Professional Documents
Culture Documents
Moshe Babaio
Shahar Dobzinski
Sigal Oren
Aviv Zohar
d
i=1
A
s
v
(y
i
)
. .
v authorizes
+
d
i=1
(l y
i
) A
s
v
(y
i
)
k +
d
i=1
A
s
v
(y
i
)
. .
a decedent of v authorizes
where k is the number of nodes which are aware of the transaction outside the subtree which v is the
root of (this number includes v itself). We show that (c
1
, . . . , c
d
), where c
d
= l(v) 1 is dominated
by (c
1
, . . . , c
d
1). For this purpose, it is sucient to show the following claim:
Claim 2.7 Let T
v
be the set of strategy proles of all nodes other than v in which:
1. The subtree rooted at vs dth child spans a complete d-ary tree of height y
d
when v duplicates itself
c
d
times, or of a height y
d
+ 1 when v duplicates itself c
d
1 times.
2. There are at least k 2
1
+ 6d
d
y
d1
d1
+ 6 nodes that are not descendants of v that are aware of
the transaction.
Then: s
v
T
v
U
s
v
v
(c
1
, . . . , c
d
1) > U
s
v
v
(c
1
, . . . , c
d
)
Notice, that in any -subgame, both of the conditions for the lemma hold in every prole: in a
-subgame we have that if node v clones itself at most l(v) 2 times then his child will span a
tree that contains a full d-ary tree of height , and we are guaranteed k nodes that are aware of the
transaction.
7
We therefore turn to prove the claim.
Proof: The new strategy (c
1
, . . . , c
d
1) in eect distributes the message to one additional layer of the
subtree rooted at the dth child of v. That extra layers contains d
y
d
nodes. The utility of this strategy
is therefore:
U
s
v
v
(y
1
, . . . , y
d1
, y
d
+ 1) =
1 + l +
d1
i=1
(l y
i
) A
s
v
(y
i
) + (l y
d
1)(A
s
v
(y
d
) + d
y
d
)
k +
d
i=1
A
s
v
(y
i
) + d
y
d
So we have to show that:
s
v
U
s
v
v
(y
1
, . . . , y
d1
, y
d
+ 1) > U
s
v
v
(y
1
, . . . , y
d
)
For convenience, we will drop the index s
v
, but remember that we must check for every possible
strategy prole of the other nodes that:
1 + l +
d1
i=1
(l y
i
) A(y
i
) + (l y
d
1)(A(y
d
) + d
y
d
)
k +
d
i=1
A(y
i
) + d
y
d
>
1 + l +
d
i=1
(l y
i
) A(y
i
)
k +
d
i=1
A(y
i
)
multiplying by the denominator and dividing both sides by :
_
k +
d
i=1
A(y
i
)
_
(ly
d
1)(A(y
d
)+d
y
d
) >
_
k +
d
i=1
A(y
i
)
_
(ly
d
)A(y
d
)+d
y
d
1
+ l +
d
i=1
(l y
i
) A(y
i
)
_
_
k +
d
i=1
A(y
i
)
_
(l y
d
1) d
y
d
_
k +
d
i=1
A(y
i
)
_
A(y
d
) > d
y
d
1
+ l +
d
i=1
(l y
i
) A(y
i
)
_
_
k +
d
i=1
A(y
i
)
_
_
l y
d
1
A(y
d
)
d
y
d
_
>
_
1
+ l +
d
i=1
(l y
i
) A(y
i
)
_
Note that l y
d
1
A(y
d
)
d
y
d
> 0 since l y
d
2 and
A(y
d
)
d
y
d
< 1. Therefore we can divide by
l y
d
1
A(y
d
)
d
y
d
, after some rearranging we get that:
k >
1
+ l +
d
i=1
(l y
i
) A(y
i
)
l y
d
1
A(y
d
)
d
y
d
i=1
A(y
i
)
k >
1
+ l +
d
i=1
(l y
i
l + y
d
+ 1 +
A(y
d
)
d
y
d
) A(y
i
)
l y
d
1
A(y
d
)
d
y
d
k (l y
d
1
A(y
d
)
d
y
d
) >
1
+ l +
d
i=1
(y
i
+ y
d
+ 1 +
A(y
d
)
d
y
d
) A(y
i
) = ()
Recall that that the ds child spans a full tree of height y
d
: A(y
d
) =
d
y
d1
d1
. We bound the right hand
side of Equation 2.3.1 as follows:
()
1
+ l +
d
i:y
i
=y
d
_
1 +
A(y
d
)
d
y
d
_
A(y
i
) +
d
i:y
i
=y
d
+1
_
A(y
d
)
d
y
d
_
A(y
i
)
+
d
i:y
i
>y
d
+1
_
1 +
A(y
d
)
d
y
d
_
A(y
i
)
8
The last summation is negative because
A(y
d
)
d
y
d
< 1, and once we substitute A(y
d
) into the expression
we have that:
()
1
+ l +
d
i:y
i
=y
d
_
1 +
A(y
d
)
d
y
d
_
A(y
d
) +
d
i:y
i
=y
d
+1
A(y
d
)
d
y
d
A(y
d
+ 1)
Now notice that:
_
1 +
A(y
d
)
d
y
d
_
A(y
d
) =
A(y
d
) + d
y
d
d
y
d
A(y
d
) =
A(y
d
+ 1) A(y
d
)
d
y
d
and so we can write:
()
1
+ l +
i:y
i
=y
d
y
i
=y
d
+1
(1 +
A(y
d
)
d
y
d
) A(y
d
)
1
+ l +
i:y
i
=y
d
y
i
=y
d
+1
2 A(y
d
) (1)
1
+ l + 2 d A(y
d
) (2)
Therefore, we are looking for k such that:
k >
1
+ l + 2 d A(y
d
)
l y
d
1
A(y
d
)
d
y
d
= ()
We now divide into two cases.
Case I: l 2y
d
+ 4. In this case By using the fact
A(y
d
)
d
y
d
< 1 and continuing from Equation (2) we
can write:
() <
1
+ l + 2 d A(y
d
)
l y
d
2
1
+ l + 2 d A(y
d
)
l
2
2
1
l
+2+
4 d A(y
d
)
l
1
2
1
+2+dA(y
d
)
where the last transition relies on the fact that l 4.
Case II: l 2y
d
+ 3. Notice that by denition l is always at least y
d
+ 2. Therefore, by continuing
from Equation (2) we have:
()
1
+ l + 2 d A(y
d
)
2 1
A(y
d
)
d
y
d
1
+ l + 2 d A(y
d
)
1
1
d1
=
d 1
d 2
_
1
+ l + 2 d A(y
d
)
_
where for the second transition we used:
A(y
d
)
d
y
d
=
d
y
d
1
(d 1)d
y
d
<
1
d 1
Notice that A(y
d
) y
d
, hence, l 2A(y
d
) + 3. Recall that d 3 we can continue to bound ():
()
d 1
d 2
_
1
+ (2 d + 2) A(y
d
) + 3
_
2
1
+ 6 d A(y
d
) + 6
From Case I, and case II combined, we have that:
() 2
1
+ 6d A(y
d
) + 6
Thus, if k 2
1
+ 6d A(y
d
) + 6, for any node v the strategy of choosing c
i
= l(v) 1 for
some child i is dominated by the strategy (c
1
, . . . , c
i1
, c
i
1, c
i+1
, . . . , c
d
). Since k is the number of
nodes outside the tree rooted by v then for the lemma to hold it is sucient to have 7 seeds (each with
d children that span trees at height y
d
), and 2
1
+ 6 additional nodes.
9
3 A Lower Bound on Dominant Strategy Schemes
In the previous sections, we presented several reward schemes and analyzed their behavior in equilibrium.
The solution concept we analyzed was iterated removal of dominated strategies. Although iterated
removal of dominated strategies is a strong solution concept, a natural goal is to seek good reward
schemes that use even stronger solution concepts. We now show that there does not exist reward schemes
that guarantee both low overhead and low payment, if the solution concept is dominant strategies.
Theorem 3.1 Fix any H
s
H for each seed s. Let R be a reward scheme such that no duplication
and information propagation is a dominant strategy equilibrium for every node up to depth H
s
that is
in a tree rooted by a seed s. Suppose that at least half of the nodes are aware of the transaction at the
end of the distribution phase. The expected payment of R is at least
1
10
_
2
H4
t
2
+
1
t
_
H3
te
_
H3
_
where t
is the number of initial seeds.
As a corollary we get that for the total payment to be constant then the number of seeds must be
(2
H
2
). Moreover, for a constant t and large H the payment will be huge, at least ((H/c)
H3
) for
some constant c.
3.1 Proof of Theorem 3.1
Consider a reward scheme as in the statement. We claim that in a dominant strategy equilibrium,
at least
1
10
of the nodes that are aware of the transaction are in trees rooted by a seed s such that
H
s
H 2. Otherwise, the number of nodes that are aware of the transaction is at most:
t
10
d
H
1
d 1
+
9t
10
d
H3
1
d 1
<
t
2
d
H
1
d 1
A contradiction to the assumption that at least half of the nodes are aware of the transaction. We
will show that the expected payment (conditioned on a node in this tree hashing the transaction) of
every tree with H H
s
H 2 is at least
2
Hs2
t
2
+
1
t
_
Hs1
te
_
Hs1
2
H4
t
2
+
1
t
_
H3
te
_
H3
, and the
theorem will follow. From now on we x such a tree and denote its payment simply by r
i,h
(dropping
the superscript s). We start with several claims.
Claim 3.2 r
i,h
r
i,h+1
+ r
i+1,h+1
.
Proof: Consider a node v and suppose that every child of v uses the strategy of cloning itself (hi1)
times and does not distribute the message to its children. In case one of vs children authorizes the
transaction, the child declares that its last clone was the authorizer. Then, by Sybil proofness, v must
not gain by duplicating itself another time and then sending the transaction to its children.
In the appendix we prove the following two claims. The rst statement is similar to Pascals triangle.
Claim 3.3 r
1,1
Hs1
i=0
_
Hs1
i
_
r
i+1,Hs
Claim 3.4 Let v be some node at position h < H
s
that received the transaction. Let w be the number
of nodes that are not descendants of v that are aware of the transaction. If v has a dominant strategy
of transmitting the transaction without duplication then for every 1 k H
s
h,
r
1,h
w
r
1+k,h+k
.
In the appendix we use Claim 3.2 and Claim 3.4 to prove the following lemma:
Lemma 3.5 For any m 1 it holds that: r
m,Hs
1
2
_
1
t 1
+
(m 1)!
(t 1)
m1
_
10
We are now ready to prove Theorem 3.1. Let t be the number of seeds. Suppose that t 1 of
them do not distribute the transaction, and consider the tree of the only seed that does distribute the
transaction. By Lemma 3.5 it holds that for any i 1 it holds that r
i,Hs
1
2
_
1
t 1
+
(i 1)!
(t 1)
i1
_
.
Now, by Claim 3.3
r
1,1
Hs1
i=0
_
H
s
1
i
_
r
i+1,Hs
1
2
Hs1
i=0
_
H
s
1
i
_
_
1
t 1
+
i!
(t 1)
i
_
1
2
_
2
Hs1
t
+
(H
s
1)!
t
Hs1
_
2
Hs2
t
+
2(H
s
1)
2
_
H
s
1
t e
_
Hs1
2
Hs2
t
+
_
H
s
1
t e
_
Hs1
By applying Claim 3.4, we get that l r
h,h
r
1,1
t
2
Hs2
t
2
+
1
t
_
H
s
1
t e
_
Hs1
r
h,h
is the payment to the root in case the length of the winning chain was h, and so is a lower
bound on the overall payment of the scheme in that case.
Acknowledgements
We thank Jon Kleinberg for helpful discussions and valuable comments.
References
[1] The Bitcoin wiki. Available online at https://bitcoin.it.
[2] The DARPA network challenge. Available online at http://archive.darpa.mil/networkchallenge/.
[3] Joshua Davis. The crypto-currency: Bitcoin and its mysterious inventor. The New Yorker, October
10, 2011.
[4] Kirill Dyagilev, Shie Mannor, and Elad Yom-Tov. Generative models for rapid information propa-
gation. In Proceedings of the First Workshop on Social Media Analytics, SOMA 10, pages 3543,
New York, NY, USA, 2010. ACM.
[5] Yuval Emek, Ron Karidi, Moshe Tennenholtz, and Aviv Zohar. Mechanisms for multi-level mar-
keting. In Proceedings of the 12th ACM conference on Electronic commerce, EC 11, pages 209218,
New York, NY, USA, 2011. ACM.
[6] Jon Kleinberg and Prabhakar Raghavan. Query incentive networks. In FOCS 05: Proceedings of
the 46th IEEE Symposium on Foundations of Computer Science, pages 132141, 2005.
[7] Paul Krugman. Golden cyberfetters. Available online at
http://krugman.blogs.nytimes.com/2011/09/07/golden-cyberfetters/.
[8] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Available online at
http://bitcoin.org/bitcoin.pdf, 2008.
[9] Galen Pickard, Iyad Rahwan, Wei Pan, Manuel Cebrian, Riley Crane, Anmol Madan, and Alex
Pentland. Time critical social mobilization: The darpa network challenge winning strategy. CoRR,
abs/1008.3172, 2010.
[10] Fergal Reid and Martin Harrigan. An analysis of anonymity in the Bitcoin system. CoRR,
arXiv/1107.4524, 2011.
11
[11] James Surowiecki. Cryptocurrency. Technology Review, MIT. September/October, 2011. Available
online: http://www.technologyreview.com/computing/38392/.
A A Formal Model
In our game, one transaction needs to be authorized. There are n = t
d
H
1
d1
nodes (players), organized
in t complete d-ary trees each of height H, that are all directed towards the leaves. We call each root
of a tree a seed. The depth of a node is the number of nodes on the path from the root of the nodes
tree to the node (the depth of the root is 1).
In the most general denition of the strategy space, a strategy of a node v is to specify for each x 1
two things. First it species p
x,v
0, the number of fake identities (duplicates) of itself v has added
before trying to authorize the transaction with the last identity (it pretends that a node in a lower level
succeeds in authorizing the transaction). Secondly, for every child i it species a pair (b
x,v
i
, c
x,v
i
). The
meaning of the pair is that if v received the transaction from his parent and had x 1 predecessors
(including clones): b
x,v
i
{0, 1} species whether v sends the transaction to its ith child or not. In case
v does send the transaction to its i-th child, c
x,v
i
0 species how many fake identities of itself v has
added before sending the transaction.
Given a strategy prole S, a player v is aware of the transaction if v is a seed, or if v is the ithe
child of u that has x 1 predecessors, u is aware of the transaction, and pass it to v, that is b
x,u
i
= 1.
Once a node authorizes the transaction it determines the winning chain, this is a sequence of iden-
tities on the path from a root node to the authorizing identity. Every reward scheme is completely
dened by non-negative rewards r
s
i,h
for every seed s and every 1 i h. The reward r
s
i,h
is the reward
given to the i-th identity on the winning chain of length h that starts at authorizing node.
In this paper we consider reward schemes in which we want to motivate nodes not to duplicate
themselves. Therefore, from now on we restrict our attention to schemes that never reward nodes with
more than H predecessors, eectively implying that we only need to consider x H. Hence, we can
dene a more concise representation of the strategy space that will be used throughout the paper.
Formally, the strategy S
v
of a node v is represented as follows: for every 1 l H, there is a tuple
S
v
(l) = (c
l,v
1
, . . . , c
l,v
d
) where 0 c
l,v
i
l 1. In addition, for every 1 l H each node has a number
0 p
l,v
l 1.
We say that a node v propagates information and does not duplicate at l in strategy prole S if
S
v
(l) = (0, . . . , 0) and p
l,v
= 0.
Given a strategy prole S, dene the level l(v) of a node v that is the ith child of u in the tree in a
recursive way: if l(u) = 0 then l(v) = 0, and if l(u) > 0 then l(v) = l(u) 1 c
l(u),u
i
(note that c
l(u),u
i
is the is element of S
u
(l)). The level of each seed is dened to be H. Informally, if v is aware of the
transaction, then H l(v) + 1 is the length of the chain from the seed to v (including clones).
Given a strategy prole S and a reward scheme we can dene the utility of each node. An authorizer
w is chosen uniformly at random among the players that are aware of the transaction and try to authorize
it. Then, we allocate rewards to w and its ancestors. For each ancestor u of w let q(u) be the number
of duplicates of u in the path leading to w from the seed (that is for u which its ith child is in the path:
q(u) = c
l(u),u
i
). For w, let q(w) = p
l(w),w
. Let c(w) = H l(w) + q(w) + 1. The reward of any u in the
path to w (including w) is
q(u)
i=0
r
s
c(w)(i+Hl(u)+1),c(w)
, where s is the seed that roots the subtree that
w belongs to.
A reward scheme is individually rational for H in a tree rooted by s if for every 1 h H we have
that r
s
1,h
1. We assume that all players are expectation maximizers, so the utility of a player in a
given prole is its expected utility, where expectation is taken over the selection of the authorizer w.
All logarithms in this paper have base d, so throughout the paper we write log H to denote log
d
H.
12
B A Brief Overview of Bitcoin
In this section we give a brief overview of the Bitcoin protocol. This is by no means a complete
description. The main purpose of this section is to help understanding our modeling choices, and why
our proposed reward schemes can be implemented within the context of the existing protocol. The
reader is referred to [8, 1] for a complete description.
B.1 Signing Transactions and Public Key Cryptography
The basic setup of electronic transactions relies on public key cryptography. When Alice wants to
transfer 50 coins to Bob, she signs a transaction using her private key. Hence, everyone can verify that
Alice herself initiated this transaction (and not someone else). Bob, in turn, is identied as the target
of the transfer using his public key. For the money to be actually transferred from Alices account to
Bobs account, some entity has to keep track of the lastest owner of the coins, and to change this owner
from Alice to Bob. Otherwise, Alice could double spend her money First transfer the coins to Bob,
then transfer the same coins again to Charlie. Traditionally, this role was fullled by banks. In return,
banks tended to charge high fees, for example in international transfers.
B.2 Agreeing on the History by Majority of CPU power
Bitcoin suggests a dierent solution to this problem. A peer to peer network is used to validate all
transactions. Nodes in the network agree on a common history using a majority of CPU power
mechanism. A mechanism can not rely on a numerical majority of the nodes, as it is relatively easy
to create additional identities in a network, for example by spoong IP addresses. We rst describe the
protocol that the network implements and then explain why the history is accepted only if it is agreed
upon by nodes that together control a majority of the CPU power.
Let us assume again that Alice wants to transfer 50 coins to Bob. Alice will send her signed
transaction to some of the nodes in the network. Next, these nodes will forward the transaction to all
of their neighbors in the network and so on. A node that receives the transaction rst veries that this
is a valid transaction (e.g. that the money being transferred indeed belongs to Alice). If successful,
the node adds this transaction to the block of transactions it attempts to authorize (the specic details
on the structure of this block are omitted). To authorize a block, a node has to solve an inverse Hash
problem. More specically, its goal is to add some bits (nonce) to the block such that the Hash value
of the new block begins with some predened number of zeroes.
The number of zeroes is adjusted such that the average time it takes the network to sign a block is
xed. The protocol uses a clever method to aggregate transactions (a Merkle tree) which assures that
the size of the block to be hashed is also xed. Additional information that is included in the block is
the hash of the previously authorized block. So, in fact, the authorized blocks form a chain in which
each block identies the one the preceded it.
When a node authorizes a block it broadcasts to the network the new block and the proof of work (the
string which is added to the block to get the desired hash). If a node receives two dierent authorized
blocks it adopts the one which is part of the longer chain.
Let us argue briey and informally why the history is determined by the majority of the CPU power
([8]). That is, the probability that a group of malicious nodes manages to change the history decreases
as the fraction of CPU they control decreases. Assume that a group of malicious nodes, that does not
have the majority of the CPU power, wants to change the chain that has currently been adopted by
the other nodes. Since the malicious nodes own less CPU power, their authorization rate is slower than
the authorization rate of the majority of the network, which is honest. Therefore, the longer chains will
be signed by the majority of the network (with high probability) and these are the ones that will be
adopted by the honest nodes in the network. In fact, once a block has been accepted into the chain,
13
the probability that a longer chain that displaces it will appear decreases exponentially with time (as
the chain that follows it grows longer it is harder to manufacture a longer alternative one). See [8] for
a more formal argument.
B.3 Transaction Fees
To incentivize nodes to participate in the peer to peer network and invest eort in authorizing trans-
actions, rewards have to be allocated. Currently, in the initial stages of the protocol this is done by
giving the authorizer of a block a xed amount of bitcoins (this also the only method for printing new
bitcoins). This xed amount will be reduced every few years at a rate determined by the protocol.
As the money creation is slowly phased out, there will be a need to reward the nodes dierently. The
protocol has been designed with this in mind. It already allows the transaction initiator to specify a
fee for authorizing her transaction. As we explained in the introduction this introduces an incentive
problem since nodes prefer to keep the transaction to themselves instead of broadcasting it.
B.4 On Implementing the Hybrid Scheme
We start with a rough description of how fees for authorizing transactions in Bitcoin are currently
implemented. Alice produces a transaction record in which she transfers some of her coins to Bob. She
species the fee (if any) for authorizing this transaction in a eld in the transaction record, and then
cryptographically signs this record. When Victor authorizes a transaction, the implication is that Alice
transferred some amount of money to Bob, and some amount of money (specied in the fee eld) to
Victor.
Any (, H)-almost uniform scheme can be implemented similarly (and thus, the Hybrid scheme can
be implemented similarly). Alice produces a dierent transaction record for every seed, in which she
species , H, and some amount of coins f (we normalized f = 1 in the previous sections the total
fee if a node in tree rooted by the seed authorizes the transaction will be (1 + H) f). We modify
the protocol so that every node that transfers the transaction to its children cryptographically signs
the transaction, and specically identies the child to whom the information is being sent using that
childs public key. The transaction information, therefore includes a chain of custody for the message
which will be dierent for every node that tries to authorize the transaction. The implication of Victor
authorizing a transaction is that Alice transferred some amount of money to Bob, a fee of f to every
node in the path (as it appears in the authorized message), and a fee of f + (Hh +1) f to Victor
if the path was of length h H. Payments will not be awarded if the chain of custody is not a valid
chain that leads from Alice to Victor.
C Missing Proofs
C.1 Missing Proof of Lemma 2.6
Let us assume that some elimination order ends with a sub-game that does not contain any prole
with full propagation and no duplication. Let T
, the strategy s
i
of full propagation and no duplication is
dominated by another strategy s
i
in which this player either duplicates or does not fully distribute. In
particular, let us x the behavior of the other players to be the prole s
i
in which they fully distribute
and do not duplicate (such a prole exists in T
by assumption). For s
i
to dominate s
i
, it must be that
u
i
(s
i
, s
i
) u
i
(s
i
, s
i
).
We will however show that the opposite holds, and thereby reach a contradiction. We dene a series
of strategies s
1
i
, s
2
i
, s
3
i
, . . . , s
m
i
such that s
1
i
= s
i
, and s
m
i
= s
i
for which we shall show:
14
u
i
(s
i
, s
i
) = u
i
(s
1
i
, s
i
) < u
i
(s
2
i
, s
i
) < . . . < u
i
(s
m
i
, s
i
) = u
i
(s
i
, s
i
). Note, that the strategies
s
2
i
, s
3
i
, . . . , s
m1
i
may or may not be in T
, and that we are merely using them to establish the utility for
s
i
, s
i
.
The strategy s
j+1
i
is simply the strategy s
j
i
, with one change: player i replicates itself one less time
to one of its children. Specically, if player i replicates itself (c
1
, . . . , c
d
) times correspondingly for each
of its d children, let = argmax
j
(c
j
) it will instead replicate itself (c
1
, . . . , c
1, . . . , c
d
) times in the
new strategy.
We establish the fact that u
i
(s
j
i
, s
i
) < u
i
(s
j+1
i
, s
i
) by a direct application of Claim 2.7. The claim
shows that replicating one less time is better given sucient external computation power, and given
that the nodes children fully distribute with no replication. Both of these are guaranteed in the prole
s
.
C.2 Missing Proof of Claim 3.3
By induction on H
s
. The base case is trivial r
1,1
r
1,1
. Next we assume that the claim holds for H
s
and
show it also holds for H
s+1
. By the induction hypothesis, we have that: r
1,1
Hs1
i=0
_
Hs1
i
_
r
i+1,Hs
.
We can now use Claim 3.2 to extend it to H
s+1
. We have that for every i: r
i,Hs
r
i,Hs+1
+ r
i+1,Hs+1
and also r
i1,Hs
r
i1,Hs+1
+ r
i,Hs+1
. This implies that the coecient of r
i,H
s+1
equals the sum of
coecients of r
i,Hs
+ r
i1,Hs
which we have by the induction assumption. Hence, the coecient of
r
i,H
s+1
is
_
Hs1
i2
_
+
_
Hs1
i1
_
=
_
Hs
i1
_
and the claim follows.
C.3 Missing Proof of Claim 3.4
If v does not distribute the transaction then it alone competes with w other nodes. If it does distribute
to all of its children, the children use the following strategy: each child duplicates itself exactly k 1,
and does not distribute the transaction further. In case a child u hashes the transaction then u declares
itself as the end of a chain of length h +k: h nodes of v and k nodes that belong to u. In this case, the
reward of v is r
1+k,h+k
. Therefore, by the assumption that for every k, v prefers to distribute to all of
his children even if they use the above strategies we have that:
r
1,h
w
r
1,h
+dr
1+k,h+k
w+d
. By rearranging
the previous inequality we have that
r
1,h
w
r
1+k,h+k
.
C.4 Missing Proof of Lemma 3.5
The proof is by induction on m. Recall that r
1,Hs
1 then the claim holds trivially for m = 1. We
assume for smaller values of m and prove for m + 1. Our proof relies on the following claim:
Claim C.1 For any h H
s
:
r
Hsh+1,Hs
1
t1
Hsh
j=1
r
j,h+j
r
1,h
1 +
1
t1
Hsh
j=1
r
j,h+j
Proof: By Claim 3.4 for any k such that h + k H
s
it holds that
r
1+k,h+k
r
1,h
t
.
which implies that
t r
Hsh+1,Hs
r
1,h
.
By Claim 3.2 for any i h < H
s
it holds that
r
i,h
r
i+1,h+1
+ r
i,h+1
15
which implies that
r
1,h
Hsh
j=1
r
j,h+j
+ r
Hsh+1,Hs
Now we can combine the above and derive that
t r
Hsh+1,Hs
r
1,h
Hsh
j=1
r
j,h+j
+ r
Hsh+1,Hs
and thus
r
Hsh+1,Hs
1
t 1
Hsh
j=1
r
j,h+j
and additionally by recalling that for every h, r
1,h
1
r
1,h
1 + r
Hsh+1,Hs
1 +
1
t 1
Hsh
j=1
r
j,h+j
We are now ready to prove Lemma 3.5. By Claim C.1 we have that:
r
m+1,Hs
1
t 1
m
j=1
r
j,Hsm+j
Notice that for all 0 j m: r
j,Hsm+j
r
m,Hs
, by a simple generalization of the sybil proofness of
Claim 3.2. We can now use the induction hypothesis and get that:
r
m+1,Hs
1
t 1
_
r
1,Hsm+1
+ (m 1)
_
1
2
_
1
t 1
+
(m 1)!
(t 1)
m1
___
(3)
Also by using the second part of Claim C.1 we have that r
1,Hsm+1
_
1 +
1
t 1
_
m1
j=1
r
j,Hsm+1+j
.
r
1,Hsm+1
1 +
1
t 1
(m 1)
_
1
2
_
1
t 1
+
(m 2)!
(t 1)
m2
__
(4)
1 +
_
1
2
_
(m 1)!
(t 1)
m1
__
By plugging in the bound from (4) in (3) we get that:
r
m+1,Hs
1
t 1
_
1 +
_
1
2
_
(m 1)!
(t 1)
m1
__
+ (m 1)
_
1
2
_
(m 1)!
(t 1)
m1
___
1
t 1
_
1 +
1
2
_
m!
(t 1)
m1
__
1
2
_
1
t 1
+
m!
(t 1)
m
_
16