Single-Tiered Hybrid PoW Consensus Protocol to Encourage Decentralization in Bitcoin

. We propose a single-tiered hybrid proof-of-work consensus protocol to encourage decentralization in bitcoin. Our new mechanism comprises coupled puzzles from which properties difer from each other; the one is the extant outsourceable bitcoin puzzle while the other is nonoutsourceable. Our new protocol enables miners to solve either puzzle as they want; therefore, blocks can be generated by either puzzle. Our hybrid consensus can be successfully implemented in bitcoin because it is backward-compatible with existing bitcoin mining equipment (more precisely, existing bitcoin mining ASICs).


Introduction
Blockchain is a distributed ledger that is shared and maintained by all participants in the network based on a consensus protocol.Te most widely used consensus mechanism is proof-of-work (PoW) [1], which has been deployed in public blockchain networks like Bitcoin [2] and Ethereum [3].
In PoW, block generation requires solving a cryptographic math puzzle whose solution is easy to verify but extremely hard to solve.Te participants in the blockchain network exhaust their computing resources to solve the puzzle.Here, the generating of blocks is called mining, and the participants are called miners.
Once a miner successfully mines a block, he becomes eligible to receive a reward.For this reason, the miners competitively participate in the mining process.Te time to generate a block is inversely proportional to the miner's computational power.And the difculty of the puzzles is adjusted so that a single block is created at certain intervals.To reduce the average block generation time, individual miners aggregate their computing powers into a mining pool, where all participating miners solve the puzzle together and share the rewards.In a mining pool, a pool manager distributes the partial PoW puzzle (pPoW) of lower difculty than the original full PoW puzzle (fPoW) to individual miners.If enough miners solve pPoW, some of these solutions are likely to become the solution of fPoW because each solution to pPoW has a probability of yielding a solution to the fPoW.Recently, the miners for PoW-based cryptocurrencies are centralized in the mining pool, and so, mining becomes a competition between mining pools.
However, mining pools undermine the decentralization and security of blockchain.Especially, if a single mining pool owns more than half of the entire network mining capacity, this pool can generate the blocks faster than any other pool, reaping all rewards and choosing which transactions to confrm (51% attack).In practice, the mining pool GHash.IO [4] controlled 55% of the bitcoin network from 12 June 2014 to 13 June 2014 and publicly promised to limit their capacity in order to avoid 51% attack.Recently, 8∼9 pools have controlled more than 90% of bitcoin network.Tus, the frst threat to decentralization came from mining pools.To discourage the pooled mining, a number of techniques such as 2-phase proof-of-work (2P-PoW) [5], Sign to Mine [6], Nonoutsourceable Scratch-Of Puzzles [7], PieceWork [8], Autolykos [9,10], and SmartPool [11] have been proposed.SmartPool implements a decentralized mining pool through an Ethereum smart contract whereas the others discourage mining pools through the nonoutsourceable PoW puzzles, in which the entity solving the puzzle can steal rewards from the pool manager.
Another threat to decentralization came from the fact that ASIC-equipped miners are able to fnd PoW solutions much faster and more efciently than miners equipped with the commodity hardware such as CPU and GPU.To reduce the disparity between the ASICs and regular hardware, studies on memory-bound computations have been carried out [9,12,13].Te most interesting practical examples are two asymmetric memory-hard PoW schemes in which memory required to verify a solution is signifcantly less than to fnd it [12,13].
Meanwhile, in order to be used in bitcoin practically, any solution to the centralized mining problem must preserve the existing blockchain; preserve large investments many miners have made and are planning to make in their equipment; provide a seamless transition from the existing system to the new one, providing adjustable knobs that can be fne-tuned for a desired trade-of that fts the community's needs [5].However, none of the proposals of [5][6][7][8][9][10][11] satisfes all the requirements above.In other words, the preceding techniques require some changes in the design of the cryptocurrency, and so, they are not compatible with the current bitcoin system.
Te aim of the present work is to propose a practical solution to the centralized mining problem that satisfes every requirement above.We frst propose a nonoutsourceable PoW puzzle that is simple and based on the hash rate of individual miners.Our scheme works by adding PubKey (public key) and HeaderSig (signature) felds to the original bitcoin block header.In this scheme, miners should repeatedly produce a signature (HeaderSig) for the contents of the block header (everything except the public key and signature feld), which is verifed by the public key (PubKey), and double hash the entire block header (including PubKey and HeaderSig felds) until the resulting hash is less than the difculty.In this case, the block reward of the coinbase transaction must be sent to only one Pay-to-Public-key-Hash (P2PKH) address which is produced from PubKey.
Transactions in blockchain systems such as Bitcoin and Ethereum use the Elliptic Curve Digital Signature Algorithm (ECDSA) as authentication of a transaction.Meanwhile, ECDSA is the randomized signature scheme, so, it is possible to generate many signatures for a single message and key pair.In other words, the miners can generate many signatures without changing the nonce feld in our scheme.However, we leave the nonce and extra nonce in the block header and coinbase transaction, respectively.Te reason is that in order to generate a large number of ECDSA signatures for the double hash test, it is efcient for the miner to vary only the message through the nonce and extra nonce felds (see Section 2 for more details.).
Second, we propose a single-tiered hybrid PoW consensus protocol by mixing our nonoutsourceable PoW with the original bitcoin PoW.In our hybrid scheme, only one of the original bitcoin PoW and proposed nonoutsourceable PoW is used to mine a single block.
Our hybrid PoW consensus enables original bitcoin ASIC miners to participate in mining without changing their hardware.Moreover, it enables the competition between solo miners in mining.Now, bitcoin mining is a competition between mining pools, but not solo miners.In other words, in the original bitcoin puzzle, the competition between solo miners is practically impossible.Meanwhile, nonoutsourceable puzzle prevents miners from aggregating.Hence, in our nonoutsourceable puzzle, the competition only between solo miners is possible.Consequently, in our hybrid scheme, the competition between solo miners can be done through the nonoutsourceable puzzle mining (see Sections 2.2 and 2.3 for more details).
Te rest of this paper is organized as follows.Section 2 introduces a nonoutsourceable PoW puzzle and hybrid consensus.Section 3 presents the difculty adjustment algorithm in hybrid consensus.Section 4 analyzes the security of the proposed scheme.Section 5 provides the simulation results.Discussion is given in Section 6.Finally, we conclude with Section 7. Let G be an Elliptic curve group of order q with generator point P. Te private key is a random integer (0 < d < q), and the public key is Q � d•P.H denotes a cryptographic hash function whose outputs have a bit length of no more than |q|, where |q| is the bit-length of q.

Proposed Scheme
Te ECDSA signing operation on a message m is defned as follows: Step 1. Choose a random integer k(0 Step 3. Compute r � r x mod q.If r � 0, go to Step 2. Step 4. Compute s � k − 1 (H(m) + rd) mod q.If s � 0, go to Step 1.
Te ECDSA verifying operation on a message m and signature (r, s) is defned as follows: Step 1. Verify that r and s are integers in the interval [1, q − 1].If any verifcation fails, then return "Reject."

2
Security and Communication Networks Step 2. Compute w � s − 1 mod q, u 1 � w H (m) mod q and u 2 � r w mod q.

Proposed Nonoutsourceable
where Heade rSig(m‖n, privKey CB ) is an ECDSA signature for m‖n, and privKey CB is the coinbase transaction (CB)'s private key corresponding to PubKey CB which produces the address of coinbase transaction.In our scheme, the coinbase transaction must include only one P2PKH address as a reward address.In the block header, PubKey CB is used to verify the signature.Meanwhile, in the coinbase transaction, it is used to verify the receiving (P2PKH) address.Tis is a nonoutsourceable puzzle [5,6].By defning mining problem can be considered as the process to fnd X that satisfes H(X) ≤ Target.
Miner can fnd a block by iterating through the nonce and extra nonce until the resulting hash is below the target.Meanwhile, miner can change X by repeatedly signing the fxed m‖n (i.e., without changing nonce and extra nonce) because the ECDSA signature utilizes randomization in the signature generation.
From equation ( 4), it can be seen that it is possible to change X by altering M � m‖n for fxed r.In this case, signature process requires only one hash (i.e., H(M)) and one modular multiplication (k − 1 H(M) mod q).However, if r is changed for fxed M, signature process requires at least one elliptic curve point multiplication (k•P), one modular inverse (k − 1 mod q), and two modular multiplication (k − 1 H(M) mod q andk − 1 r privKey CB mod q).From the facts above, miner would rather change only M through the nonce and extra nonce than repeatedly sign the fxed M for the many trials of X values in the given time.
Meanwhile, it is well known that for every valid signature (r, s), the pair (r, −s) is also a valid signature in EC-DSA.In order to make (r, s) unique, Step5 of EC-DSA signing can be modifed as follows: Step 5.If s ≤ (q − 1)/2, then outputs (r, s); else outputs (r, q − s).
In this case, Step 1 of verifying EC-DSA is modifed as follows: Step1.Verify that 1 ≤ r ≤ q − 1 and 1 ≤ s ≤ (q − 1)/2.If any verifcation fails, then return "Reject."Modifed EC-DSA as above or Schnorr signature [23] which is known to be strongly secure can be used in our scheme (more precisely, in equation ( 2)).
Compared to the PoW algorithm of Ergo [9], our nonoutsourceable Pow algorithm is not resistant to ASICs.Tis is needed to ensure the seamless and secure transition from the existing bitcoin system to our system (mentioned in Section 4.3).
Even our nonoutsourceable scheme is based on the application of a digital signature, only one modular multiplication (k − 1 H(M) mod q) is added to the original bitcoin Pow calculation.Tis gives the possibility to make the ASIC that can be used to solve both nonoutsourceable and outsourceable Pow puzzle.To remove this probability, in our nonoutsourceable puzzle, KECCAK-256 [24] is used instead of SHA-256 as a hash function in equation ( 2) and Merkle root generation.

Hybrid Consensus. Bitcoin PoW involves fnding a valid solution n to the following problem:
SHA − 256 2 (m‖n) ≤ Target SHA . (5) Meanwhile, our nonoutsourceable Pow involves fnding a valid solution n to the following problem:

Security and Communication Networks
We let H 1 (•) represents the PoW function of the original bitcoin and H 2 (•) represents the PoW function of our nonoutsourceable scheme.Let T 1 � Target SHA and T 2 � Target KECCAK .
If our hybrid consensus protocol is applied to starting from the k-th block generation, the blockchain can be denoted as follows: where B j (∈ B: 0 ≤ j < k) is the original bitcoin block and T j (∈ B or C: j ≥ k) is block generated by our scheme.In this case, B is the set of blocks generated by Puzzle1, and C is the set of blocks generated by Puzzle2.
Our hybrid consensus protocol causes some problems.First, the headers of bitcoin blocks difer from each other in relation to the puzzles generating block (Tables 1 and 2).However, blocks in C are backward compatible to bitcoin's legacy blocks in B because hash of the header of the previous block is 256 bits regardless of the type of block.Note that SHA256 is identical to KECCAK256 in the aspect that both of them compress arbitrary-length inputs to 256-bit outputs.
Second, our scheme requires a little addition to the way current client software interprets the information stored in the blockchain because of the blocks generated by our nonoutsourceable puzzle.However, this does not infuence the existing bitcoin ASIC miners who have solved traditional bitcoin puzzle (i.e., Puzzle1).In other words, our scheme does not require the bitcoin ASIC miners to make changes in their hardware, so, it can be easily adopted by bitcoin miners.
Let N 1 be a number of blocks generated by Puzzle1 and N 2 be a number of blocks generated by Puzzle2.And let Tird, the difculty targets T 1 and T 2 should be adjusted every 2016 blocks such that a block is generated approximately every 10 minutes and θ(� N 2 /N 1 ) ≈ 1 is satisfed.Tis will be described in the following section.Target is usually discussed in terms of the network difculty.

Difculty Adjustment in Bitcoin. Te block creation rate λ is given by
where R denotes the hash rate and D denotes the difculty.Let t 0 and t be the desired time and actual time consumed to create N(� 2016) blocks, respectively.Ten, and are satisfed where λ 0 is the desired block creation rate.
From equations ( 10)-( 12), and where D + and λ + are the difculty and block creation rate which are adapted in the next round.
From equation ( 14), Equation ( 15) ensures that the block creation rate is stable even if the hash rate is changed.From the defnition of block creation rate, following equations are satisfed:

Difculty Adjustment in
In this case, λ is the total block creation rate in hybrid consensus.From this, Tus, we can derive the relation between λ, λ 1 , and λ 2 as On the other hand, from equation (10), we have Assume that Ten, equation ( 20) can be written as follows: 4 Security and Communication Networks Equation (22) shows that it is always possible to adjust We will now show the method to control the difculties D 1 and D 2 so that N 1 � N 2 (i.e., λ 1 � λ 2 ) and From the assumption, N 1 ≠ N 2 (i.e., λ 1 ≠ λ 2 ) and N � N 1 + N 2 (� 2016) blocks are generated in time t( ≠ t 0 ).
First, we make the number of blocks generated by Puzzle2 equal to N 1 by regulating the difculty of Puzzle2.In other words, we set is the block creation rate of Puzzle2 corresponding to D 2 * , which is the updated difculty of Puzzle2.
From equations ( 28) and (32), and as a result, is satisfed.And from equations ( 26) and ( 34), From the facts above, the difculty retargeting algorithm of our hybrid scheme can be described as follows.
Let N 1 + and N 2 + be the number of blocks generated by Puzzle1 and Puzzle2 of the next round in time t 0 .
In order to satisfy N 1 , and μ + have to be regulated as follows.
Such a regulation ensures that in Puzzle1 and 2, the block creation rates are equal even if the hash rates are not.Besides, it ensures that the total block creation rate is stable in hybrid consensus.Equations ( 34) and (35) show that D 1 and D 2 are  34) and (35).However, we used μ and μ + in the description of Algorithm 1 because μ is used in the security analysis and simulation.
Note.We assume that hash rates R, R 1 and R 2 are constant over each single difculty adjustment interval.Tis is reasonable when considered as the average hash rate.

Security Analysis of Bitcoin.
Let R 1 be the total hash rate of Puzzle1.Ten, R 1 can be written as follows: where η is the number of pools, R 1i is the hash rate of the i-th pool, and R 1i > R 1i+1 for all i(0 < i < η).
When α 1 � R 11 /R 1 > 0.5, 51% attack is possible.In current bitcoin mining, α 2 � R 1 sub /R 1 > 0.5 is satisfed for π � 4 ∼ 5, when In other words, a few pool operators can control more than 51% of the total network's hashing power in bitcoin.Of course, such problems have already been known, and no practical solutions have been implemented in bitcoin.

Security Analysis of Proposed Scheme.
From equations ( 21) and (22), the proposed hybrid consensus can be seen as a single puzzle with difculty D 1 and hash rate R � R 1 +μR 2 .And from Section 3, R 1 � μR 2 is satisfed, and so, R � 2R 1 .
Hence, from equations ( 36) and (37), and From equations ( 38) and ( 39), both α 1 and α 2 are restricted to be in the interval (0, 1/2].From this, it can be seen that in our hybrid consensus, a few pool operators cannot control more than 51% of the total network's hashing power. As mentioned previously, the proposed scheme seems to be a double puzzle consensus, but it is essentially bitcoin.Our scheme only increases the total hashing power of the bitcoin network by adding the nonoutsourceable hashing power which cannot participate in pool formation.Such an increase of total hashing power would arguably weaken the pool's forces.In other words, there is no possible way for a single pool or combination of a few pools to control more than 51% of the total mining power, and all known attacks caused by pool such as selfsh mining [25][26][27][28][29][30] and block withholding [31] could be weakened.(Consider the possibility of 51% attack, selfsh mining attack, and block withholding attack by the other pools except the large pool who owns approximately 50% of the entire network mining capacity).

Initial Difculty Adjustment for the Security. R 1i of equation (
where A 1i is the hash rate of nonprogrammable mining hardware (e.g., ASIC) and B 1i is that of programmable mining hardware (e.g., GPU).It is obvious that A 1i is much larger than B 1i ; however, A 1i will never be able to participate in solving Puzzle2, and only B 1i might try to solve Puzzle2.Now, assume that ALGORITHM 1: Difculty retargeting in hybrid consensus.

Security and Communication Networks
From the target regulation of Section 3, it can be shown that and the total block creation rate λ can be denoted as follows: and R 2 may be expressed as follows: where A 2 is the hash rate of nonprogrammable mining hardware and B 2 is the hash rate of programmable mining hardware.It is trivial that A 2 is much greater than B 2 because Puzzle2 is not designed to be ASIC resistant.
If B 1j > 2R 2 , which would be possible only in the initial stage when our hybrid consensus is frst applied to bitcoin, then j-th mining pool of Puzzle1 will have a potentiality to cause the 51% attack by solving Puzzle2 since the following equation is satisfed: Puzzle2 is nonoutsourceable, and B 1j is the hash rate of the GPU pool.Hence, attack to Puzzle2 by B 1j is theoretically impossible.However, j-th mining pool has the possibility to generate the longest chain by using B 1j and R 1j (i.e., the possibility of selfsh mining) as follows: More precisely, C k+i (1 ≤ i < z) is mined by B 1j and B k+z is mined by R 1j .Of course, Puzzle2 is nonoutsourceable, and so, GPU miners of the pool seem to have no incentive to mine Puzzle2 blocks, C k+i (1 ≤ i < z).However, in fact, they have an incentive to mine Puzzle2 blocks because they can obtain revenue from the last mined Puzzle1 block, B k+z (z > 2).
In order to break the attempt for creating Puzzle2 blocks by GPU miners of Puzzle1 pool, we should not only allow Puzzle2 ASICs but also encourage them to participate in Puzzle2 mining.Hence, the Puzzle2 must have no resistance to ASIC.
Suppose that Ten, it is self-evident that 2R 2 > B 1j , and this shows that Puzzle 2 must encourage A 2 to increase rapidly so that it overpowers the hash rate of the massive GPU pool (i.e., B 1j ).
Of course, at frst, B 1j might be remarkably greater than A 2 .However, when considering the fact that a small pool of the latest ASIC miners can surpass the large pool of GPU miners in speed, A 2 will become larger than B 1j within a short period of time, and if equation (47) is once satisfed, there would be no possibility of 51% attack by B 1j .
From the facts above, while R 2 < B 1j is satisfed (i.e., the initial stage of hybrid consensus), target regulation must ensure that and so, N 1 > N 2 would be satisfed.In other words, Algorithm 1 of Section 3 cannot be used in the initial stage of hybrid consensus.Hence, the initial difculty adjustment would have to be considered.Let A 1 and B 1 be the hash rate of nonprogrammable and programmable mining hardware, respectively, in Puzzle1.Ten, Assume that the relationship between R 1 and B 1 can be approximately estimated.In other words, ε � R 1 /B 1 and In this case, the total block creation rate λ can be denoted as follows: and from equation (13), where D 1 + , D 2 + and λ + are the difculty of Puzzles and block creation rate which are adapted in the next round.
From equation (49), and Let N 1 + and N 2 + be the number of blocks generated by Puzzle1 and Puzzle2 of the next round in time t 0 .
In order to satisfy N 1 have to be regulated as follows.Such a regulation ensures that the total block creation rate is stable, and our hybrid consensus is secure from 51% attack in the initial stage.We assume that R 1 /ε > B 1j is satisfed during the whole period of transition (i.e., τ ≤ 1).Tis is reasonable because, in the current bitcoin, A 1 is much larger than B 1 (i.e., R 1 � εB 1 > εB 1j ) and disparity between A 1 and B 1 goes on increasing (i.e., R 1 /B 1 becomes larger than 8 Security and Communication Networks ε) as time advances (see Figure 1(a) of Section 5).If τ > 1 (i.e., R 2 > B 1j ) is once satisfed, then A 1 > A 2 > B 1 > B 2 would be satisfed, and Algorithm 1 would be used instead of Algorithm 2. Te only diference between Algorithms 1 and 2 is the way that D 1 /D 2 is chosen.

Simulation Result
We evaluated our hybrid consensus scheme with 1000-node experiments on the emulated network.We denote a round as the difculty retarget period of 2016 blocks.Hence, PoW difculty is constant in a round (i.e., the difculty is not adjusted for 2016 blocks) and is adjusted dynamically when the round is switched.
In practice, the hash rate of the total network is continuously changed during a single round, but it is constant during the short period of time from any given moment even if round is being switched.However, in simulation, we assumed that the hash rate is constant during the whole period of a single round and is changed only when the round is switched.Of course, this does not contravene the practice when considered as the average hash rate of the round (mentioned in Section 3).
For simplicity, we set ε � 6 and measured N 1 /N 2 , t 0 /t, and u changing R 1 and R 2 (more precisely, R 1 /R 2 ). Figure 1 shows the simulation result of our hybrid scheme.B * denotes B 1 of middle round (i.e., Round15).As can be seen, real crossover point at which Algorithm 2 is replaced by Algorithm 1 is in Round 12.In the rounds before Round 12, u is equal to ε, and in the rounds after Round 12, u is close to R 1 /R 2 of previous round.And, by Algorithm 1, N 1 /N 2 and t 0 /t are kept close to 1. On the other hand, the ideal crossover point at which εR 2 becomes larger than R 1 is in Round 9. Tus, it would be possible to replace Algorithm 2 by Algorithm 1 in Round 10.However, unlike simulation, R 1 and R 2 are not known (only N 1 and N 2 are known) in practice, so the real point at which N 2 becomes larger than N 1 is used instead of ideal point.From lottery property of blockchain mining, the real point can be placed before the ideal point, but it can be ignored when considered the fact that both are placed after the point at which R 2 becomes larger than B 1 (i.e., Round 3).Overall, simulation result shows the possibility of seamless transition from original bitcoin to our hybrid scheme.In simulation, we changed R 1 and R 2 drastically (e.g., Round 15,16), but Algorithm 1 ensured the smooth regulation.However, in the real world, such sudden changes of R 1 and R 2 which are the average hash rates of a round (approximately 2 weeks) are not possible.
Recently, bitcoin hash rate, which is the average hash rate of retargeting interval, has never increased more than two times (or decreased less than one half ) within a period of 2 weeks.Tis can be seen from the analysis of the bitcoin hash rate over a period of four or fve years.
Of course, it is obvious that a rapid increase in hash rate in a short period of time is technically not possible.On the other hand, a rapid decrease in hash rate might be theoretically possible when the majority of miners hop of the bitcoin network.However, in practice, this is possible only in the mining of one or several blocks and cannot be held in the whole period to mine 2016 blocks because it requires that the majority of bitcoin miners secedes from mining and keeps up their seceding state for about entire 2 weeks.In other words, a signifcant decrease in hash rate is practically not possible in bitcoin mining.Meanwhile, in Puzzle2 mining, there is no possibility of pooled mining, and so, it is not possible for the majority of miners to secede from mining.From this, signifcant decrease of hash rate is not possible in Puzzle2 mining, too.
Following Figure 2 shows the simulation result which presents the change of individual block mining time when the majority of miners secedes from Puzzle1 mining in bitcoin and our hybrid scheme, respectively.In a simulation, we fxed R 2 and changed only R 1 .Of course, R 2 was used in the simulation of our scheme but not in the simulation of bitcoin.
Let w and w be the real time and desired time to mine one block, respectively (i.e., 2 16 w � t ).As shown in Figure 2, by pool hopping attack, w/w varies rapidly in bitcoin but varies smoothly in our hybrid scheme.Of course, the value of t/t does not vary rapidly in not only our scheme but bitcoin.

Discussion
Until now, we considered only the case of θ(� N 2 /N 1 ) � 1.However, diferent values of θ can be used in our hybrid scheme.
In other words, our solution is highly tunable.If θ is small (e.g., θ < 0.02), then hybrid PoW becomes outsourceable PoW as the original bitcoin.If θ is large (e.g., θ > 50), then hybrid PoW becomes nonoutsourceable PoW which uses Puzzle2.With the increase of θ, the work of our hybrid consensus can be smoothly shifted from outsourceable PoW to nonoutsourceable PoW.
When θ ≠ 1, difculty adjustment can be described as follows.Security and Communication Networks Equations ( 52) and ( 53) are identical to equations ( 26) and (34), respectively, for θ � 1.When θ ≠ 1, equations (38) and (39) can be described as follows: It is an open problem to fnd an optimum value of θ at which the hybrid consensus system is efcient and secure from all known attacks.
Te following facts would add the incentive for the miners to participate in Puzzle2 mining.
First, similar to the nonoutsourceable Puzzle of [9], Puzzle2 mining seems to be a race of signing power, but it is essentially the race of hashing power.Hence, it is not difcult to build the mining hardware for Puzzle2.
Let AS 1 be the Puzzle1 ASIC with hash rate R 3 .And let AS 2 be the Puzzle2 ASIC with the same hash rate of AS 1 .Ten, the block creation rates of AS 1 and AS 2 can be denoted as follows: From equations ( 56) and (57), λ AS 2 � μ λ AS 1 is satisfed, and so, it would be well advised to solve the Puzzle2 with lower difculty than Puzzle1.Especially, μ is much larger than 1 in initial stage of hybrid consensus, and μ > 1 is satisfed as long as Of course, it still remains an open problem that Puzzle2 solo miners would actually appear in our hybrid scheme.However, the only clear thing is that regardless of the appearance of Puzzle2 solo miners, in hybrid consensus, extant bitcoin pool miners will still be able to continue Puzzle1 mining by using hardware such as ASIC and GPU which they have used.When Puzzle2 solo miners appear, the only impact on extant Puzzle1 mining is that the revenue gain of every miner of Puzzle1 is reduced by a factor of 1/(1 + θ).
Unlike all previous works, in our hybrid PoW scheme, both pool miners and solo miners could have a practical opportunity for block generation through Puzzle1 and 2, respectively.

Conclusion
In this paper, we have presented a hybrid PoW consensus protocol in order to discourage centralization and tackle the 51% attack.In the proposed scheme, blocks can be generated by solving either the original outsourceable bitcoin puzzle or our nonoutsourceable puzzle.
Te main feature of our scheme is that it is fully compatible with current bitcoin designs; i.e., it can be implemented right now because it preserves both the existing blockchain and investments which have been made in mining hardware (Section 2.3).
Especially, our scheme gives a possibility of seamless transition from the existing bitcoin system to new one (Sections 3.2, 4.3, and 5) and a possibility that tunes tradeof between outsourceable and nonoutsourceable mining (Section 6).In contrast to the current bitcoin system and any other preceding protocols, our scheme presented two puzzles, but still is single-tired.
Finally, other puzzles which are known to be nonoutsourceable could be used with original bitcoin puzzle in our hybrid consensus protocol.

Figure 2 :
Figure 2: Comparison of single block mining time under the pool hopping attack (simulation).

10
TR 1 , • • • , TR t )‖T s ‖ Target, where v is a (software) version number, prevBlockHash is the hash value of the previous block, CB is a coinbase transaction for the miner who frst publishes a valid block, TR 1 , • • • , TR t is a set of valid transactions not yet confrmed, MR(x) denotes the root of the Merkle tree over transactions x, and T s is the time stamp.
Hybrid Consensus.Let us denote difculty, hash rate, and block creation rate of Puzzle1 by D 1 , R 1 , λ 1 and those of Puzzle2 by D 2 , R 2 , and λ 2 .Assume that N 1 and N 2 are the numbers of blocks generated by Puzzle1 and Puzzle2 in time t and N 1 + N 2 � N � 2016.

Table 1 :
Header of a block generated by Puzzle1.

Table 2 :
Header of a block generated by Puzzle2.