<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta>
      <journal-title-group>
        <journal-title>Distributed Ledger Technology Workshop, June</journal-title>
      </journal-title-group>
    </journal-meta>
    <article-meta>
      <title-group>
        <article-title>Analysis of a Blockchain Protocol Based on LDPC Codes</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Massimo Battaglioni</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Paolo Santini</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Giulia Rafaiani</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Franco Chiaraluce</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Marco Baldi</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Department of Information Engineering, Università Politecnica delle Marche</institution>
          ,
          <addr-line>Ancona, 60131</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2022</year>
      </pub-date>
      <volume>20</volume>
      <issue>2022</issue>
      <fpage>0000</fpage>
      <lpage>0002</lpage>
      <abstract>
        <p>In a blockchain Data Availability Attack (DAA), a malicious node publishes a block header but withholds part of the block, which contains invalid transactions. Honest full nodes, which can download and store the full ledger, are aware that some data are not available but they have no formal way to prove it to light nodes, i.e., nodes that have limited resources and are not able to access the whole blockchain data. A common solution to counter these attacks exploits linear error correcting codes to encode the block content. A recent protocol, called SPAR, employs coded Merkle trees and low-density parity-check codes to counter DAAs. In this paper, we show that the protocol is less secure than claimed, owing to a redefinition of the adversarial success probability. As a consequence we show that, for some realistic choices of the parameters, the total amount of data downloaded by light nodes is larger than that obtainable with competing solutions.</p>
      </abstract>
      <kwd-group>
        <kwd>eol&gt;Blockchain</kwd>
        <kwd>data availability attacks</kwd>
        <kwd>LDPC codes</kwd>
        <kwd>SPAR protocol</kwd>
      </kwd-group>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>
        A blockchain can be seen as an ordered list of blocks, each containing a set of transactions
occurred among the participants of a peer-to-peer network. The recent discovery of Data
Availability Attacks (DAAs) represents a new threat against blockchain security. Since the
DAA introduction in [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ], there has been a growing research interest in finding efficient
countermeasures to this type of attacks, possibly leading to new blockchain models with improved
scalability and security (e.g., [
        <xref ref-type="bibr" rid="ref1 ref13 ref5 ref8">13, 8, 1, 5</xref>
        ]).
      </p>
      <p>
        In fact, scalability, which is related to the ability of supporting large transaction rates,
represents one of the main issues in most existing blockchains [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ]. The straightforward solution of
increasing the block size raises a series of further concerns. In fact, the larger the block size
the smaller the number of nodes able to download the full blockchain and, indeed, to
participate in the network as full nodes, verifying the validity of new blocks and of every contained
transaction. More peers would rather participate in the network as light nodes, which, due to
their limited resources, store only a squeezed version of the blockchain [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ] and, consequently,
cannot autonomously verify the validity of transactions.
      </p>
      <p>
        Light nodes aim at downloading as less data as possible. For instance, they may store only
the block headers, which unambiguously identify the content of the blocks. However, in a
setting with relatively few full nodes, collusion among them is more probable; this makes light
nodes more susceptible to DAAs. In fact, the aim of a DAA is to make at least one light node
accept a block which has not been fully disclosed to the network. This can happen if and only if
honest full nodes are prevented from preparing fraud proofs, i.e., demonstrations that the block
is invalid [
        <xref ref-type="bibr" rid="ref13 ref3">13, 3</xref>
        ].
      </p>
      <p>
        One of the most promising countermeasures to DAAs consists in encoding the blocks through
some error correcting code. Encoding introduces redundancy and distributes the information
of each transaction across all the codeword symbols, so that recovering a small portion of
an encoded block may be enough to retrieve the entirety of its contents through decoding.
This strategy, combined with a sampling process in which light nodes ask for fragments of
an encoded block and then gossip them to the connected full nodes, ensures that malicious
block producers are forced to reveal enough pieces of the invalid block [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. An alternative
to transactions encoding is to change the protocol in such a way that a group of light nodes
can collaboratively (among themselves) and autonomously (from full nodes) verify blocks [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ].
Another option is to decouple the consensus rules from the transaction validity rules [
        <xref ref-type="bibr" rid="ref1 ref4">1, 4</xref>
        ].
      </p>
      <p>
        In a recent paper [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ], Yu et al. proposed SPAR, a blockchain protocol which uses Low-Density
Parity-Check (LDPC) codes to counter DAAs; LDPC codes for this specific application have
then been studied in [
        <xref ref-type="bibr" rid="ref8 ref9">8, 9</xref>
        ]. SPAR comes as an improvement of the protocol in [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ], the latter
using two-dimensional Reed-Solomon codes, whose parameters have been optimized in [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ].
The authors of SPAR study the protection against DAAs in case the adversary aims to prevent
honest full nodes from successfully decoding the block, which is a strict requirement to settle a
proper fraud proof. In [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ], this situation is investigated assuming the adversary operates by
withholding pieces of the encoded block; under a coding theory perspective, this gets modeled
as a transmission over an erasure channel. They conclude that, unless the adversary is able
to find stopping sets (which is an NP-hard problem [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ]), SPAR guarantees that the success
probability of a DAA is sufficiently small even when light nodes download a small amount of
data besides the block header. As a consequence, SPAR claims improvements in all the relevant
metrics [13, Table 1].
      </p>
      <p>
        Our contribution In this paper we study the security of the SPAR protocol. Namely, we
recompute the adversarial success probability with the consideration that deceiving at least a
single light node is a success for the attacker, which is the same scenario considered in [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ]. This
yields a sampling cost that is much larger than the expected one, thus penalizing the light nodes
participating in the network. Moreover, we show that the total amount of data that light nodes
have to download (header size plus sampling cost) is actually larger than that of competing
solutions such as [
        <xref ref-type="bibr" rid="ref3">3</xref>
        ].
      </p>
      <p>Paper organization The paper is organized as follows. In Section 2 we describe the notation
and some background. In Section 3 we introduce a general framework to study DAAs. In Section
4 we provide some numerical results. Finally, in Section 5 we draw some conclusions.</p>
    </sec>
    <sec id="sec-2">
      <title>2. Notation and background</title>
      <p>In this section we establish the notation used throughout the paper, and recall some background
notions.</p>
      <sec id="sec-2-1">
        <title>2.1. Mathematical notation</title>
        <p>Given two integers a and b, we use [a, b] to indicate the set of integers x such that a ≤ x ≤ b.
For a set A, we use |A| to denote its cardinality. We denote with Fq the finite field with q
elements. Given a vector v, we use supp(v) to denote its support, i.e., the set containing the
positions of its non-zero entries and wH(v) to denote its Hamming weight, that is, the size of
its support. Given an integer l and a set A, Al is the set of vectors of length l taking entries
in A. Given a matrix M, mi,j denotes its entry at row i and column j, Mi,: denotes the i-th
row, and M:,j denotes the j-th column. Given a set A, M:,A (respectively, MA,:) represents the
matrix formed by the columns (respectively, rows) of M indexed by A.</p>
        <p>We denote by Concat the string concatenation function and by Hb(·) the binary entropy
function. Moreover, we denote by Hash a cryptographic hash function, with codomain D. Given
some vector a, we use T (a) to denote a generic hash tree structure constructed from a and
using Hash as underlying function. The root of the tree is denoted as T .Root(a); it generically
takes values in Dt and is a one-way function. With analogous notation, by T .Proof(a, i) we
refer to the proof that the i-th entry of a is a leaf in the base layer of the tree. Notice that, when
Hash is properly chosen, then for any pair of strings a 6= a′ we have T .Root(a) 6= T .Root(a′)
and, for any index i, T .Proof(a, i) 6= T .Proof(a′, i) with overwhelming probability (say, not
lower than 1 − 2−256 for modern hash functions); therefore, for the sake of simplicity, in the
following we assume the absence of root and proof collisions.</p>
      </sec>
      <sec id="sec-2-2">
        <title>2.2. LDPC codes</title>
        <p>LDPC codes are a family of linear codes characterized by parity-check matrices having a
relatively small number of non-zero entries compared to the number of zeros. Namely, if an
LDPC H ∈ Fr×n has full rank r &lt; n and row and column weight in the order of log(n) and
q
log(r), respectively, then it defines an LDPC code with length n and dimension k = n − r,
with code rate R = nk . If all the rows (columns, respectively) of H have the same Hamming
weight, we denote it as w (v, respectively). The associated code is C = c ∈ Fqn cH⊤ = 0 ,
where ⊤ denotes transposition. The rows of the parity-check matrix define the code parity-check
equations, that is,
n
X cj hi,j = 0, ∀i ∈ [1, r], ∀c ∈ C.
j=1
(1)
Equivalently, any code can be represented in terms of a generator matrix G ∈ Fk×n, which
q
forms a basis for C.</p>
        <p>
          In an Erasure Channel (EC), some of the codeword symbols are replaced with the erasure
symbol ǫ. To this end, we express the action of an EC as c + e′, where c is the input sequence
and e′ ∈ {0, ǫ}n, with ǫ such that, conventionally, ǫ + a = ǫ, ∀a ∈ Fq. A decoding algorithm
for the EC aims to obtain a codeword by substituting each erasure with an element from Fq. In
the case of LDPC codes, the most common decoder used over the EC is the peeling decoder [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ].
This algorithm works by expressing (1) as a linear system, where the unknowns are exactly the
erased symbols. Due to the sparsity of H, with large probability the linear system will include
several univariate equations, i.e., containing only one erasure. Each of these equations can be
solved to compute the corresponding unknown, which is then substituted into all the other
equations. This procedure is iterated until all the unknowns are found or, at some point, the
linear system does not contain any univariate equation, i.e., all the unsolved equations contain
at least two unknowns. In the former case we have a decoding success, while in the latter case
we have a failure, due to a stopping set [
          <xref ref-type="bibr" rid="ref11">11</xref>
          ], i.e., a set of symbols participating to parity-check
equations that contain at least two unknowns each. If all the symbols forming a stopping set are
erased, peeling decoding fails. The stopping ratio β of an LDPC code is defined as the minimum
stopping set size divided by n.
        </p>
      </sec>
      <sec id="sec-2-3">
        <title>2.3. Components of the SPAR protocol</title>
        <p>SPAR is based on a novel hash tree called Coded Merkle Tree (CMT), combined with an ad-hoc
hash-aware peeling decoder.</p>
        <p>Coded Merkle Tree A CMT is a hash tree which is constructed from ℓ linear codes
{C(1), · · · , C(ℓ)} over Fq; the i-th code has length ni and dimension ki. Each code C(i) is
defined by the systematic generator matrix G(i) = [Iki | Ai], with Ai ∈ Fqki×(ni−ki) and Iki
being the identity matrix of size ki. The CMT uses an integer b which must be a divisor of all
codelength values n1, · · · , nℓ. Furthermore, one needs to have partitions for the sets [1, ni],
for i ∈ [1, ℓ − 1]. Namely, we have Si = nS1(i), · · · , Sk(ii)+1 o which is a partition of [1, ni], such
that the S(i) are all disjoint and each one contains b elements, since ki+1 = ni/b. Starting from
j
c ∈ C(1), we build the associated CMT T ′(c) as follows:
1. set i = 1;
2. for j ∈ {1, · · · , ki+1}, set
with {z1, · · · , zb} = Sj(i);
uj = Concat Hash c(zi1) , · · · , Hash c(zib)
3. encode u = [u1, · · · , uki+1 ] as1 c = uG(i+1);
4. if i &lt; ℓ − 1, increase i and restart from step 2), otherwise set T ′.Root(c) = u.
1Notice that, when LDPC codes are considered, encoding is conveniently performed using the parity-check matrix
rather than the generator matrix. This implementation detail does not affect the conclusions of our analysis but,
considering encoding with the parity-check matrix, we would unnecessarily burden the notation. Therefore, we
stick to encoding with the generator matrix.
Hash-aware peeling decoder A hash-aware peeling decoder, described in [13, Section 4.3],
is an algorithm that decodes a set of ℓ words which are expected to constitute a CMT. Namely,
let {x(1), · · · , x(ℓ)}, where x(i) ∈ {Fq ∪ {ǫ}}ni, be the words to be decoded. The hash-aware
peeling decoder works in a top-down fashion and, at every iteration, uses the peeling decoder
strategy (i.e., recover erasures that participate in univariate parity-check equations) for any
layer of the CMT. Additionally, the hash-aware peeling decoder verifies the consistency between
symbols of connected layers of the tree via hash functions, whilst the symbols are recovered.
Decoding fails whenever a stopping set or a failed parity-check equation is met, just like the
conventional peeling decoder. Furthermore, the hash-aware peeling decoder fails in case check
consistency fails for some layer. Finally, an undetected error is met (but not recognized by the
decoder) if the decoded sequence is a codeword, but not the original one.</p>
      </sec>
    </sec>
    <sec id="sec-3">
      <title>3. A general framework to study DAAs</title>
      <p>
        In this section we present a general framework to study DAAs, and then apply it to the SPAR
protocol. For brevity, we only give the fundamentals of the model; for further details concerning
DAAs, we refer the interested reader to [
        <xref ref-type="bibr" rid="ref13 ref3">13, 3</xref>
        ].
      </p>
      <sec id="sec-3-1">
        <title>3.1. A general model for DAAs</title>
        <p>We consider a game in which an adversary A exchanges messages with m players P 1, · · · , P m,
who cannot communicate among themselves. Each player has access to an oracle O , who can
only perform polynomial time operations. Every list of transactions is seen as a vector u ∈ Fqk.
We assume that the following information is publicly available:
- a validity function f : Fqk 7→ {False, True}, which depends on the blockchain rules and
on its current status;
- a k-dimensional code C ⊆ Fqn with generator matrix G;
- two hash trees T , T ′ (the former is constructed upon the uncoded data u, while the latter
is constructed upon the codeword c = uG).</p>
        <p>The game proceeds as follows:
1. A chooses u ∈ Fqk such that f (u) = False and a vector c˜ ∈ Fn;
q
2. A challenges the players with (hu, hc), where hu = T .Root(u), hc = T ′.Root(c˜);
3. each player Pi selects Ji ⊆ [1, n] with size s;
4. A receives U = Sim=1 Ji;
5. to reply to a query containing the index i, A must send {˜ci, T .Proof(c˜, i)}; A is free to
choose which queries to reply and which ones to ignore;
6. if a player does not receive a valid reply for any of his queries, then he discards (hu, hc);
7. the players gossip all the valid answers to O , that aims to produce a proof for one of the
following facts:
a) ∃c˜ 6∈ C, such that T ′.Root(c˜) = hc;
b) ∃c˜ ∈ C such that T ′.Root(c˜) = hc, c˜ = u˜G and T .Root(u˜) 6= hu;
c) ∃c˜ ∈ C such that T ′.Root(c˜) = hc, c˜ = u˜G, T .Root(u˜) = hu and f (u˜) = False.</p>
        <p>Let us also define two properties.</p>
        <p>Property 1. Soundness: if a player accepts (hu, hc), then O will be able to recover c˜ (and u˜)
within a finite maximum delay.</p>
        <p>Property 2. Agreement: if a player accepts (hu, hc), then all the other players will accept (hu, hc)
within a finite maximum delay.</p>
        <p>Clearly, if A wins the game, which happens with probability γ, soundness and agreement
are caused to fail. We denote by γ the Adversarial Success Probability (ASP), i.e., the probability
that A wins a random execution of the game.</p>
        <p>
          It can be easily seen that, in our model, the players P 1, · · · , P m correspond to the light nodes
connected to a malicious node modeled by A . The oracle O instead represents the fact that we
assume any light node must be connected to at least one honest full node wishing to broadcast
fraud proofs. We remark that the hypotheses and properties that underlie our model are the
same under which DAAs have been studied in the literature [
          <xref ref-type="bibr" rid="ref12 ref13 ref3 ref8">13, 3, 8, 12</xref>
          ]. Finally, our model
does not fix any hash tree, nor code family; thus, it can be used to study several blockchain
networks. We now proceed by describing how SPAR adapts to such a model, but it can be easily
seen that also the protocol proposed in [
          <xref ref-type="bibr" rid="ref3">3</xref>
          ] fits into the model.
        </p>
      </sec>
      <sec id="sec-3-2">
        <title>3.2. DAAs in the SPAR protocol</title>
        <p>
          In SPAR, the CMT is instantiated using the code design procedure considered in [
          <xref ref-type="bibr" rid="ref7">7</xref>
          ], which
produces an ensemble of LDPC codes whose parity-check matrices have at most column weight
v and at most row weight w. As mentioned in Section 2.3, besides the CMT, SPAR requires the
use of another hash tree, denoted by T and considered as a standard Merkle tree.
        </p>
        <p>Let u ∈ Fqk denote the list of transactions of a new block. Then, a correctly constructed
header contains hu = T .Root(u) and hc = T ′.Root(c), with c = uG(1). However, in case of
a DAA, the word c˜ = c + e upon which hc is constructed may be any vector picked from Fn.
q
The authors of SPAR study the protection of the protocol against DAAs; namely, they initially
consider the following two cases:
a) if c˜(i) 6∈ C(i), then the proof consists in sending the value of all the symbols that participate
in a failed parity-check equation, except for one of them, together with their CMT proofs;
we refer to such a proof as parity-check equation incorrect-coding proof ;
b) if c˜ = c but f (u) = False, the adversary succeeds only if the samples received by the
oracle are not enough to allow the recovery of u from c˜ through decoding.</p>
        <p>The scenario where the oracle finds a hash inconsistency is also considered, in which case O can
broadcast a fraud proof to the light nodes, called here hash inconsistency incorrect-coding proof.</p>
        <p>
          The following bound for the ASP is derived [13, Theorem 1]:
γ ≤ max n(1 − αmin)s , 2maxi{Hb(αi)ni+ms log2(1−αi)}o
(2)
where αi is the undecodable ratio of C(i), that is, the minimum fraction of coded symbols
the adversary needs to make unavailable in order to prevent the oracle from full decoding,
αmin = mini(αi), and s is the number of queries performed by each light node. Therefore, if
the oracle is not able to decode due to the presence of a stopping set, the adversarial success
probability computed in [
          <xref ref-type="bibr" rid="ref13">13</xref>
          ] is the probability that exactly one player receives an answer to all
its queries.
        </p>
        <p>
          We argue here, instead, that a sufficient condition to break the soundness and agreement
as defined in [
          <xref ref-type="bibr" rid="ref13 ref3">3, 13</xref>
          ], and recalled in Section 3.1 is actually that at least one player accepts an
invalid block.
        </p>
        <p>Proposition 1. In SPAR, an adversary cannot cause the soundness and agreement to fail with
probability
γ ≤ min{1, max{1 − [1 − (1 − αmin)s]m , t2}},
(3)
where t2 = 2maxi{b(αi)ni+ms log(1−αi)}.</p>
        <p>Proof. According to Property 1, the soundness fails if at least one player accepts the block header,
but the oracle will not be able to dispatch a fraud proof. The probability that exactly one player
accepts the challenge is lower than or equal to (1 − αmin)s and, therefore, the probability that
exactly one player discards the challenge is larger than or equal to 1 − (1 − αmin)s. Considering
that there are m players, the probability that all of them discard the block is larger than or
equal to [1 − (1 − αmin)s]m. So, finally, the probability that at least a player accepts the block
is lower than or equal to</p>
        <p>1 − [1 − (1 − αmin)s]m .</p>
        <p>The rest of the proof is as in [13, Theorem 1].</p>
      </sec>
    </sec>
    <sec id="sec-4">
      <title>4. Numerical examples</title>
      <p>
        Let us consider the code parameters proposed in [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] as a benchmark. It is shown in [13, Table
2] that the most favourable value of the stopping ratio of the constructed ensemble (β∗) is
obtained when w = 8 and the code rate is R = 1/4, from which v = 6 easily follows. As in
[
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] we consider two cases: a strong adversary (SA) able to find stopping sets and erase the
corresponding symbols, and a weak adversary (WA) unable to find them and hence forced to
erase random symbols. For the SA, the undecodable ratio is α∗ = β∗ = 12.4%; instead, in case
of WA we have α∗ = 47% [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ]. According to [13, Table 2], when n = 4096, the probability
that the code stopping ratio α is smaller than the ensemble stopping ratio is relatively small
(3.2 · 10−4).
      </p>
      <p>In Table 1 we report the upper bound (2) and the newly assessed upper bound (3) on the ASP,
for some values of s, considering n = 4096 and m = 1024; notice that the new value is never
smaller than the previously computed upper bound. Clearly, this may have severe security
consequences.</p>
      <p>As obvious and expected, the upper bound on ASP is a decreasing function of the number of
samples s. So, once a target adversarial success probability is chosen, it is possible to compute
a lower bound for the value of s each player needs to ask in order to stay below it, simply by
inverting (2) and (3). Considering the same parameters as above (n = 4096 and m = 1024) we
obtain the results in Table 2.
where B is the block size, y is the hash size and b, introduced in Section 2.3, is the number of
batched hashes in each layer. Finally, t is the number of hashes in the root and determines the
header size H = tℓH, where ℓH = 256 is the binary length of the digests.</p>
      <p>
        In Table 3, we assess the sampling cost S, normalized with respect to the block size B,
assuming m = 1024, R = 1/4, k = 1024 symbols, B = 1 MB, b = 8, t = 256 hashes and
some different values of the ASP γ. A comparison with the optimized ASBK protocol [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ],
named after the original authors’ initials, is also reported, for which we have considered the
same block size, and codes defined over a field of size 2256. As expected, the optimized ASBK
protocol results in smaller sampling costs than the SPAR protocol (this also held true for the
original ASBK protocol [13, Fig. 4]).
      </p>
      <p>However, it should be noticed that SPAR has the advantage of relying on a fixed header
size whereas in ASBK the header size increases as the square root of the block size. Therefore,
considering the same setting, in Tables 4, 5 and 6 we have compared the total amount of
downloaded data D (sampling cost plus header size) using SPAR, to that obtained using the
optimized ASBK protocol, The tables also report the header size H for the optimized ASBK
protocol, when B = 1 MB, B = 10 MB and B = 100 MB, respectively. The header size for
SPAR does not depend on the block size and its value is tℓH = 8.192 kB. Notice that this
amount of data must be downloaded by any light node during the regular course of the protocol,
independently of the malicious behaviour of some full nodes, possibly resulting in the additional
download of fraud proofs.</p>
      <p>We observe that, for relatively small and moderate values of the block size, despite the larger
header size, the use of the ASBK protocol is preferable even if a weak adversary is taken into
account. Instead, when the block size is large, SPAR is very convenient in the presence of a
weak adversary, but still more costly than ASBK if the adversary is strong.</p>
    </sec>
    <sec id="sec-5">
      <title>5. Conclusion</title>
      <p>By carefully analyzing the SPAR protocol we have shown that the actual sampling cost required
by the scheme, in order to achieve target security guarantees, is much larger than that initially
expected. Moreover, it is shown that, in many practical scenarios, the amount of data that light
nodes have to download is larger than that of other well-known schemes.</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1]
          <string-name>
            <given-names>Mustafa</given-names>
            <surname>Al-Bassam</surname>
          </string-name>
          .
          <article-title>Lazyledger: A distributed data availability ledger with client-side smart contracts</article-title>
          . https://arxiv.org/pdf/
          <year>1905</year>
          .09274.pdf ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>Mustafa</given-names>
            <surname>Al-Bassam</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Alberto</given-names>
            <surname>Sonnino</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Vitalik</given-names>
            <surname>Buterin</surname>
          </string-name>
          .
          <article-title>Fraud and data availability proofs: Maximising light client security and scaling blockchains with dishonest majorities</article-title>
          . https://arxiv.org/pdf/
          <year>1809</year>
          .09044.pdf ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3]
          <string-name>
            <given-names>Mustafa</given-names>
            <surname>Al-Bassam</surname>
          </string-name>
          , Alberto Sonnino, Vitalik Buterin, and
          <string-name>
            <given-names>Ismail</given-names>
            <surname>Khoffi</surname>
          </string-name>
          .
          <article-title>Fraud and data availability proofs: Detecting invalid blocks in light clients</article-title>
          . In N. Borisov and C. Diaz, editors,
          <source>Financial Cryptography and Data Security, FC</source>
          <year>2021</year>
          , volume
          <volume>12675</volume>
          of Lecture Notes in Computer Science, pages
          <fpage>279</fpage>
          -
          <lpage>298</lpage>
          . Springer, Berlin, Heidelberg,
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Matteo</given-names>
            <surname>Bernardini</surname>
          </string-name>
          , Diego Pennino, and
          <string-name>
            <given-names>Maurizio</given-names>
            <surname>Pizzonia</surname>
          </string-name>
          .
          <article-title>Blockchains meet distributed hash tables: Decoupling validation from state storage</article-title>
          .
          <source>In CEUR Workshop Proceedings, 2nd Distributed Ledger Technology Workshop (DLT)</source>
          , volume
          <volume>2334</volume>
          , pages
          <fpage>43</fpage>
          -
          <lpage>55</lpage>
          , Pisa, Italia,
          <year>February 2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>Steven</given-names>
            <surname>Cao</surname>
          </string-name>
          , Swanand Kadhe, and Kannan Ramchandran.
          <article-title>CoVer: Collaborative light-nodeonly verification and data availability for blockchains</article-title>
          .
          <source>In Proceedings of the 2020 IEEE International Conference on Blockchain (Blockchain</source>
          <year>2020</year>
          ), pages
          <fpage>45</fpage>
          -
          <lpage>52</lpage>
          , Rhodes, Greece,
          <year>November 2020</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>Karunakaran</given-names>
            <surname>Murali</surname>
          </string-name>
          Krishnan and
          <string-name>
            <given-names>Priti</given-names>
            <surname>Shankar</surname>
          </string-name>
          .
          <article-title>Computing the stopping distance of a Tanner graph is NP-hard</article-title>
          .
          <source>IEEE Transactions on Information Theory</source>
          ,
          <volume>53</volume>
          (
          <issue>6</issue>
          ):
          <fpage>2278</fpage>
          -
          <lpage>2280</lpage>
          ,
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Michael</surname>
            <given-names>G.</given-names>
          </string-name>
          <string-name>
            <surname>Luby</surname>
            ,
            <given-names>Michael</given-names>
          </string-name>
          <string-name>
            <surname>Mitzenmacher</surname>
            ,
            <given-names>M. Amin</given-names>
          </string-name>
          <string-name>
            <surname>Shokrollahi</surname>
          </string-name>
          , and
          <string-name>
            <surname>Daniel</surname>
            <given-names>A.</given-names>
          </string-name>
          <string-name>
            <surname>Spielman</surname>
          </string-name>
          .
          <article-title>Efficient erasure correcting codes</article-title>
          .
          <source>IEEE Transactions on Information Theory</source>
          ,
          <volume>47</volume>
          (
          <issue>2</issue>
          ):
          <fpage>569</fpage>
          -
          <lpage>584</lpage>
          ,
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>Debarnab</given-names>
            <surname>Mitra</surname>
          </string-name>
          , Lev Tauz, and
          <string-name>
            <given-names>Lara</given-names>
            <surname>Dolecek</surname>
          </string-name>
          .
          <article-title>Concentrated stopping set design for coded Merkle tree: Improving security against data availability attacks in blockchain systems</article-title>
          .
          <source>In Proceedings of the International Symposium on Information Theory (ISIT</source>
          <year>2020</year>
          ), pages
          <fpage>136</fpage>
          -
          <lpage>140</lpage>
          , Los Angeles, CA, USA,
          <year>June 2020</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>Debarnab</given-names>
            <surname>Mitra</surname>
          </string-name>
          , Lev Tauz, and
          <string-name>
            <given-names>Lara</given-names>
            <surname>Dolecek</surname>
          </string-name>
          .
          <article-title>Concentrated stopping set design for coded Merkle tree: Improving security against data availability attacks in blockchain systems</article-title>
          . https://arxiv.org/pdf/
          <year>2010</year>
          .07363.pdf ,
          <year>2021</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>Satoshi</given-names>
            <surname>Nakamoto</surname>
          </string-name>
          .
          <article-title>Bitcoin: A peer-to-peer electronic cash system</article-title>
          . : https://bitcoin.org/bitcoin.pdf,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>Tom</given-names>
            <surname>Richardson</surname>
          </string-name>
          and
          <string-name>
            <given-names>Rüdiger</given-names>
            <surname>Urbanke</surname>
          </string-name>
          .
          <source>Modern Coding Theory</source>
          . Cambridge University Press,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>Paolo</surname>
            <given-names>Santini</given-names>
          </string-name>
          , Giulia Rafaiani, Massimo Battaglioni, Franco Chiaraluce, and
          <string-name>
            <given-names>Marco</given-names>
            <surname>Baldi</surname>
          </string-name>
          .
          <article-title>Optimization of a Reed-Solomon code-based protocol against blockchain data availability attacks</article-title>
          .
          <source>In Proceedings of IEEE International Conference on Communications (ICC)</source>
          <year>2022</year>
          , Seoul, South Korea and virtual, May
          <year>2022</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <surname>Mingchao</surname>
            <given-names>Yu</given-names>
          </string-name>
          , Saeid Sahraei,
          <string-name>
            <given-names>Songze</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Salman</given-names>
            <surname>Avestimehr</surname>
          </string-name>
          , Sreeram Kannan, and
          <string-name>
            <given-names>Pramod</given-names>
            <surname>Viswanath</surname>
          </string-name>
          .
          <article-title>Coded Merkle tree: Solving data availability attacks in blockchains</article-title>
          .
          <source>In J. Bonneau and N. Heninger</source>
          , editors,
          <source>Financial Cryptography and Data Security, FC</source>
          <year>2020</year>
          , volume
          <volume>12059</volume>
          of Lecture Notes in Computer Science, pages
          <fpage>114</fpage>
          -
          <lpage>134</lpage>
          . Springer, Cham,
          <year>2020</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <surname>Qiheng</surname>
            <given-names>Zhou</given-names>
          </string-name>
          , Huawei Huang, Zibin Zheng, and
          <string-name>
            <given-names>Jing</given-names>
            <surname>Bian</surname>
          </string-name>
          .
          <article-title>Solutions to scalability of blockchain: A survey</article-title>
          .
          <source>IEEE Access</source>
          ,
          <volume>8</volume>
          :
          <fpage>16440</fpage>
          -
          <lpage>16455</lpage>
          ,
          <year>2020</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>