Diego Nehab,Augusto Teixeira

DOI: https://doi.org/10.48550/arXiv.2212.12439

2022-12-23

Cryptography and Security

Abstract:Scalability problems in programmable blockchains have created a strong demand for secure methods that move the bulk of computation outside the blockchain. One of the preferred solutions to this problem involves off-chain computers that compete interactively to prove to the limited blockchain that theirs is the correct result of a given intensive computation. Each off-chain computer spends effort linear on the cost of the computation, while the blockchain adjudicates disputes spending only logarithmic effort. However, this effort is multiplied by the number of competitors, rendering disputes that involve a significant number of parties impractical and susceptible to Sybil attacks. In this paper, we propose a practical dispute resolution algorithm by which a single honest competitor can win disputes while spending effort linear on the cost of the computation, but only logarithmic on the number of dishonest competitors. This algorithm is a novel, stronger primitive for building permissionless fraud-proof protocols, which doesn't rely on complex economic incentives to be enforced.

Yujin Kwon,Jian Liu,Minjeong Kim,Dawn Song,Yongdae Kim

DOI: https://doi.org/10.1145/3318041.3355463

2019-01-01

Abstract:Bitcoin uses the proof-of-work (PoW) mechanism where nodes earn rewards in return for the use of their computing resources. Although this incentive system has attracted many participants, power has, at the same time, been significantly biased towards a few nodes, called mining pools. In addition, poor decentralization appears not only in PoW-based coins but also in coins that adopt proof-of-stake (PoS) and delegated proof-of-stake (DPoS) mechanisms. In this paper, we address the issue of centralization in the consensus protocol. To this end, we first define (m, epsilon, delta)-decentralization as a state satisfying that 1) there are at least m participants running a node, and 2) the ratio between the total resource power of nodes run by the richest and the delta-th percentile participants is less than or equal to 1 + epsilon. Therefore, when m is sufficiently large, and epsilon and delta are 0, (m, epsilon, delta)-decentralization represents full decentralization, which is an ideal state. To ascertain if it is possible to achieve good decentralization, we introduce conditions for an incentive system that will allow a blockchain to achieve (m, epsilon, delta)-decentralization. When satisfying the conditions, a blockchain system can reach full decentralization with probability 1, regardless of its consensus protocol. However, to achieve this, the blockchain system should be able to assign a positive Sybil cost, where the Sybil cost is defined as the difference between the cost for one participant running multiple nodes and the total cost for multiple participants each running one node. Conversely, we prove that if there is no Sybil cost, the probability of achieving (m, epsilon, delta)-decentralization is bounded above by a function of f(delta), where f(delta) is the ratio between the resource power of the delta-th percentile and the richest participants. Furthermore, the value of the upper bound is close to 0 for small values of f(delta). Considering the current gap between the rich and poor, this result implies that it is almost impossible for a system without Sybil costs to achieve good decentralization. In addition, because it is yet unknown how to assign a Sybil cost without relying on a TTP in blockchains, it also represents that currently, a contradiction between achieving good decentralization in the consensus protocol and not relying on a TTP exists.

Shang-En Huang,Seth Pettie,Leqi Zhu

DOI: https://doi.org/10.1145/3639454

IF: 2.269

2024-01-02

Journal of the ACM

Abstract:Since the mid-1980s it has been known that Byzantine Agreement can be solved with probability 1 asynchronously, even against an omniscient, computationally unbounded adversary that can adaptively corrupt up to f < n /3 parties. Moreover, the problem is insoluble with f ≥ n /3 corruptions. However, Bracha’s [13] 1984 protocol (see also Ben-Or [8]) achieved f < n /3 resilience at the cost of exponential expected latency 2 Θ ( n ) , a bound that has never been improved in this model with f = ⌊( n − 1)/3⌋ corruptions. In this paper, we prove that Byzantine Agreement in the asynchronous, full information model can be solved with probability 1 against an adaptive adversary that can corrupt f < n /3 parties, while incurring only polynomial latency with high probability . Our protocol follows an earlier polynomial latency protocol of King and Saia [33,34], which had suboptimal resilience, namely f ≈ n /10 9 [33,34]. Resilience f = ( n − 1)/3 is uniquely difficult, as this is the point at which the influence of the Byzantine and honest players are of roughly equal strength. The core technical problem we solve is to design a collective coin-flipping protocol that eventually lets us flip a coin with an unambiguous outcome. In the beginning, the influence of the Byzantine players is too powerful to overcome, and they can essentially fix the coin’s behavior at will. We guarantee that after just a polynomial number of executions of the coin-flipping protocol, either (a) the Byzantine players fail to fix the behavior of the coin (thereby ending the game) or (b) we can “blacklist” players such that the blacklisting rate for Byzantine players is at least as large as the blacklisting rate for good players. The blacklisting criterion is based on a simple statistical test of fraud detection .

computer science, information systems, theory & methods, software engineering, hardware & architecture

Mizanur Rahman,Ruben Recabarren,Bogdan Carbunar,Dongwon Lee

DOI: https://doi.org/10.1145/3091478.3091507

2017-06-06

Abstract:The profitability of fraud in online systems such as app markets and social networks marks the failure of existing defense mechanisms. In this paper, we propose FraudSys, a real-time fraud preemption approach that imposes Bitcoin-inspired computational puzzles on the devices that post online system activities, such as reviews and likes. We introduce and leverage several novel concepts that include (i) stateless, verifiable computational puzzles, that impose minimal performance overhead, but enable the efficient verification of their authenticity, (ii) a real-time, graph-based solution to assign fraud scores to user activities, and (iii) mechanisms to dynamically adjust puzzle difficulty levels based on fraud scores and the computational capabilities of devices. FraudSys does not alter the experience of users in online systems, but delays fraudulent actions and consumes significant computational resources of the fraudsters. Using real datasets from Google Play and Facebook, we demonstrate the feasibility of FraudSys by showing that the devices of honest users are minimally impacted, while fraudster controlled devices receive daily computational penalties of up to 3,079 hours. In addition, we show that with FraudSys, fraud does not pay off, as a user equipped with mining hardware (e.g., AntMiner S7) will earn less than half through fraud than from honest Bitcoin mining.

Social and Information Networks,Cryptography and Security

Giuliano Losa,Eli Gafni

2023-10-08

Abstract:We propose a new distributed-computing model, inspired by permissionless distributed systems such as Bitcoin and Ethereum, that allows studying permissionless consensus in a mathematically regular setting. Like in the sleepy model of Pass and Shi, we consider a synchronous, round-by-round message-passing system in which the set of online processors changes each round. Unlike the sleepy model, the set of processors may be infinite. Moreover, processors never fail; instead, an adversary can temporarily or permanently impersonate some processors. Finally, processors have access to a strong form of message-authentication that authenticates not only the sender of a message but also the round in which the message was sent. Assuming that, each round, the adversary impersonates less than 1/2 of the online processors, we present two consensus algorithms. The first ensures deterministic safety and constant latency in expectation, assuming a probabilistic leader-election oracle. The second ensures deterministic safety and deterministic liveness assuming irrevocable impersonation and eventually-stabilizing participation. The model is unrealistic in full generality. However, if we assume finitely many processes and that the set of faulty processes remains constant, the model coincides with a practically-motivated model: the static version of the sleepy model.

Distributed, Parallel, and Cluster Computing

Khandakar Md Shafin,Saha Reno

DOI: https://doi.org/10.1049/2024/6874055

2024-10-12

IET Software

Abstract:The ongoing challenge in the world of blockchain technology is finding a solution to the trilemma that involves balancing decentralization, security, and scalability. This paper introduces a pioneering blockchain architecture designed to transcend this trilemma, uniting advanced cryptographic methods, inventive security protocols, and dynamic decentralization mechanisms. Employing established techniques such as elliptic curve cryptography, Schnorr verifiable random function, and zero‐knowledge proof (zk‐SNARK), alongside groundbreaking methodologies for stake distribution, anomaly detection, and incentive alignment, our framework sets a new benchmark for secure, scalable, and decentralized blockchain ecosystems. The proposed system surpasses top‐tier consensuses by attaining a throughput of 1700+ transactions per second, ensuring robust security against all well‐known blockchain attacks without compromising scalability and demonstrating solid decentralization in benchmark analysis alongside 25 other blockchain systems, all achieved with an affordable hardware cost for validators and an average CPU usage of only 16.1%.

computer science, software engineering

Eric Budish,Andrew Lewis-Pye,Tim Roughgarden

2024-06-24

Abstract:The purpose of a consensus protocol is to keep a distributed network of nodes "in sync," even in the presence of an unpredictable communication network and adversarial behavior by some of the participating nodes. In the permissionless setting, these nodes may be operated by unknown players, with each player free to use multiple identifiers and to start or stop running the protocol at any time. Establishing that a permissionless consensus protocol is "secure" thus requires both a distributed computing argument (that the protocol guarantees consistency and liveness unless the fraction of adversarial participation is sufficiently large) and an economic argument (that carrying out an attack would be prohibitively expensive for an attacker). There is a mature toolbox for assembling arguments of the former type; the goal of this paper is to lay the foundations for arguments of the latter type. An ideal permissionless consensus protocol would, in addition to satisfying standard consistency and liveness guarantees, render consistency violations prohibitively expensive for the attacker without collateral damage to honest participants. We make this idea precise with our notion of the EAAC (expensive to attack in the absence of collapse) property, and prove the following results: 1. In the synchronous and dynamically available setting, with an adversary that controls at least one-half of the overall resources, no protocol can be EAAC. 2. In the partially synchronous and quasi-permissionless setting, with an adversary that controls at least one-third of the overall resources, no protocol can be EAAC. 3. In the synchronous and quasi-permissionless setting, there is a proof-of-stake protocol that, provided the adversary controls less than two-thirds of the overall stake, satisfies the EAAC property. All three results are optimal with respect to the size of the adversary.

Distributed, Parallel, and Cluster Computing

Mengfan Xu,Diego Klabjan

2024-07-26

Abstract:We study a robust, i.e. in presence of malicious participants, multi-agent multi-armed bandit problem where multiple participants are distributed on a fully decentralized blockchain, with the possibility of some being malicious. The rewards of arms are homogeneous among the honest participants, following time-invariant stochastic distributions, which are revealed to the participants only when certain conditions are met to ensure that the coordination mechanism is secure enough. The coordination mechanism's objective is to efficiently ensure the cumulative rewards gained by the honest participants are maximized. To this end, we are the first to incorporate advanced techniques from blockchains, as well as novel mechanisms, into such a cooperative decision making framework to design optimal strategies for honest participants. This framework allows various malicious behaviors and the maintenance of security and participant privacy. More specifically, we select a pool of validators who communicate to all participants, design a new consensus mechanism based on digital signatures for these validators, invent a UCB-based strategy that requires less information from participants through secure multi-party computation, and design the chain-participant interaction and an incentive mechanism to encourage participants' participation. Notably, we are the first to prove the theoretical regret of the proposed algorithm and claim its optimality. Unlike existing work that integrates blockchains with learning problems such as federated learning which mainly focuses on optimality via computational experiments, we demonstrate that the regret of honest participants is upper bounded by $\log{T}$ under certain assumptions. The regret bound is consistent with the multi-agent multi-armed bandit problem, both without malicious participants and with purely Byzantine attacks which do not affect the entire system.

Machine Learning,Multiagent Systems

Alejandro Ranchal-Pedrosa,Vincent Gramoli

2023-05-04

Abstract:The problem of Byzantine consensus has been key to designing secure distributed systems. However, it is particularly difficult, mainly due to the presence of Byzantine processes that act arbitrarily and the unknown message delays in general networks. Although it is well known that both safety and liveness are at risk as soon as n/3 Byzantine processes fail, very few works attempted to characterize precisely the faults that produce safety violations from the faults that produce termination violations. In this paper, we present a new lower bound on the solvability of the consensus problem by distinguishing deceitful faults violating safety and benign faults violating termination from the more general Byzantine faults, in what we call the Byzantine-deceitful-benign fault model. We show that one cannot solve consensus if $n \leq 3t + d + 2q$ with t, d, and q are Byzantine, deceitful, and benign processes. We show that this bound is tight by presenting the Basilic class of consensus protocols that solve consensus when $n > 3t + d + 2q$. These protocols differ in the number of processes from which they wait to receive messages before progressing. Then, we build upon the Basilic class in order to present Zero-Loss Blockchain (ZLB), the first blockchain that tolerates an adversary controlling more than half of the system, with up to less than a third of them Byzantine. ZLB is an open blockchain that combines recent theoretical advances in accountable Byzantine agreement to exclude undeniably faulty processes. Interestingly, ZLB does not need a known bound on the delay of messages but progressively reduces the portion of faulty processes below 13 , and reaches consensus. Geo-distributed experiments show that ZLB outperforms HotStuff and is almost as fast as the scalable Red Belly Blockchain that cannot tolerate n/3 faults.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

Junchao Chen,Suyash Gupta,Alberto Sonnino,Lefteris Kokoris-Kogias,Mohammad Sadoghi

2024-07-19

Abstract:Decentralized systems built around blockchain technology promise clients an immutable ledger. They add a transaction to the ledger after it undergoes consensus among the replicas that run a Proof-of-Stake (PoS) or Byzantine Fault-Tolerant (BFT) consensus protocol. Unfortunately, these protocols face a long-range attack where an adversary having access to the private keys of the replicas can rewrite the ledger. One solution is forcing each committed block from these protocols to undergo another consensus, Proof-of-Work(PoW) consensus; PoW protocol leads to wastage of computational resources as miners compete to solve complex puzzles. In this paper, we present the design of our Power-of-Collaboration (PoC) protocol, which guards existing PoS/BFT blockchains against long-range attacks and requires miners to collaborate rather than compete. PoC guarantees fairness and accountability and only marginally degrades the throughput of the underlying system.

Cryptography and Security,Databases,Distributed, Parallel, and Cluster Computing

Sebastian Müller,Andreas Penzkofer,Darcy Camargo,Olivia Saa

DOI: https://doi.org/10.48550/arXiv.2012.08313

2020-12-15

Abstract:Voting algorithms have been widely used as consensus protocols in the realization of fault-tolerant systems. These algorithms are best suited for distributed systems of nodes with low computational power or heterogeneous networks, where different nodes may have different levels of reputation or weight. Our main contribution is the construction of a fair voting protocol in the sense that the influence of the eventual outcome of a given participant is linear in its weight. Specifically, the fairness property guarantees that any node can actively participate in the consensus finding even with low resources or weight. We investigate effects that may arise from weighted voting, such as loss of anonymity, centralization, scalability, and discuss their relevance to protocol design and implementation.

Distributed, Parallel, and Cluster Computing,Probability

David Cerezo Sánchez

DOI: https://doi.org/10.3390/fintech1040025

2022-10-31

FinTech

Abstract:The latest developments in blockchain technology have conceptualised very efficient consensus protocols that have not yet been able to overcome older technologies. This paper presents Pravuil, a robust, secure, and scalable consensus protocol for a permissionless blockchain suitable for deployment in an adversarial environment such as the Internet. Using zero-knowledge authentication techniques, Pravuil circumvents previous shortcomings of other blockchains: Bitcoin’s limited adoption problem (as transaction demand grows, payment confirmation times grow much less than that of other PoW blockchains); higher transaction security at a lower cost; more decentralisation than other permissionless blockchains; impossibility of full decentralisation; the blockchain scalability trilemma (decentralisation, scalability, and security can be achieved simultaneously); and Sybil resistance for free implementation of the social optimum. Pravuil goes beyond the economic limits of Bitcoin and other PoW/PoS blockchains, leading to a more valuable and stable cryptocurrency.

Clinton Ehrlich,Anna Guzova

DOI: https://doi.org/10.48550/arXiv.1909.07433

2020-10-06

Abstract:This paper applies biomimetic engineering to the problem of permissionless Byzantine consensus and achieves results that surpass the prior state of the art by four orders of magnitude. It introduces a biologically inspired asymmetric Sybil-resistance mechanism, Proof-of-Balance, which can replace symmetric Proof-of-Work and Proof-of-Stake weighting schemes. The biomimetic mechanism is incorporated into a permissionless blockchain protocol, Key Retroactivity Network Consensus ("KRNC"), which delivers ~40,000 times the security and speed of today's decentralized ledgers. KRNC allows the fiat money that the public already owns to be upgraded with cryptographic inflation protection, eliminating the problems inherent in bootstrapping new currencies like Bitcoin and Ethereum. The paper includes two independently significant contributions to the literature. First, it replaces the non-structural axioms invoked in prior work with a new formal method for reasoning about trust, liveness, and safety from first principles. Second, it demonstrates how two previously overlooked exploits, book-prize attacks and pseudo-transfer attacks, collectively undermine the security guarantees of all prior permissionless ledgers.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Computer Science and Game Theory

Vittorio Capocasale

DOI: https://doi.org/10.7717/peerj-cs.1815

2024-01-20

PeerJ Computer Science

Abstract:Consensus algorithms play a crucial role in facilitating decision-making among a group of entities. In certain scenarios, some entities may attempt to hinder the consensus process, necessitating the use of Byzantine fault-tolerant consensus algorithms. Conversely, in scenarios where entities trust each other, more efficient crash fault-tolerant consensus algorithms can be employed. This study proposes an efficient consensus algorithm for an intermediate scenario that is both frequent and underexplored, involving a combination of non-trusting entities and a trusted entity. In particular, this study introduces a novel mining algorithm, based on chameleon hash functions, for the Nakamoto consensus. The resulting algorithm enables the trusted entity to generate tens of thousands blocks per second even on devices with low energy consumption, like personal laptops. This algorithm holds promise for use in centralized systems that require temporary decentralization, such as the creation of central bank digital currencies where service availability is of utmost importance.

computer science, information systems, artificial intelligence, theory & methods

Aixian Deng,Qian Ren,Yingjun Wu,Hong Lei,Bangdao Chen

DOI: https://doi.org/10.1109/tifs.2024.3451355

IF: 7.231

2024-09-14

IEEE Transactions on Information Forensics and Security

Abstract:Blockchain has been widely used in various industries for providing trustworthy data. On-chain data can be regarded as trusted after it is finalized by blockchain consensus, namely after the data is believed to be immutable. Unfortunately, nodes with poor/isolated network conditions are still susceptible to data spoofing attacks of blockchain view, spawning kinds of severe attacks. For example, a light node newly joining a blockchain network may request the blockchain view from a malicious full node and accept a spoof view, leading to a double spending attack. Besides, a Trusted Execution Environment (TEE), the network stack of which is fully controlled by its host, may be fed spoofed blockchain data as input, undermining the trustworthiness of TEE-based computation by cheating inputs. To resist data spoofing, existing methods rely on a trusted authority to identify trusted data, or timely provide sufficient confirmation blocks for a block b to prove the finalization of b (since the adversary holding less hash power than the honest blockchain node cannot generate the confirmation blocks timely). These methods either suffer the risks caused by centralized trust base or are only PoW-oriented and high-latency. As promising blockchains including Ethereum migrate to energy-saving consensus, e.g., PoS, designing consensus-agnostic approaches against data spoofing becomes an urgent need of the industries. In this paper, we introduce a Proof of Finalization (PoF) problem for proving the finalization of blockchain to prevent data spoofing attacks of blockchain. We also contrive a novel PoF scheme, which leverages the chain quality property of blockchain to establish a trustworthy committee for proof generation. The scheme is chain-agnostic, non-interactive, non-authority-involved, and with negligible latency. Once blockchain data is finalized, the latency of proof generation in our scheme is only 106 milliseconds. Therefore, our scheme paves the way for any system, e.g., light nodes, cross-chain bridges, and layer-2 systems, to read blockchains with various consensus securely.

computer science, theory & methods,engineering, electrical & electronic

Danny Bickson,Tzachy Reinman,Danny Dolev,Benny Pinkas

DOI: https://doi.org/10.1007/s12083-009-0051-9

2009-01-18

Abstract:We propose an efficient framework for enabling secure multi-party numerical computations in a Peer-to-Peer network. This problem arises in a range of applications such as collaborative filtering, distributed computation of trust and reputation, monitoring and other tasks, where the computing nodes is expected to preserve the privacy of their inputs while performing a joint computation of a certain function. Although there is a rich literature in the field of distributed systems security concerning secure multi-party computation, in practice it is hard to deploy those methods in very large scale Peer-to-Peer networks. In this work, we try to bridge the gap between theoretical algorithms in the security domain, and a practical Peer-to-Peer deployment. We consider two security models. The first is the semi-honest model where peers correctly follow the protocol, but try to reveal private information. We provide three possible schemes for secure multi-party numerical computation for this model and identify a single light-weight scheme which outperforms the others. Using extensive simulation results over real Internet topologies, we demonstrate that our scheme is scalable to very large networks, with up to millions of nodes. The second model we consider is the malicious peers model, where peers can behave arbitrarily, deliberately trying to affect the results of the computation as well as compromising the privacy of other peers. For this model we provide a fourth scheme to defend the execution of the computation against the malicious peers. The proposed scheme has a higher complexity relative to the semi-honest model. Overall, we provide the Peer-to-Peer network designer a set of tools to choose from, based on the desired level of security.

Cryptography and Security,Networking and Internet Architecture

Klaus Kursawe

DOI: https://doi.org/10.48550/arXiv.2007.08303

2020-07-16

Abstract:The advent of decentralized trading markets introduces a number of new challenges for consensus protocols. In addition to the `usual' attacks -- a subset of the validators trying to prevent disagreement -- there is now the possibility of financial fraud, which can abuse properties not normally considered critical in consensus protocols. We investigate the issues of attackers manipulating or exploiting the order in which transactions are scheduled in the blockchain. More concretely, we look into relative order fairness, i.e., ways we can assure that the relative order of transactions is fair. We show that one of the more intuitive definitions of fairness is impossible to achieve. We then present Wendy, a group of low overhead protocols that can implement different concepts of fairness. Wendy acts as an additional widget for an existing blockchain, and is largely agnostic to the underlying blockchain and its security assumptions. Furthermore, it is possible to apply a the protocol only for a subset of the transactions, and thus run several independent fair markets on the same chain.

Cryptography and Security

Hanwen Feng,Tiancheng Mai,Qiang Tang

DOI: https://doi.org/10.1145/3658644.3690253

2024-10-07

Abstract:The classical distributed key generation protocols (DKG) are resurging due to their widespread applications in blockchain. While efforts have been made to improve DKG communication, practical large-scale deployments are still yet to come due to various challenges, including the heavy computation and communication (particularly broadcast) overhead in their adversarial cases. In this paper, we propose a practical DKG for DLog-based cryptosystems, which achieves (quasi-)linear computation and communication per-node cost with the help of a common coin, even in the face of the maximal amount of Byzantine nodes. Moreover, our protocol is secure against adaptive adversaries, which can corrupt less than half of all nodes. The key to our improvements lies in delegating the most costly operations to an Any-Trust group together with a set of techniques for adaptive security. This group is randomly sampled and consists of a small number of individuals. The population only trusts that at least one member in the group is honest, without knowing which one. Moreover, we present a generic transformer that enables us to efficiently deploy a conventional distributed protocol like our DKG, even when the participants have different weights. Additionally, we introduce an extended broadcast channel based on a blockchain and data dispersal network (such as IPFS), enabling reliable broadcasting of arbitrary-size messages at the cost of constant-size blockchain storage.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Moritz Platt,Peter McBurney

DOI: https://doi.org/10.3390/a16010034

2023-01-07

Algorithms

Abstract:Consensus algorithms are applied in the context of distributed computer systems to improve their fault tolerance. The explosive development of distributed ledger technology following the proposal of "Bitcoin" led to a sharp increase in research activity in this area. Specifically, public and permissionless networks require robust leader selection strategies resistant to Sybil attacks in which malicious attackers present bogus identities to induce byzantine faults. Our goal is to analyse the entire breadth of works in this area systematically, thereby uncovering trends and research directions regarding Sybil attack resistance in today's blockchain systems to benefit the designs of the future. Through a systematic literature review, we condense an immense set of research records (N = 21,799) to a relevant subset (N = 483). We categorise these mechanisms by their Sybil attack resistance characteristics, leader selection methodology, and incentive scheme. Mechanisms with strong Sybil attack resistance commonly adopt the principles underlying "Proof-of-Work" or "Proof-of-Stake" while mechanisms with limited resistance often use reputation systems or physical world linking. We find that only a few fundamental paradigms exist that can resist Sybil attacks in a permissionless setting but discover numerous innovative mechanisms that can deliver weaker protection in system scenarios with smaller attack surfaces.

Aditya Asgaonkar,Bhaskar Krishnamachari

DOI: https://doi.org/10.48550/arXiv.1806.08379

2018-06-21

Cryptography and Security

Abstract:A fundamental problem for electronic commerce is the buying and selling of digital goods between individuals that may not know or trust each other. Traditionally, this problem has been addressed by the use of trusted third-parties such as credit-card companies, mediated escrows, legal adjudication, or reputation systems. Despite the rise of blockchain protocols as a way to send payments without trusted third parties, the important problem of exchanging a digital good for payment without trusted third parties has been paid much less attention. We refer to this problem as the Buyer and Seller's Dilemma and present for it a dual-deposit escrow trade protocol which uses double-sided payment deposits in conjunction with simple cryptographic primitives, and that can be implemented using a blockchain-based smart contract. We analyze our protocol as an extensive-form game and prove that the Sub-game Perfect Nash Equilibrium for this game is for both the buyer and seller to cooperate and behave honestly. We address this problem under the assumption that the digital good being traded is known and verifiable, with a fixed price known to both parties.