Selfish Mining

The original white paper of Bitcoin [5] claimed that the security of transactions in the system can be guaranteed as long as more than 50% of the network miners are honest. The main intuition here is that, in case of a conflict or fork in the blockchain, honest peers will adopt the longest Bitcoin chain, which is backed by the majority of the computing power in the system. As long as honest peers control the majority of computing power in the system (i.e., they control more than 50% of the hash rate), they can sustain the prolongation of the longest chain and ensure that only valid transactions are confirmed in this chain.

On the other hand, an adversary that controls more than 50% of the computing power in the system can, in theory, double-spend transactions, prevent transactions from being confirmed, prevent honest miners from mining valid blocks, and so on. This clearly invalidates the entire security of Bitcoin.

Eyal and Sirer [6] have shown that this limit can be considerably reduced. Namely, the authors showed that selfish miners that command more than 33% of the total computing power of the network can acquire a considerable mining advantage in the network. In [7], Sapirshtein et al. extended these results and provided even lower bounds on the computational power an attacker needs in order to benefit from selfish mining. In the selfish mining strategy of [6], a selfish miner does not directly announce its newly mined blocks in the network and instead keeps them secret until the remaining network finds new blocks. This strategy aims at wasting the computing power invested by other honest miners in the system; these miners will be investing their computing power toward building a block that is unlikely to be part of the longest chain.

To deter this misbehavior, Eyal and Sirer propose the following countermeasure: when a miner is aware of two competing blocks, the miner should propagate both blocks and select a random block to mine on.
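The following added example (not code from the book or from [6]) models the withholding strategy and the tie-break countermeasure described above, so that the hash-rate share at which a pool stops being harmless can be computed and monitored. It assumes the parameter gamma from Eyal and Sirer's analysis, the fraction of honest hash power that mines on the pool's block during a tie, which this page does not name; random tie-breaking corresponds to gamma = 0.5, and all function names are illustrative.

```python
import random

def closed_form_share(alpha, gamma):
    """Pool's share of main-chain blocks (closed form from Eyal and Sirer's analysis)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    return num / (1 - alpha * (1 + (2 - alpha) * alpha))

def profit_threshold(gamma):
    """Smallest hash-rate share at which withholding beats honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)

def simulate_share(alpha, gamma, blocks=400_000, seed=1):
    """Monte Carlo run of the withholding state machine; returns the pool's share."""
    rng = random.Random(seed)
    pool = honest = 0   # main-chain blocks credited to each side
    lead = 0            # length of the pool's private lead
    tie = False         # two equal-length public branches are competing
    for _ in range(blocks):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:
                pool += 2                 # pool extends its own branch
            elif rng.random() < gamma:
                pool += 1                 # honest block lands on pool's branch
                honest += 1
            else:
                honest += 2               # honest branch wins outright
            tie = False
        elif pool_found:
            lead += 1                     # keep the new block private
        elif lead == 0:
            honest += 1
        elif lead == 1:
            lead, tie = 0, True           # pool publishes, race begins
        elif lead == 2:
            pool += 2                     # pool publishes both, orphaning the honest block
            lead = 0
        else:
            pool += 1                     # one private block released and later confirmed
            lead -= 1
    return pool / (pool + honest)

if __name__ == "__main__":
    for gamma in (0.0, 0.5):              # 0.5 models the random tie-break
        print(f"gamma={gamma}: threshold={profit_threshold(gamma):.3f}")
        for alpha in (0.20, 0.30, 0.40):  # constructed sample hash-rate shares
            print(alpha, round(closed_form_share(alpha, gamma), 4),
                  round(simulate_share(alpha, gamma), 4))
```

A share above alpha in the output means the pool earns more than its fair proportion; with gamma = 0 this starts at one third of the hash rate, matching the 33% figure quoted above.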

Recent analysis has shown that this countermeasure can be easily circumvented by the adversary. For instance, it was recently shown in [4,8] that a resource-constrained adversary can deny the delivery of blocks in the system for a considerable amount of time. Namely, by exploiting the object request management system of Bitcoin as described in Section 4.1.3, a resource-constrained adversary can prevent the delivery of blocks for at least 20 minutes (since the time-out of block reception in the request management system of Bitcoin is 20 minutes). By doing so, an adversary can subvert the aforementioned countermeasure indicated by Eyal and Sirer against selfish mining [4].

Several other recent works examined the game-theoretic consequences of attacks and cooperation between pools. For instance, Eyal [9] has shown that pools can gain additional advantage in the network by infiltrating other pools. Namely, by registering with the victim pool, the attacking pool will then receive tasks and transfer them to some of its own miners. Although the attacker's mining power is reduced, since some of its miners are used for block withholding, the attacker earns additional revenue by infiltrating the other pool, which might increase the revenue of the attacker (and decrease the mining difficulty in the Bitcoin protocol).

Even worse, recent results show that by combining the aforementioned mining attacks with network-level attacks, the adversary can considerably increase its advantage in the selfish mining game [4,10]. For instance, the findings of Gervais et al. [4] suggest that an adversary who performs selfish mining and denies block delivery from other miners can acquire considerable advantage in the network if he or she commands more than 26.5% of the computing power. Moreover, the authors showed that an adversary that commands less than 34% of the computing power can effectively sustain the longest blockchain and therefore control the entire network.
