区块链弹性告警协议 (Resilient Alerting Protocols for Blockchains)

Smart contracts are stateful programs deployed on blockchains; they secure over a trillion dollars in transaction value per year. High-stakes smart contracts often rely on timely alerts about external events, but prior work has not analyzed their resilience to an attacker suppressing alerts via bribery. We formalize this challenge in a cryptoeconomic setting as the \emph{alerting problem}, giving rise to a game between a bribing adversary and~$n$ rational participants, who pay a penalty if they are caught deviating from the protocol. We establish a quadratic, i.e.,~$O(n^2)$, upper bound, whereas a straightforward alerting protocol only achieves~$O(n)$ bribery cost. We present a \emph{simultaneous game} that asymptotically achieves the quadratic upper bound and thus asymptotically-optimal bribery resistance. We then present two protocols that implement our simultaneous game: The first leverages a strong network synchrony assumption. The second relaxes this strong assumption and instead takes advantage of trusted hardware and blockchain proof-of-publication to establish a timed commitment scheme. These two protocols are constant-time but incur a linear storage overhead on the blockchain. We analyze a third, \emph{sequential alerting} protocol that optimistically incurs no on-chain storage overhead, at the expense of~$O(n)$ worst-case execution time. All three protocols achieve asymptotically-optimal bribery costs, but with different resource and performance tradeoffs. Together, they illuminate a rich design space for practical solutions to the alerting problem.

翻译：智能合约是部署在区块链上的有状态程序；它们每年保障着超过万亿美元的交易价值。高风险的智能合约通常依赖对外部事件的及时告警，但先前的研究并未分析其对攻击者通过贿赂压制告警的弹性。我们在加密经济学环境中将这一挑战形式化为\emph{告警问题}，从而引出了贿赂对手与~$n$个理性参与者之间的博弈，其中参与者若被发现偏离协议将受到惩罚。我们建立了二次（即~$O(n^2)$）的上界，而一种直接的告警协议仅能达到~$O(n)$的贿赂成本。我们提出了一种\emph{同步博弈}，其渐近地达到了二次上界，从而实现了渐近最优的贿赂抵抗性。随后，我们提出了两种实现该同步博弈的协议：第一种利用了强网络同步性假设。第二种协议放宽了这一强假设，转而利用可信硬件和区块链的发布证明来建立定时承诺方案。这两种协议均为常数时间，但会在区块链上产生线性存储开销。我们分析了第三种\emph{顺序告警}协议，该协议乐观情况下不产生链上存储开销，但代价是~$O(n)$的最坏情况执行时间。所有三种协议都实现了渐近最优的贿赂成本，但在资源和性能上存在不同的权衡。它们共同为告警问题的实际解决方案揭示了一个丰富的设计空间。