk of centralization is not addressed. Similar to [14], theauthors in [16] also introduces a cross-chain transfer proto-col to allow interoperability between a main chain and a sidechain. The cross-chain transfer protocol in [16] is proposedwith formal definitions, and a consensus mechanism is alsopresented in a similar way as in [15]. However, there areseveral limitations in this work, such as the lack of formalsecurity analysis and the unaddressed risk of centralization.To the best of our knowledge, the risk of centralizationin federated-blockchain systems has not been addressed inany previous work. Specifically, the ability to transfer tokensbetween blockchains may lead to situations where the userscentralize to a single blockchain in the system. Particularly,in PoS blockchains, a user who participates in the consensusmechanism has a chance to be selected to create new blocksand obtain a reward. That chance is directly proportionalto the tokens the user possesses in the network [1], [2].Therefore, a blockchain with a higher reward might attractmore users and tokens, as the users will transfer their tokensto that blockchain to earn more profits. Such centralizationof tokens and users may have negative impacts on the secu-rity and performance of the other blockchains in the samesystem. This is because the state of each PoS blockchain isdetermined by the majority of stakes (tokens), i.e., users whohave more stakes (tokens) are more likely to be selectedto add new blocks. Consequently, it is easier for attackersto target the blockchains that have fewer tokens. This cansignificantly impact these blockchains’ security and perfor-mance. Furthermore, since the cross-chain transfer requiresthe confirmation of transactions in both the originating anddestination chains, the centralization of stakes also reducesthe overall system performance. More detailed analysis ofthese negative impacts will be presented in Section 3. .3 Contributions and Paper Organization
The main contributions of this paper are summarized asfollows: • Propose FedChain, an effective and secure frame-work for cross-chain transfer in federated-blockchainsystems. Particularly, Fedchain facilitates two-waytransfers of assets between different blockchains inthe system by utilizing the sidechain technology.Moreover, to address the security and performancelimitations of current sidechain technology, we de-velop a PoS consensus mechanism and a Stackelberggame model specifically for FedChain. • Develop a novel PoS-based consensus mechanism forthe individual blockchain in FedChain. By designingnew effective rules, we can significantly improve thesecurity and performance of the consensus mecha-nism. Particularly, through theoretical and numeri-cal analyses, we prove that the proposed consensusmechanism can satisfy the persistence and livenessproperties [24], prevent many blockchain-specific at-tacks, and achieve a more desirable transaction con-firmation time compared to several other mecha-nisms such as the Nakamoto protocol (of Bitcoin) [25]and Ouroboros (of Cardano) [17]. • We develop an incentive mechanism using a Stack-elberg game model [30] for FedChain in order toprovide additional benefits for the users, enhanceFedChain’s security and performance, and addressthe problem of centralization in the sidechain tech-nology. Moreover, we propose a highly effectiveutility function for the chain operators, which canhelp to attract more stakes to the individual chainswhile still ensuring the overall decentralization ofthe system. To the best of our knowledge, this isthe first paper addressing the risk of centralization infederated-blockchain systems. Furthermore, by ana-lyzing interactions between the stakeholders and thechain operators, we can prove the uniqueness of theStackelberg equilibrium and find the exact formulafor this equilibrium. These results are especially im-portant for the stakeholders to determine their bestinvestment strategies and for the chain operators todesign the optimal policy to enhance the system’ssecurity and transaction processing capabilities. • Extensive simulations are performed to evaluate thesystem performance of FedChain. The simulationresults then confirm the analytical results and showthat FedChain can help the users to maximize theirprofit and the blockchain operators to determinetheir optimal blockchain parameters to improve thesystem’s security and performance.The rest of this paper is organized as follows. We firstpresent the federated-blockchain framework in Section 2.We then analyze the proposed consensus mechanism forour framework in Section 3. After that, we introduce andanalyze the Stackelberg game in Section 4. Finally, simula-tions and numerical results are presented in Section 5, andconclusions are drawn in Section 6.
EDERATED - BLOCKCHAIN S YSTEM
Before elaborating on our proposed consensus mechanismand incentive mechanism, we provide a brief overview ofthe federated-blockchain system and the cross-chain trans-fer procedure in this section [8], [9]. As illustrated in Fig. 1,the system is composed of two types of entities as follows: • Chains (blockchains):
In FedChain, individualblockchain networks, managed by blockchain opera-tors, can communicate with each other via the cross-chain transfer protocol. Each chain has its own typeof token and an individual consensus mechanism.When a new blockchain network wants to join thesystem, it only needs to negotiate with the existingchains and create smart contracts accordingly. • Users:
Users are the participants of the chains inthe system. These users can freely exchange differenttypes of tokens by using the smart contracts createdby the operators. They can also participate in the con-sensus mechanism in every chain to earn economicprofits through block rewards.
The SPV mechanism allows tokens from one chain to besecurely transferred to another at a predetermined rate.When a user wants to prove that a transfer transactionfrom an originating chain to a destination chain is valid, anSPV proof is submitted. This proof shows that the transfertransaction belongs to a valid block of the originating chain.Although this process takes a long time for confirmation,it eliminates the risk of centralization and single-point-of-failure compared to those of the centralized and federatedscheme [9]. Therefore, the SPV proof is selected as the cross-chain transfer mechanism in our proposed FedChain. As il-lustrated in Fig. 1, the SPV-based token exchange procedureconsists of several steps as follows: • Step 0:
Two chains negotiate an agreement whichspecifies the exchange rate between the two tokens.The chain operators then create in each chain a smartcontract according to the agreement. • Step 1:
When a user wants to exchange T o tokensinto T o tokens, the user sends a transaction Tx1 ,containing T o tokens, from its account on chain 2to the smart contract SC . • Step 2:
The user then sends a transaction
Tx2 and anSPV proof from its account on chain 1 to SC . Tx2 then triggers SC to validate the SPV proof. • Step 3:
During the confirmation period, SC checks(1) the validation of the SPV proof and (2) anyconflicts of the submitted SPV proof. • Step 4:
After the confirmation period, SC sends anumber of T o tokens to the customer’s address onchain 1 in accordance with the exchange rate.The security features of the SPV proof mechanism areproven in [8]. Generally, the SPV proof points to the blockthat contains the cross-chain transfer transaction in the orig-inating chain. Therefore, the validators only have to validatethe block that contains the transaction. Thus, the security of hain 4Chain 4 Chain 2Chain 2Chain 3Chain 3 Chain 1Chain 1 Cross-chain TransferCross-chain Transfer Cross-chain Transfer
Cross-chain Transfer
Chain 1 operators Create smart contracts SC and SC Chain 1 Chain 2operators
Chain 2 UserUser o to SC
3 SC checks if the SPV proof is valid3 SC checks if the SPV proof is valid 4......Confirmation period0 Store on chain 10 Store on chain 1 SC sends tokens T o to the user ’ s account on chain 1 Cross-chain Transfer
Chain 1 operators Create smart contracts SC and SC Chain 1 Chain 2operators
Chain 2 User o to SC
3 SC checks if the SPV proof is valid 4......Confirmation period0 Store on chain 1 SC sends tokens T o to the user ’ s account on chain 1 User 1User 1 $ Token 1 $ Token 1 $ Token 2 $ Token 2 $ Token 4 $ Token 4 $ Token 1 $ Token 1
Fig. 1. The federated-blockchain system. the SPV proof only relies on the security of the originatingchain, i.e., the SPV proof is secure if the originating chainis secure. However, this leads to a drawback of the SPVproof mechanism, which is the low confirmation speed (thevalidators have to wait until the transaction is confirmedon the originating chain). Moreover, as the stakes can betransferred between chains, if the security of one chain isviolated, the whole system will fail. Therefore, in the nextsection, we will propose an effective consensus mechanismthat can achieve lower transaction confirmation time com-pared to other conventional mechanisms while satisfyingthe persistence and liveness properties [24] and being ableto prevent various blockchain attacks. ED C HAIN ’ S C ONSENSUS M ECHANISM
In this section, we develop an effective consensus mecha-nism for FedChain with four new consensus rules based onthe consensus mechanism proposed in [17]. Compared withother conventional consensus mechanisms such as [17]–[23], our proposed consensus mechanism can satisfy boththe liveness and persistence properties, prevent variousblockchain attacks, and achieve an especially low transac-tion confirmation time as discussed in the following.
As illustrated in Fig. 2, time is divided into epochs, and eachepoch is divided into time slots in FedChain’s consensusmechanism. At the first time slot of epoch e k , a committeeconsisting of some users (stakeholders) executes an electionprotocol to elect the leaders for the epoch e k , such that foreach time slot there is one designated leader who adds onenew block to the chain. Similar to [17], we assume that atime slot duration of 20 seconds is sufficient for the leader tobroadcast a block to every node in the chain. The committeealso select the committee members for the epoch e k +1 . To elect the leaders and committee, the current epoch’scommittee members execute the Publicly Verifiable SecretSharing (PVSS) protocol [26] to create seeds for the Follow-the-Satoshi (FTS) algorithm [2]. The PVSS protocol allowsthe participants to produce unbiased randomness in the
Committee members
Committee and leaders election protocol ...
TimeTime slot Time slot Time slot Time slot
Follow-the-Satoshi Algorithm
PVSS protocol SeedsSeeds
Fig. 2. Epoch-based committee and leader election. form of strings and any network user to verify these strings,as long as the majority (51%) of participants are honest, asproven in [26]. Once the random strings are created, they areused as the seeds for the FTS algorithm. The FTS algorithmis a hash function that takes any string as input and outputstoken indices [2]. The current owners of these tokens arethen chosen as the leaders of this epoch or committeemembers of the next epoch.The probability P n that user n is selected to be the leaderand committee member by the FTS algorithm in a networkof N stakeholders is P n = s n (cid:80) Ni =1 s i , (1)where s n is the number of stakes (tokens) of stakeholder n .As observed in (1), the more stakes a stakeholder has, thehigher chance it can be selected to be the leader. Comparedto [17], we design four new consensus rules as follow: • I : After executing the PVSS protocol, the leader listis broadcast to every node in the chain. • I : If a leader fails to broadcast its block during itsdesignated time slot (e.g., being offline during itstime slot), an empty block will be added to the chain • I : Once a block is broadcast, the designated leaderwill not change the block at any later time. • I : Upon receiving two forks (different versions ofthe chains), an honest user will adopt the longestalid fork, i.e., the longest fork that has no conflictingblocks and each block is signed by a designatedleader.These new consensus rules help to considerably reduce theprobability that an adversary can successfully create analternative version of the chain, thereby significantly im-proving the chain’s security and performance. The detailedanalysis will be discussed in Theorem 1. The incentive mechanism plays a crucial role in ensur-ing that the stakeholders follow the consensus mechanismproperly. To this end, the incentive mechanism needs toincentivize consensus participants via a reward scheme andpenalize malicious behavior via a penalty scheme.For the reward scheme, a leader will receive a fixednumber of tokens when the leader adds a new block tothe chain. This is also to incentivize the leaders to be on-line during their designated time slots. In single-blockchainsettings such as Bitcoin [25] and Cardano [17], the blockreward is set at a fixed value for a long period of time, e.g., 4years in Bitcoin. However, in FedChain, having a fixed blockreward scheme may pose security threats. The reason is thatthe stakes can be transferred between chains in our system,and the total network stakes can also vary in times, e.g.,stakes increase from block rewards, and the stakes decreasefrom cross-chain transfers, etc. Since the probability that astakeholder is elected to be the leader and able to obtaina block reward depends on the individual chain’s stakes,stakeholders may transfer their stakes to a chain with ahigher block reward to earn more profits. Consequently, thismay attract stakes into a single chain and make it easier foradversaries to control the majority of stakes in the otherchains. Therefore, in the following sections, we analyze thestakeholder rational strategy and propose a dynamic rewardscheme to protect the decentralization of the whole system.With our proposed dynamic reward scheme, at the end ofeach epoch, the chains will adjust new block reward valuesfor the next epoch, taking the total network stakes and thefinal stakes distribution among the chains in the currentepoch into account. The dynamic reward scheme will bediscussed in more details in Section 4.For the penalty scheme, the leader is required to makea deposit that will be locked during its designated epoch toprevent nothing-at-stake, bribe [2], and transaction denialattacks [17]. The stakes of committee members are alsolocked during the epoch that they are serving in the com-mittee to prevent long-range attacks [2]. How the proposedpenalty scheme can prevent the mentioned attacks will bediscussed in the following security analysis.
Since the SPV proof mechanism’s security depends on thesecurity of the individual chains, the security of the wholesystem also relies on the security of each chain. We considertwo types of adversaries that target the individual chains,aiming to perform attacks such as double-spending, grind-ing, nothing-at-stakes, bribe, transaction denial, and long-range attacks [2]. As illustrated in Fig. 3, the consideredtypes of adversaries are: • Static Adversary:
This type of adversary uses a stakebudget B A to attack a chain. Let B n and γ denotethe stake budgets of stakeholder n and the honeststake ratio, respectively. Then, the ratio of adversarialstakes is − γ = B A (cid:80) Nn =1 B n + B A . • Adaptive Adversary:
In contrast to the static adver-sary setting, the adaptive adversary does not have afixed number of stakes. However, this type of adver-sary can choose to corrupt N A honest stakeholdersand use their stakes to attack. Let N A denote the setof corrupted stakeholders, the budget of the adaptiveadversary can be defined by B A = (cid:80) i ∈N A B i .The models for the blockchain-specific attacks consid-ered in this paper are as follows: • Double-spending attack:
For such kind of attack, theattacker aims to revert a transaction that has beenconfirmed by the network (to gain back the tokensit has already spent). First, the attacker creates atransaction
Tx1 in block B i and waits until the blockis confirmed. Then, the attacker can either create aconflicting transaction Tx2 or erase the block B i fromthe chain, so that the proof of its spending is gone. • Grinding attack:
In grinding attacks, the attackerattempts to influence the leader and committee elec-tion protocol to unfairly increase its chance to beselected as a leader or a committee member. Gen-erally, in protocols where the seeds of the FTS algo-rithm are derived from the block header, the attackercan check many possible different block contents(because block headers are created by hashing theblock contents) to determine which one can give theattacker the best chance to be elected as a leaderagain. • Nothing-at-stake attacks:
This type of attack specifi-cally targets the PoS blockchains because, in contrastto PoW, blocks in PoS can be created with very littlecomputation. In this attack, the attacker tries to createmany forks or conflicting transactions. For example,the attacker can create two transactions to spend thesame tokens at two vendors, i.e.,
Tx1 in fork C and Tx1 in fork C . At this point, although both thetransactions are not confirmed , they are both valid (notconflicted within their own fork). • Bribe attacks:
For such attacks, the attacker triesto bribe the leaders to create specific blocks, e.g.,to support other types of attacks such as double-spending or transaction denial. • Transaction denial attack:
In this attack, the attackertries to prevent transactions of every or some specificusers from being included in the chain. To achievethis objective, the attacker has to either block theusers’ connection to the blockchain or not includethe transactions when the attacker is the leader. • Long-range attack:
In a long-range attack, a leaderimmediately transfers its stakes to another accountat the beginning of its designated epoch, and thus itcan behave maliciously, e.g., performing attacks, forthe rest of the epoch without consequences. daptive Adversary
Honeststakeholders $ TimeEpoch e t starts Committee and leaders election based on d t-1
Final stake distribution d t-1 at the last block of epoch e t-1
Stakes change during e t Final d t at the last block of epoch e t Committee and leaders election based on d t Epoch e t+1 starts
Chain operators adjust R m based on d t-1 Chain operators adjust R m based on d t $ Adversary corrupts some stakeholders $$ Adversary moves its stakes and corrupted stakes to attack one chain
Static Adversary
Honeststakeholders $ Time
Epoch e t starts Committee and leaders election based on d t-1
Final stake distribution d t-1 at the last block of epoch e t-1 Stakes change during e t Final d t at the last block of epoch e t Committee and leaders election based on d t Epoch e t+1 startsChain operators adjust R m based on d t-1 Chain operators adjust R m based on d t $ Adversary moves its stakes to attack one chain
Static Adversary
Honeststakeholders $ Time
Epoch e t starts Committee and leaders election based on d t-1
Final stake distribution d t-1 at the last block of epoch e t-1 Stakes change during e t Final d t at the last block of epoch e t Committee and leaders election based on d t Epoch e t+1 startsChain operators adjust R m based on d t-1 Chain operators adjust R m based on d t $ Adversary moves its stakes to attack one chain
Fig. 3. Illustrations of the considered adversaries.
To maintain the blockchain’s security, a consensus mecha-nism must satisfy the following properties [24]: • Persistence:
Once a transaction is confirmed by anhonest user, all other honest users will also confirmthat transaction, and the transaction’s position in theblockchain is the same for all honest users. • Liveness:
After a sufficient period, a valid transac-tion will be confirmed by all the honest users.In FedChain, persistence ensures that once a transaction isconfirmed, it cannot be reverted. Without the persistenceproperty, the adversary can successfully perform a double-spending attack by firstly sending a transaction to spendsome tokens. After that transaction is confirmed, the ad-versary can create a fork to erase the transaction from theblockchain. If that fork is accepted by the honest users,the adversary can gain back the tokens it already spent.While the persistence property ensures data immutability,the liveness property ensures that every valid transactionwill eventually be included in the chain. Without liveness,an attacker can block every transaction in a blockchain.The persistence and liveness properties are ensured if theconsensus mechanism satisfies the following properties [24]: • Common prefix (CP) with parameter κ ∈ N : For anypair of honest users, their versions of the chain C , C must share a common prefix. Specifically, assumingthat C is longer than C , removing κ last blocks of C results in the prefix of C . • Chain growth (CG) with parameter ς ∈ N and τ ∈ (0 , : A chain possessed by an honest user at time t + ς will be at least ςτ blocks longer than the chainit possesses at time t . • Chain quality (CQ) with parameter l ∈ N and µ ∈ (0 , : Consider any part of the chain that has at least l blocks, the ratio of blocks created by the adversaryis at most − µ . In the ideal case, − µ equals theadversarial ratio − γ .Let Pr CP , Pr CG , and Pr CQ denote the probabilities thatthe CP, CG, and CQ properties are violated. We provethat FedChain’s consensus mechanism can satisfy the CP,CG, and CQ properties with overwhelming probability, i.e., Pr CP , Pr CG , and Pr CQ are overwhelmingly low ( < . ),in the following Theorem. Theorem 1.
FedChain’s consensus mechanism can satisfy theCP, CG, and CQ properties with overwhelming probabilities.Proof:
See Appendix AFig. 4 illustrates the CP and CQ violation probabilitiesunder different parameter values. As the adversarial ratioincreases (i.e., the adversary controls more stakes in thechain), the attacker has more chances to successfully attack.However, the higher κ is, the lower the CP violation prob-ability is. This means that the longer since a transaction isadded to the chain, the more stable the transaction becomes.For example, if a transaction is at least seven blocks deepin the chain, the adversary has less than 1% chance torevert it, even if the adversary controls nearly 50% of thetotal network stakes. In contrast, if the transaction is onlyfour blocks deep, the adversary with 49% stakes has morethan 5% chance to revert the transaction. This implies thatthe more stakes the adversary controls, the longer it takesto confirm a transaction, which is directly related to theperformance and security of the chain.For the Pr CQ , the more blocks we consider, the higherchance the adversary can create more than (1 − γ ) l blocks.For example, an adversary controlling 30% of networkstakes has less than 0.1% chance to create more than threein ten blocks, but it has around 0.3% chance to create morethan 30 in 100 blocks. This could be harmful to the networkif the adversary wants to reduce the network’s throughput(i.e., blocks/time slot). For example, an adversary with 30%network stakes has 0.3% chance to reduce the networkthroughput by 30% during 100 time slots by creating onlyempty blocks every time it is elected to be the leader. In the following Theorem, we prove that our FedChain’sconsensus mechanism is able to prevent a variety of emerg-ing blockchain attacks such as double spending, grinding,bribe, nothing-at-stakes, and long-range attacks.
Theorem 2.
FedChain’s consensus mechanism can preventdouble-spending, nothing-at-stakes, bribe, transaction denial at-tacks, grinding, and long-range attacks according to the consid-ered adversary models.
Adversarial Ratio C P V i o l a t i on P r obab ili t y Common Prefix Violation Probability =4 =5 =6 =7 =8 =9
Adversarial Ratio C Q V i o l a t i on P r obab ili t y -3 Chain Quality Violation Probability l =10l =50l =100
Fig. 4. Blockchain properties violation probabilities.TABLE 1Transaction confirmation time in minutes
AdversarialRatio Bitcoin Cardano FedChain’sConsensusMechanism
Proof:
See Appendix B
From the security perspective, we prove that the higherthe adversarial ratio is, the higher the probabilities that theadversary can successfully perform attacks on the chain.Similarly, the adversarial ratio also has a negative impact onthe performance of the network. In Table 1, we examine andcompare the transaction confirmation time under differentadversarial ratio (percentage of stakes in PoS or computa-tional power in PoW that the adversary controls) of a PoWblockchain network (Bitcoin), a PoS network with delayedfinality (Cardano), and FedChain’s consensus mechanism.The transaction confirmation time of Bitcoin and Cardanois presented in [17]. The transaction confirmation timeis the time it takes to reach a CP violation probability Pr CP ≤ . . Based on (7), κ can be determined, and then κ is multiplied with the time slot duration to calculate thetransaction confirmation time. Our time slot duration is setto be 20 seconds (the same as that of Cardano [28]).As observed in Table 1, the more stakes the adversarycontrols, the longer the transaction confirmation time is.Moreover, the PVSS protocol no longer ensures unbiasedrandomness if the adversary controls more than 50% stakesin a chain. Therefore, it is critical to attract more participantsto individual chains in order to increase the network’s total stakes and prevent the adversary from controlling morethan 50% of network stakes. In the next section, we will in-troduce an effective incentive mechanism developed basedon a Stackelberg game model that can jointly maximizeprofits for the participants and significantly enhance thenetwork’s performance and security for chain operators. TACKELBERG G AME F ORMULATION
In practice, chains usually announce their block rewardsfirst, and then the stakeholders will decide how much toinvest accordingly. Therefore, the interaction between thechains and stakeholders in FedChain can be formulatedas a multiple-leaders-multiple-followers Stackelberg gamemodel [30]. In this game, the leaders are the chains (man-aged by the chain operators) who first announce their blockrewards, and then the stakeholders, i.e., followers, will maketheir decisions, e.g., how much to invest in each chain.
FedChain consists of a set M of M chains and a set N of N followers. The leaders offers block rewards R =( R , . . . , R M ) . Stakeholders possess stakes with budgets,denoted as B = ( B , . . . , B N ) . The stakeholders can usetheir stakes to take part in the consensus process of everychain to earn additional profits. Particularly, when stake-holder n invests s mn to chain m , its expected payoff U mn is: U mn = s mn s mn + (cid:80) i ∈N − n s mi R m , (2)where N − n is the set of all stakeholders except stakeholder n . The stakeholders can freely invest within their budgetsto any chain, i.e., (cid:80) Mm =1 s mn ≤ B n . Thus, the total payoff ofstakeholder n is U n = M (cid:88) m =1 U mn = M (cid:88) m =1 (cid:18) s mn s mn + T m R m (cid:19) , (3)where T m = (cid:80) i ∈N − n s mi expresses the total stakes investedin chain m by all the other stakeholders. To analyze the game, we first examine the existence of thefollower sub-game equilibrium in Theorem 3.
Theorem 3.
There exists at least one Nash equilibrium in thefollower sub-game.Proof:
See Appendix C.Then, we examine the uniqueness of the equilibrium inTheorem 4.
Theorem 4.
The follower sub-game equilibrium is unique.Proof:
See Appendix D.In this game, the stakeholders can invest any number ofstakes within their budgets. However, as shown in Theorem5, a rational stakeholder will always invest all its budgetto maximize its profits regardless other stakeholders’ strate-gies. heorem 5.
For every follower n , the strategies that investless than its total budget, i.e., (cid:80) Mm =1 s mn < B n , always givelower payoffs than the strategy that invests all the budget, i.e., (cid:80) Mm =1 s mn = B n , regardless of other followers’ strategies.Proof: See Appendix E.An important result from Theorem 5 is that the strategieswhich invest less than the total budget can be removed fromthe strategy space of every follower. Then, we can reformu-late the utility function to reflect the budget constraint asfollow: U n = M − (cid:88) m =1 (cid:18) s mn s mn + T m R m (cid:19) + B n − (cid:80) M − m =1 s mn B n − (cid:80) M − m =1 s mn + T M R M . (4)With the existence and uniqueness guaranteed, the onlyquestion remained is how to find the equilibrium point.Interestingly, for the considered game model, we can provethe exact formula of the equilibrium in Theorem 6. Theorem 6.
The point where every follower’s strategy satisfies s ∗ mn = B n R m (cid:80) Mi =1 R i , ∀ m ∈ M , ∀ n ∈ N is the unique equilib-rium of the follower sub-game.Proof: See Appendix FThen, we can conclude that there is a unique sub-gameequilibrium for every fixed leader strategy set, and at theequilibrium the stakeholders will play their optimal strate-gies, i.e., s ∗ mn = B n R m (cid:80) Mi =1 R i , ∀ m ∈ M , ∀ n ∈ N . (5)This optimal strategy only depends on the stakeholder’stotal budget and the ratios of block rewards between thechains, i.e., (cid:80) Mm =1 s mn = (cid:80) Nn =1 B n R m (cid:80) Mi =1 R i , ∀ m ∈ M .In the next stage, we will analyze the leader strategy todetermine the optimal block reward for the leaders. The proposed incentive mechanism for FedChain has twomain aims. The first one is to attract stakes to improve theindividual chain’s performance and security. The secondaim is to ensure the decentralization of the system, i.e.,encourage the stakeholders to distribute their stakes evenlyacross all the chains. For these two aims, we propose a utilityfunction U m for the leaders as follows: U m = N (cid:88) n =1 ω nm s ∗ mn − R m = N (cid:88) n =1 B n R m (cid:80) Mi =1 R i ln (cid:32) B n R m (cid:80) Mi =1 R i (cid:33) − R m , (6)where ω nm is a weight factor which can be defined by ω nm = ln( s ∗ mn ) . By using the logarithm of the stakes as theweight factor, we can achieve two main aims. In particular,from this designed utility function, a leader can attract morestakes invested to its pool by increasing its block reward.However, at a certain level, if this leader keeps increasing itsblock reward to get more stakes, its utility will be decreased. R m -5051015 U m Leader Utility
Optimal Strategy
Fig. 5. An example of the leader’s utility function.
As a result, this utility function, as illustrated in Fig. 5,encourages the chain operator to set an appropriate levelof block reward such that it can attract sufficient stakes tothe chain while ensuring that individual stakeholders donot control too much of the network stakes. Moreover, thisalso discourages the chain operators from setting a too highblock reward that will cause the centralization of stakes intoa single chain in FedChain. Based on the proposed utilityfunction, we proceed to find the equilibrium of the uppersub-game and the Stackelberg equilibrium of the consideredStackelberg game in Theorem 7.
Theorem 7.
The point where every leader’s strategy is R ∗ m = M − M (cid:80) Nn =1 B n (cid:18) (cid:18) B n M (cid:19)(cid:19) and every follower’s strategysatisfies s ∗ mn = B n R m (cid:80) Mi =1 R i , ∀ m ∈ M , ∀ n ∈ N is the uniqueStackelberg equilibrium of the considered game.Proof: See Appendix G.Interestingly, the result from Theorem 7 shows that theoptimal strategies are the same for all the chain operators.The reason is that since stakes can be transferred, the secu-rity of the whole system is as strong as that of the weakestchain. Therefore, the highest utility can only be achievedwhen every chain is equally secure.
ERFORMANCE E VALUATION
In this section, we conduct experiments and simulationsto (i) show that the proposed Stackelberg game can helpthe stakeholders to maximize their profits, (ii) confirm ouranalytical results, and (iii) demonstrate that the proposedincentive mechanism can enhance FedChain’s security andperformance. To this end, we first examine the utility func-tion of a stakeholder to confirm our results from Theorem6 and show that the Stackelberg game model can help tomaximize the stakeholder’s profit. After that, to evaluatethe security and performance of the FedChain, we imple-ment extensive simulations under various settings. In thesimulations, we first show that the rational stakeholders willact according to our proposed Stackelberg game-theoreticalanalysis. We will then demonstrate that the FedChain’sconsensus mechanism can satisfy the security propertiesand attain reasonable performance even under extreme ad-versarial scenarios. Furthermore, we will show that underthe same simulation setting, the proposed dynamic rewardscheme achieves better security and performance comparedto those of the static reward scheme.
ABLE 2Parameter setting
Parameter Weak Medium StrongAdversary Adversary Adversary N
100 100 100 M LB
50 50 50 UB
100 100 100 ∆ s (0 ,
1) (0 ,
1) (0 , B A
500 1000 1500 N A
10 20 30 n e
10 10 10
First, we examine the utility function of stakeholder 1 ina small case which consists of two stakeholders and threechains. The stakeholders have budgets B = [100 , , andthe chains set block rewards to be R = [10 , , . In thisexperiment, the strategy of stakeholder 2 is fixed accordingto (5). Then, we simulate a system with N stakeholdersand M chains under different adversarial models (staticand adaptive), reward schemes (static and dynamic), anddifferent adversarial levels (weak, medium, and strong). Thesimulation parameters are presented in Table 2.The simulation has several steps as presented in Algo-rithm 1 (see Appendix H). In particular, at the beginning,each stakeholder has a budget B i ∈ [LB , UB] generatedrandomly with uniform distribution. Each chain operatorthen sets a block reward R m based on Theorem 7’s result inthe case of the dynamic reward scheme. In the static rewardscheme, R m are fixed as constants based on several real-world PoS blockchain networks [32]–[34]. After the blockrewards are set, the stakeholders make their decisions. Tofind the best strategies for each stakeholder, we employ theMatlab fmincon function [29], starting from stakeholder 1.Then, the newly found optimal strategy is fixed for thestakeholder, and the algorithm continues to find the bestresponse for player 2 until stakeholder N . After that, theadversary begins to attack. In the static adversary scenario,the adversarial stakes budget B A is constant and predeter-mined. In the adaptive adversary scenario, the adversarychooses a number N A of stakeholders to corrupt, makingtheir stakes to be adversarial stakes, i.e., the adversarialstakes budget is (cid:80) i ∈N SA B i . Then, we measure the impactsof the adversary on Pr CP , Pr CQ , transaction confirmationtime, and transaction throughput. Finally, we simulate thestake changes during the epoch by randomly choosing N ∆ stakeholders and changing their budgets by ± ∆ s B n , ∆ s ∈ (0 , . The epoch is then ended, and the simulation moves tothe next epoch until the stopping criteria are met, i.e., after n e epochs.During the simulation, we measure several important se-curity and performance criteria. First, we measure the stakedistribution at the beginning of each epoch to see if the ra-tional stakeholders invest according to our game-theoreticalanalysis. Then, we examine four different scenarios. In thefirst two scenarios, we simulate a static adversary who will Fig. 6. Stakeholder’s utility function. try to attack the chains under the static and dynamic rewardschemes. In the remaining scenarios, an adaptive adversarywill try to attack the chains. For each type of adversary, wesimulate three different levels of adversary capacity (low,medium, and high) as shown in Table 1.In terms of security, we measure the CP and CQ violationprobabilities. These probabilities can be determined by (7)and (9), respectively. In terms of performance, we measurehow much the adversaries can negatively impact the trans-action confirmation time and transaction throughput. Tocalculate the transaction confirmation time, for each chain,we find the value of κ such that Pr CP < . . For thetransaction throughput, we want to examine the case wherethe adversary wants to reduce the transaction processingcapability of one of the chains. Specifically, the adversarywill move all its stakes to a chain and participate in theleader selection process. For every block the adversary iselected to be the leader, it creates an empty block withoutany transaction, thereby reducing the network’s transactionthroughput. In the simulation, we measure a transactionthroughput reduction threshold Θ , such that the probabilitythat the adversary can reduce the transaction throughputmore than Θ is overwhelmingly low (i.e., Pr CQ < . ). Fig. 6 illustrates the utility function of stakeholder 1 in thecase where stakeholder 2 invest according to (5). As ob-served from the figure, stakeholder 1 can achieve maximumutility when it also invests according to (5). Particularly,stakeholder 1 achieves a utility U ∗ = 15 with the opti-mal strategy s ∗ = [16 . , . , . This result shows thatour Stackelberg game model can help the stakeholders toachieve maximum profits. Moreover, the ratios between s ∗ , s ∗ , and s ∗ are the same as the ratios between R , R , and R , which confirms our results in Theorem 6. Fig. 7 illustrates the stake distribution at the end of eachepoch. As can be seen from the figure, although the to-tal number of stakes vary across the epochs, the ratio ofstakes invested in each chain remains unchanged in both take Distribution-Static Reward
Epoch S t a k e s i n c ha i n Chain 1 Chain 2 Chain 3
Stake Distribution-Dynamic Reward
Epoch S t a k e s i n c ha i n Chain 1 Chain 2 Chain 3
Fig. 7. Stake distribution. the dynamic and static reward schemes. Moreover, we canobserve that the stakes are distributed more evenly in thedynamic reward scheme, which is more beneficial to thechains’ security and performance. Furthermore, the stakeratios in both schemes equal the ratio of the block rewards,which confirms our analytical results in Theorem 6.
Fig. 8 and Fig. 9 illustrate Pr CP of each chain at the endof each epoch under the static and adaptive adversarysettings, respectively. From the figures, we can observe thatthe more stakes the adversary controls, the higher chanceit can violate the security of the system. For example,in the static adversary setting, with a low budget (weakadversary), Pr CP is at most 0.02%, whereas this probabilityincreases to 1.5% in case of an adversary with a high budget(strong adversary). Secondly, the total system stakes havedifferent effects on the chains’ security under the static andadaptive adversary setting. For instance, the system hasthe highest stakes in the last epoch. At this epoch, Pr CP achieve the lowest value under the static adversary becausethe static adversary has a fixed budget. However, Pr CP achieve the highest value under the adaptive adversarysetting because the adaptive adversary can corrupt thestakeholders with the most stakes. Therefore, it is crucialto not only attract more stakes to the system but also toincentivize more diversity, i.e., encourage the stakeholdersto split their stakes across more chains. We can observe theeffect of such diversity between the dynamic and the staticreward schemes. Although the total network stakes are thesame, the dynamic scheme, which encourages equal stakesdistribution, achieves much lower Pr CP , e.g., at most 14%compared to 24% of the static reward scheme.Fig. 10 and Fig. 11 illustrate Pr CQ of each chain under thestatic and adaptive adversary settings, respectively. Similarto the Pr CP , we can draw several conclusions from examin-ing Pr CQ . Firstly, the stronger the adversary is, the higherchance it violates system security. For example, in the weakadaptive adversary scenario, Pr CQ is at most 1.2%, whereasthis probability increases to 2.4% in the case of a strongadaptive adversary. Generally, Pr CQ gets higher in the case Epoch
Weak Static Adversary-Common Prefix
Epoch
Medium Static Adversary-Common Prefix
Epoch P r C P ( % ) Strong Static Adversary-Common Prefix
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic P r C P ( % ) P r C P ( % ) Fig. 8. Pr CP under static adversary settings. Epoch
Weak Adaptive Adversary-Common Prefix
Epoch
Medium Adaptive Adversary-Common Prefix
Epoch P r C P ( % ) Strong Adaptive Adversary-Common Prefix
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic P r C P ( % ) P r C P ( % ) Fig. 9. Pr CP under adaptive adversary settings. Epoch P r C Q ( % ) Weak Static Adversary-Chain Quality
Epoch
Medium Static Adversary-Chain Quality
Epoch P r C Q ( % ) Strong Static Adversary-Chain Quality
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic P r C Q ( % ) Fig. 10. Pr CQ under static adversary settings. of the adaptive adversary. The reason is that accordingto the simulation setting, the adversary can corrupt morestakes compared to B A in the case of the static adversary.Secondly, similar to the results of Pr CP , Pr CQ is inverselyproportional to the total system stakes in the case of thestatic adversary, and it is proportional to the total systemstakes in the case of the adaptive adversary. As a result,we can observe that the dynamic scheme achieves lower Pr CQ , e.g., at most 14% Pr CQ compared to 24%. Moreover,since the security of the system is only as good as that of itsweakest chain (especially with the SPV proof mechanism), itcan be observed that the dynamic reward scheme achievesbetter security compared to the static reward scheme, i.e.,the chains of the dynamic reward scheme always achievebetter Pr CP and Pr CQ compared to those of the weakestchain under the static reward scheme (i.e., Chain 3). Fig. 12 and Fig. 13 illustrate the transaction confirmationtime of each chain under the static and adaptive adversarysettings, respectively. From the figures, we can observe thatthe stronger the adversary is, the more it can negativelyaffect the system performance. For example, the chains takesat most 120 seconds to confirm a transaction in case ofa weak static adversary, but it takes up to 220 secondsin case of a strong static adversary. This is because thetransaction confirmation time is directly related to Pr CP .A stronger adversary has a higher chance to violate theCP property, and thus the users have to wait longer toconfirm a transaction. Moreover, we can also observe thatthe transaction confirmation time is inversely proportionalto the total stakes of the system in the static adversary Epoch
Weak Adaptive Adversary-Chain Quality
Epoch
Medium Adaptive Adversary-Chain Quality
Epoch P r C Q ( % ) Strong Adaptive Adversary-Chain Quality
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic P r C Q ( % ) P r C Q ( % ) Fig. 11. Pr CQ under adaptive adversary settings. settings, whereas the opposite holds true in the adaptiveadversary settings. The reason is the same as that of the Pr CP scenarios, i.e., the adaptive adversary can corruptmore stakes, whereas B A of the static adversary is fixed.Furthermore, the transaction confirmation time of the threechains under the dynamic reward schemes is always betterthan at least two chains under the static reward scheme.Fig. 14 and Fig. 15 illustrate the transaction throughputreduction percentages of each chain under the static andadaptive adversary setting, respectively. Similar to the pre-vious scenarios, we can observe that a stronger adversarycan cause more negative impacts on the system perfor-mance, e.g., a weak static adversary can reduce the through-put by at most 24%, whereas the strong static adversarycan reduce the throughput by nearly 50%. Moreover, itcan be observed that as the system has more stakes, thestatic adversary becomes weaker, whereas the adaptive ad-versary becomes stronger, similar to the previous scenario.Finally, one can observe that the dynamic reward schemecan achieve a better overall performance compared to thatof the static reward scheme (the performances of the threechains in the dynamic scheme are better than those of atleast two chains in the static scheme). ONCLUSION
In this paper, we have introduced FedChain, an effectiveframework for federated-blockchain systems together witha cross-chain transfer protocol to facilitate the secure anddecentralized transfer of tokens between the blockchains. Inthis framework, we have proposed a novel consensus mech-anism which can satisfy the CP, CG, and CQ properties,
Epoch T x c on f i r m a t i on t i m e ( s ) Weak Static Adversary-Tx Confirmation Time
Epoch T x c on f i r m a t i on t i m e ( s ) Medium Static Adversary-Tx Confirmation Time
Epoch T x c on f i r m a t i on t i m e ( s ) Strong Static Adversary-Tx Confirmation Time
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic
Fig. 12. Transaction confirmation time under static adversary settings.
Epoch T x c on f i r m a t i on t i m e ( s ) Weak Adaptive Adversary-Tx Confirmation Time
Epoch T x c on f i r m a t i on t i m e ( s ) Medium Adaptive Adversary-Tx Confirmation Time
Epoch T x c on f i r m a t i on t i m e ( s ) Strong Adaptive Adversary-Tx Confirmation Time
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic
Fig. 13. Transaction confirmation time under adaptive adversary set-tings.
Epoch T h r oughpu t r edu c t i on ( % ) Weak Static Adversary-Throughput
Epoch T h r oughpu t r edu c t i on ( % ) Medium Static Adversary-Throughput
Epoch T h r oughpu t r edu c t i on ( % ) Strong Static Adversary-Throughput
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic
Fig. 14. Transaction throughput reduction under static adversary set-tings.
Epoch T h r oughpu t r edu c t i on ( % ) Weak Adaptive Adversary-Throughput
Epoch T h r oughpu t r edu c t i on ( % ) Medium Adaptive Adversary-Throughput
Epoch T h r oughpu t r edu c t i on ( % ) Strong Adaptive Adversary-Throughput
Chain 1-Static Chain 2-Static Chain 3-StaticChain 1-Dynamic Chain 2-Dynamic Chain 3-Dynamic
Fig. 15. Transaction throughput reduction under adaptive adversarysettings. revent various blockchain-specific attacks, and achievebetter transaction confirmation time compared to existingconsensus mechanisms. Robust theoretical analyses havebeen then conducted to prove FedChain’s consensus mech-anism security and performance properties. After that, aStackelberg game model has been developed to examine theinteractions between the stakeholders and the blockchainsmanaged by chain operators. This model can provide addi-tional profits for the stakeholders and enhance the securityand performance of the blockchains. Through analyses ofthe Stackelberg game model, we can prove the uniquenessof the Stackelberg equilibrium and find the exact formula forthis equilibrium. These results are especially important forthe stakeholders to determine their best investment strate-gies and for the chain operators to design the optimal policy,i.e., block rewards. Finally, extensive experiments and sim-ulations have been conducted to show that our proposedframework can help stakeholders to maximize their profitsand the chain operator to design appropriate parameters toenhance FedChain’s security and performance. R EFERENCES [1] W. Wang, D. T. Hoang, P. Hu, Z. Xiong, D. Niyato, P. Wang, Y. Wen,and D. I. Kim, “A Survey on Consensus Mechanisms and MiningStrategy Management in Blockchain Networks,”
IEEE Access , vol.7, pp. 22328–22370, Jan. 2019.[2] C. T. Nguyen, D. T. Hoang, D. N. Nguyen, D. Niyato, H. T. Nguyen,and E. Dutkiewicz, “Proof-of-Stake consensus mechanisms for fu-ture blockchain networks: Fundamentals, applications and oppor-tunities,”
IEEE Access , vol. 7, pp. 85727–85745, June 2019.[3] “Global Charts,”
CoinMarketCap . [Online]. Available:https://coinmarketcap.com/charts/. Accessed on: 04-Nov-2020.[4] “Buy & sell Crypto in minutes,”
Binance
Kraken
Selfkey . [Online]. Available: https://selfkey.org/list-of-cryptocurrency-exchange-hacks/. Accessed on: 04-Nov-2020.[7] Y. Xiao, N. Zhang, W. Lou and Y. T. Hou YT, “A survey ofdistributed consensus protocols for blockchain networks,”
IEEECommunications Surveys & Tutorials , vol. 2, no. 22, pp. 1432-1465,Jan, 2020.[8] A. Back et al. (Oct. 2008). Enabling blockchain inno-vations with pegged sidechains. [Online]. Available:http://kevinriggen.com/files/sidechains.pdf[9] A. Singh et al., “Sidechain technologies in blockchain net-works: An examination and state-of-the-art review,”
Journal ofNetwork and Computer Applications , vol. 149, Jan. 2020, doi:https://doi.org/10.1016/j.jnca.2019.102471[10] V. Arasev. (Sep. 2018). POA network whitepaper. [Online]. Avail-able: https://github.com/poanetwork/wiki/wiki/POA-Network-Whitepaper[11] J. Dilley et al., “Strong federations: an interoperableblockchain solution to centralized third-party risks,”2016, arXiv preprint arXiv:1612.05491 . [Online]. Available:https://arxiv.org/abs/1612.05491.[12] S. Lerner. (Jan. 2016). Drivechains, Sidechains and Hybrid 2-wayPeg Designs [Online]. Available: https://docs.rsk.co/DrivechainsSidechains and Hybrid 2-way peg Designs R9.pdf.[13] G. Wood, “Ethereum: A secure decentralised generalised trans-action ledger,” Ethereum Project, Zug, Switzerland, Yellow PaperEIP-150 Rev., Aug. 2017, vol. 151.[14] A. Garoffolo, and R. Viglione, “Sidechains: Decoupled consensusbetween chains,” 2018, arXiv preprint arXiv:1812.05441 . [Online].Available: https://arxiv.org/abs/1812.05441.[15] P. Gaˇzi, A. Kiayias and D. Zindros, “Proof-of-Stake Sidechains,”in , San Francisco,CA, USA, May 18-19, 2019, pp. 139-156. [16] A. Garoffolo, D. Kaidalov and R. Oliynykov, “Zendoo:a zk-SNARK verifiable cross-chain transfer protocolenabling decoupled and decentralized sidechains,” 2020, arXiv preprint arXiv:2002.01847 . [Online]. Available:https://arxiv.org/abs/2002.01847.[17] A. Kiayias, A. Russell, B. David, and R. Oliynykov, “Ouroboros: AProvably Secure Proof-of-Stake Blockchain Protocol,” in
Proc. 37thAnnu. Int. Cryptolog. Conf. (CRYPTO) , Santa Barbara, CA, USA, Aug.2017, pp. 357–388.[18] P. Daian, R. Pass, E. Shi, “Snow white: Robustly reconfigurableconsensus and applications to provably secure proof of stake,” in
International Conference on Financial Cryptography and Data Security ,Saint Kitts and Nevis, Feb. 18-22, 2019, pp. 23-41.[19] V. Buterin and V. Griffith, “Casper the friendly finality gad-get,” 2017, arXiv preprint arXiv:1710.09437 . [Online]. Available:https://arxiv.org/abs/1710.09437[20] E. Buchman, J. Kwon, and Z. Milosevic (Sep 2018)
The latest gossip on BFT consensus . [Online]. Available:https://tendermint.com/static/docs/tendermint.pdf[21] I. Bentov, A. Gabizon, and A. Mizrahi, “Cryptocurrencies withoutproof of work,” in
International Conference on Financial Cryptographyand Data Security . Barbados, Feb. 2016, pp. 142–157.[22] I. Bentov, C. Lee, A. Mizrahi, and M. Rosenfeld, “Proof of activity:Extending bitcoin’s proof of work via proof of stake (extendedabstract),”
ACM SIGMETRICS Performance Evaluation Review , vol.42, no. 3, pp. 34–37, Dec. 2014.[23] Y. Gilad, R. Hemo, S. Micali, G. Vlachos, and N. Zeldovich,“Algorand: Scaling byzantine agreements for cryptocurrencies,” in
Proceedings of the 26th Symposium on Operating Systems Principles ,Oct. 2017, pp. 51–68.[24] J. Garay, A. Kiayias and N. Leonardos “The bitcoin backboneprotocol: Analysis and applications,” in
Annual International Confer-ence on the Theory and Applications of Cryptographic Techniques , Sofia,Bulgaria, April 26-30, 2015, pp. 281-310.[25] S. Nakamoto, (May 2008). “Bitcoin: A peer-to-peer electronic cashsystem”. [Online]. Available: https://bitcoin.org/bitcoin.pdf[26] M. Stadler “Publicly verifiable secret sharing,” in
InternationalConference on the Theory and Applications of Cryptographic Techniques ,Saragossa, Spain, May 12–16, 1996, pp. 190-199.[27] L. Luu, D. Chu, H. Olickel, P. Saxena, and A. Hobor, “Makingsmart contracts smarter,” in
Proc. of the ACM SIGSAC Conference onComputer and Communications Security , Vienna, Austria, Oct. 2016,pp. 254-269.[28] Cardano, “Ouroboros Proof of Stake Algorithm,”
Cardano .[Online]. Available: https://cardanodocs.com/cardano/proof-of-stake/.[29] MathWorks, “Fmincon,”
Mathworks
Gametheory in wireless and communication networks: theory, models, andapplications . Cambridge: Cambridge University Press, 2012.[31] M. Mitzenmacher and E. Upfal,
Probability and computing: Ran-domization and probabilistic techniques in algorithms and data analysis .Cambridge: Cambridge University Press, 2017.[32] StakingRewards, “Cardano,”
Digital Asset ResearchPlatform for Staking & Dividends . [Online]. Available:https://stakingrewards.com/asset/ada. [Accessed: 16-Aug-2020].[33] StakingRewards, “Algorand,”
Digital Asset ResearchPlatform for Staking & Dividends . [Online]. Available:https://stakingrewards.com/asset/algo. [Accessed: 16-Aug-2020].[34] StakingRewards, “Tezos,”
Digital Asset Research Plat-form for Staking & Dividends . [Online]. Available:https://stakingrewards.com/asset/xtz. [Accessed: 16-Aug-2020].[35] J. B. Rosen, “Existence and Uniqueness of Equilibrium Points forConcave N-Person Games,”
Econometrica , vol. 33, no. 3, pp. 520-534,July 1965.
PPENDIX AP ROOF OF T HEOREM We first prove that our FedChain’s consensus mechanismcan satisfy the CP property in Lemma 1.
Lemma 1.
The probability that FedChain’s consensus mechanismviolates the common prefix property with parameter κ ∈ N is lessthan or equal to (1 − γ ) κ .Proof: In order to violate the CP property, the adver-sary must have two forks with at least κ conflicting blocks,and both forks must be accepted by the honest stakeholders.However, an honest stakeholder will accept only one fork inthe same time slot. Therefore, the adversary must (i) createa fork, (ii) have the honest stakeholders accept it, (iii) createanother fork with a conflicting block at a later time slot, and(iv) have the honest stakeholders accept the new fork. Wewill prove that the adversary can only do that if it is electedto be the leader for κ consecutive blocks.Without loss of generality, assume that the adversary iselected to be the leader at time slot s l1 , s l2 , and s l4 . This meansthat at s l3 an honest stakeholder is elected to be the leader.Assume that the adversary wants to create two conflictingforks C , C . Let B ij denote the block from fork C i at timeslot s lj . Firstly, at s l1 and s l2 , the adversary broadcasts blocks B and B . At this point, the adversary can create fork C with different blocks, i.e., B (cid:54) = B and B (cid:54) = B , and hasboth forks accepted by the honest stakeholder (some honeststakeholders will adopt C while some will adopt C ).However, at s l3 , the honest leader will either choose oneof the two forks to adopt. Assume that the leader chooses C , it will add block B to the chain, and the fork C willbe discarded by all honest stakeholders. Next, at s l4 , theadversary is elected to be the leader and can create a forkagain. At this point, the adversary can try to broadcast C to the honest stakeholder again with block B (cid:54) = B (e.g.,to gain back the tokens spent in block B ). Nevertheless,any change in a block’s content results in a different block’shash, and the block’s hash is linked to its previous block.Thus, B cannot be changed unless block B is changed.However, since the leader of B is honest, the block will notbe changed (due to consensus rules I and I ).Moreover, the leader election is conducted at the begin-ning of each epoch, and as long as the PVSS protocol issecure (proven in [26]), any honest stakeholder can obtainand verify the correct leader list if that stakeholder is onlineat least once during the epoch (thanks to consensus rule I ).Since the epoch is long (e.g., 5 days [17]), we can assumethat every honest stakeholder will have the correct leaderlist. Therefore, the adversary also cannot broadcast B (cid:54) = B on its own since it is not the designated leader. Thus, theadversary must include B and every block before that.Otherwise, it will create an invalid fork that will be rejecteddue to due to consensus rule I .As a result, the part of the chain from the first block tothe latest honest block (e.g., until B in the above analysis)is confirmed by every honest user. Therefore, the adversarycan only create forks with κ last blocks different from thehonest fork if it is elected to be the leader for κ consecutiveblocks. Since (1 − γ ) is the ratio of adversarial stakes in the total network stakes, the probability that the adversary iselected to be the leader for κ consecutive blocks is Pr CP = (1 − γ ) κ , (7)which is also the probability that the CP property is violated.Then, we prove that our FedChain’s consensus mecha-nism satisfies the CG property in Lemma 2. Lemma 2.
FedChain’s consensus mechanism satisfies the chaingrowth propertyProof:
Even if a new block is not broadcast duringa time slot, an empty block will be added to the chain.Therefore, the CG property will always be satisfied.Next, we prove that FedChain’s consensus mechanismcan satisfy the CQ property in Lemma 3.
Lemma 3.
The probability that FedChain’s consensus mechanismviolates the ideal chain quality property with parameters l, µ over l blocks is no more than − exp (cid:18) l ( γ − δ (cid:19) .Proof: We can characterize the block adding processamong the honest stakeholders and the adversary as abinomial random walk [31]. During the considered l slots,the leader election processes can be considered indepen-dent Bernoulli trials X , . . . , X l such that, for ≤ i ≤ l , Pr[ X i = 0] = γ and Pr[ X i = 1] = 1 − γ . Then, the expectedvalue of the trials is E [ X ] = (cid:80) li =1 (1 − γ ) . Applying theChernoff bound [31], the probability that the adversary cre-ates less than l (1 − µ ) blocks, i.e., X = (cid:80) li =1 X i < l (1 − µ ) ,is Pr[
X < (1 − δ ) E [ X ]] = exp (cid:18) − E [ X ] δ (cid:19) , Pr[
X < (1 − δ ) l (1 − µ )] = exp (cid:18) ( µ − lδ (cid:19) , (8)where δ is any real number such that < δ ≤ . In the caseof ideal CQ [24], we have µ = γ , and the ideal CQ violationprobability is Pr CQ = 1 − exp (cid:18) l ( γ − δ (cid:19) (9)From Lemma 1, we have the CP violation probability Pr CP = (1 − γ ) κ which decreases exponentially as κ grows.Then, we proved in Lemma 2 that the CG property willalways be satisfied. Finally, from Lemma 3, we have the CQviolation probability Pr CQ = 1 − exp (cid:18) l ( γ − δ (cid:19) whichdecreases exponentially as l and δ grow. Thus, all the threeviolation probabilities can be satisfied with overwhelmingprobabilities, and the proof is completed. A PPENDIX BP ROOF OF T HEOREM We prove FedChain’s consensus mechanism’s ability to pre-vent each attack as follows: • Double-spending attack
To double-spend, the at-tacker has to either create a conflicting transactionn the same fork, i.e., create
Tx1 in B i and Tx2 in B j , or create two transactions in two forks, i.e.,create Tx1 in B i ∈ C and Tx2 in B j ∈ C . Forthe first approach, Tx2 is not a valid transaction andwill be rejected. For the second approach, if the CPproperty is not violated, only one of C and C willbe confirmed. Thus, this attack is prevented. • Grinding attack:
The seeds for leader and committeeselection are created by the committee via the PVSSprotocol in FedChain’s consensus mechanism. There-fore, grinding attacks are prevented. • Nothing-at-stake attacks:
Although the adversarycan create valid forks, they are not confirmed. There-fore, the vendors only have to wait until a transactionis confirmed. Thus, this attack is prevented as long asthe CP property holds. • Bribe attacks:
In the considered adaptive adversarymodel, the adversary can only corrupt honest stake-holders with a delay. Since the adversary cannotknow who is the leader in advance, the adversarycannot bribe the leaders. Thus, this attack is pre-vented. • Transaction denial attack:
With the liveness prop-erty, a transaction will eventually be included ina block created by an honest leader. As a result,this attack can be prevented as long as the livenessproperty (or the CG and CQ properties) holds. • Long-range attack:
FedChain’s consensus mecha-nism can prevent this attack by locking committeemembers’ stakes during their designated epochs. A PPENDIX CP ROOF OF T HEOREM Let S n denote the strategy space of follower n . Then, anystrategy s n = [ s n , . . . , s Mn ] that satisfies M (cid:88) m =1 s mn ≤ B n , (10)is a feasible strategy of follower n , i.e., s n ∈ S n . We firstprove S n to be compact and convex ∀ n ∈ N in Lemma 4. Lemma 4. S n is compact and convex ∀ n ∈ N .Proof: Let s n and s (cid:48) n be any two different strategiesin S n . To prove S n is convex, we prove that any convexcombination of s n and s (cid:48) n is in S n , i.e., λ s n + (1 − λ ) s (cid:48) n = [ λs n + (1 − λ ) s (cid:48) n , . . . , λs Mn +(1 − λ ) s (cid:48) Mn ] ∈ S n , ∀ λ ∈ (0 , , ∀ s n , s (cid:48) n ∈ S n . (11)Since λs mn +(1 − λ ) s (cid:48) mn ≤ max { s mn , s (cid:48) mn } , ∀ m ∈ M , we have M (cid:88) m =1 (cid:18) λs n + (1 − λ ) s (cid:48) n (cid:19) ≤ max (cid:26) M (cid:88) m =1 s mn , M (cid:88) m =1 s (cid:48) mn (cid:27) ≤ B n . (12)From (12), all convex combinations of s n and s (cid:48) n satisfy (10),and thus they all lie in S n . As a result, S n is convex.Moreover, since S n is closed and bounded, it is compact.Then, we prove that U n is concave in Lemma 5. Lemma 5. U n is concave over S n , ∀ n ∈ N .Proof: We have: ∂ U mn ∂ ( s mn ) = − R m T m ( s mn + T m ) ≤ . (13)Thus, U mn is concave over S n . Then, U n = (cid:80) Mm =1 U mn is alsoconcave over S n .According to [30], if S n is compact and convex and U n is quasi-concave ∀ n ∈ N , there exists at least oneNash equilibrium. It follows from Lemma 4 and 5 that thefollower sub-game satisfies these conditions, and thus theproof of this Theorem is complete. A PPENDIX DP ROOF OF T HEOREM According to Rosen’s theorem [35], a sufficient conditionto guarantee the uniqueness of the equilibrium is that thematrix [ G ( s , ω ) + G T ( s , ω )] is negative definite for a fixed ω > . G ( s , ω ) can be calculated by: G ( s , ω ) = ω ∂ U ∂s ∂s ω ∂ U ∂s ∂s · · · ω ∂ U ∂s M ∂s N ω ∂ U ∂s ∂s ω ∂ U ∂s ∂s · · · ω ∂ U ∂s M ∂s N ... ... . . . ... ω N ∂ U N ∂s N ∂s M ω N ∂ U N ∂s N ∂s M · · · ω N ∂ U N ∂s MN ∂s MN (14) Let ω n = 1 , ∀ n ∈ N , G ( s , ω ) can be rewritten as (15).The entries of G ( s , ω ) can then be calculated as follows: Φ mn = 2 R m (cid:80) Nn =1 B n (cid:18) − T m ( s mn + T m ) (cid:19) , (16)and φ mn = 2 R m (cid:80) Nn =1 B n (cid:18) s mn T m ( s mn + T m ) (cid:19) . (17)From (16) and (17), we can calculate ∆ mn = Φ mn − φ mn = 2 R m (cid:80) Nn =1 B n (cid:18) − T m ( s mn + T m )( s mn + T m ) (cid:19) , (18)which is negative. Then, G ( s , ω ) can be expressed as a sumof 2 matrices G = D + E , where: • D is similar to G , except that all the diagonal entriesof D are φ mn instead of Φ mn . Then, D has identicalcolumns (columns i and M + i are identical), andthus it is negative semi-definite. • E is a diagonal matrix with entries equal to ∆ mn .Thus, E is negative definiteAs a result, G ( s , ω ) is the sum of a negative semi-definitematrix and a negative definite matrix ( E ). Thus, G ( s , ω ) isnegative definite. Therefore, [ G ( s , ω ) + G T ( s , ω )] is negativedefinite, and the proof is completed. Φ · · · · · · φ · · · · · · φ · · · m · · · · · · φ m · · · · · · φ m · · ·
00 0 · · · M · · · · · · φ M · · · · · · φ M ... ... ... . . . ... ... ... . . . ... ... ... φ n · · · · · · Φ n · · · · · · φ n · · · φ mn · · · · · · mn · · · · · · φ mn · · ·
00 0 · · · φ Mn · · · · · · Mn · · · · · · φ Mn ... ... ... . . . ... ... ... . . . ... ... ... φ N · · · · · · φ N · · · · · · Φ N · · · φ mN · · · · · · φ mN · · · · · · mN · · ·
00 0 · · · φ MN · · · · · · φ MN · · · · · · MN . (15) A PPENDIX EP ROOF OF T HEOREM Assume that follower n is employing strategy s n whichinvests less than the available budget, i.e., (cid:80) Mm =1 s mn < B n .The utility function in this case is given in (3). Without lossof generality, if the follower chooses a strategy s (cid:48) n whichinvests the remaining budget ∆ s jn into a chain j , its utilityfunction becomes: U (cid:48) n = (cid:88) m ∈M − j (cid:18) s mn s mn + T m R m (cid:19) + s jn + ∆ s jn s jn + ∆ s jn + T j R j , (19)where M − j is the set of all chains except chain j . Then, thedifference in the utilities between the two strategies is: U (cid:48) n − U n = s jn + ∆ s jn s jn + ∆ s jn + T j R j − s jn s jn + T j R j , = ∆ s jn (cid:80) k ∈N − n s jk ( s jn + ∆ s jn + T j )( s jn + T j ) , (20)which is always positive. This means that s n always givesa lower payoff than s (cid:48) n regardless of the other followers’strategies, and the proof is completed. A PPENDIX FP ROOF OF T HEOREM We prove that at the point where every follower’s strategysatisfies s mn = B n R m (cid:80) Mi =1 R i , ∀ m ∈ M , ∀ n ∈ N , everyfollower’s strategy maximizes its utility ( ∂U n ∂s mn = 0 ). There-fore, no rational follower will deviate from this point, and thus this is the Nash equilibrium of this game. Substitute s mn = B n R m (cid:80) Mi =1 R i into ∂U n ∂s mn , we have ∂U n ∂s mn = R m T m ( s mn + T m ) − R M T M ( s Mn + T M ) , = (cid:80) j ∈N − n B j R m (cid:80) Mi =1 R i (cid:80) Nn =1 ( B n R m (cid:80) Mi =1 R i ) − (cid:80) j ∈N − n B j R M (cid:80) Mi =1 R i (cid:80) Nn =1 ( B n R M (cid:80) Mi =1 R i ) , = (cid:88) j ∈N − n B j (cid:18) (cid:80) Mi =1 R i (cid:80) Nn =1 ( B n ) − (cid:80) Mi =1 R i (cid:80) Nn =1 ( B n ) (cid:19) , =0 , ∀ m ∈ M , and ∀ n ∈ N . (21)The proof is now completed. A PPENDIX GP ROOF OF T HEOREM To find the equilibrium of this upper sub-game, we first findthe best response R ∗ m for each leader, i.e., the strategies thatmaximizes U m when the strategies of the other leaders arefixed. To this end, we first take the derivative of U m :d U m d R m = N (cid:88) n =1 B n (cid:80) i ∈M − m R i (cid:18) (cid:32) B n R m (cid:80) Mi =1 R i (cid:33)(cid:19) ( R m + (cid:80) i ∈M − m R i ) (cid:1) − . (22)To find R ∗ m , we solve d U m d R m = 0 , i.e., N (cid:88) n =1 B n (cid:80) i ∈M − m R i (cid:18) (cid:32) B n R m (cid:80) Mi =1 R i (cid:33)(cid:19) ( R m + (cid:80) i ∈M − m R i ) (cid:1) − . (23)ince the leaders’ utility functions are the same, we have (cid:80) i ∈M − m R i = ( M − R m . Then, (23) becomes ∂U m ∂R m = N (cid:88) n =1 B n (cid:80) i ∈M − m R i (cid:18) (cid:32) B n R m (cid:80) Mi =1 R i (cid:33)(cid:19) ( R m + (cid:80) i ∈M − m R i ) − , N (cid:88) n =1 B n (cid:80) i ∈M − m R i (cid:18) (cid:32) B n R m (cid:80) Mi =1 R i (cid:33)(cid:19) ( R m + (cid:80) i ∈M − m R i ) = 1 , N (cid:88) n =1 B n ( M − R m (cid:18) (cid:18) B n R m M R m (cid:19)(cid:19) ( M R m ) = 1 , N (cid:88) n =1 B n ( M − (cid:18) (cid:18) B n M (cid:19)(cid:19) M R m = 1 ,M − M N (cid:88) n =1 B n (cid:18) (cid:18) B n M (cid:19)(cid:19) = R m . (24)Thus, R ∗ m = M − M N (cid:88) n =1 B n (cid:18) (cid:18) B n M (cid:19)(cid:19) , (25)is the optimal strategy of leader m . Since R ∗ m is uniquelydefined by constants, i.e., M and B n , the equilibrium ofthis upper sub-game exists and is unique. As a result, theconsidered Stackelberg game admits a unique Stackelbergequilibrium. A PPENDIX HA LGORITHM Algorithm 1
Simulation Steps k ← repeat if reward scheme = dynamic then /* Chains set block rewards at each epoch */ for m := 1 to M do R ∗ m ← M − M (cid:80) Nn =1 B n (cid:18) (cid:18) B n M (cid:19)(cid:19) end for end if for n := 1 to N do /* Followers make decisions */ for m := 1 to M do Find s ∗ mn using fmincon end for end for if Adversary = Static then /* Static Adversary */ Adversary attacks with fixed B A else /* Adaptive Adversary */ Adversary corrupts N A stakeholders Adversary attacks with B A = (cid:80) i ∈N A B i end if for i := 1 to N ∆ do /* Randomly adjust followers’ budgets */ Adjust a random follower budget by ± ∆ s B n end for k ← k + 1 until k > nk > n