Fig. 2: Pool revenue us-
ing the Selfish-Mine strat-
egy for different propaga-
tion factors γ, compared
to the honest Bitcoin min-
ing protocol. Simulation
matches the theoretical
analysis, and both show
that Selfish-Mine results
in higher revenues than
the honest protocol above
a threshold, which de-
pends on γ.
Fig. 3: For a given γ, the thresh-
old α shows the minimum power
selfish mining pool that will trump
the honest protocol. The current
Bitcoin protocol allows γ = 1,
where Selfish-Mine is always supe-
rior. Even under unrealistically fa-
vorable assumptions, the threshold
is never below 1/3.
We illustrate this in Figure
2
, where we see the pool’s revenue for different γ
values with pool size ranging from 0 (very small pool) to 0.5 (half of the miners).
Note that the pool is only at risk when it holds exactly one block secret, and
the honest miners might publish a block that would compete with it. For γ = 1,
the pool can quickly propagate its one-block branch if the others find their own
branch, so all honest miners would still mine on the pool’s block. In this case,
the pool takes no risk when following the Selfish-Mine strategy and its revenue
is always better than when following the honest algorithm. The threshold is
therefore zero, and a pool of any size can benefit by following Selfish-Mine. In
the other extreme, γ = 0, the honest miners always publish and propagate their
block first, and the threshold is at 1/3. With γ = 1/2 the threshold is at 1/4.
Figure
3
shows the threshold as a function of γ.
We also note that the slope of the pool revenue, R
pool
, as a function of
the pool size is larger than one above the threshold. This implies the following
observation:
Observation 2 For a pool running the Selfish-Mine strategy, the revenue of
each pool member increases with pool size for pools larger than the threshold.
5
Pool Formation
We have shown that once a selfish pool’s mining power exceeds the threshold,
it can increase its revenue by running Selfish-Mine (Theorem
1
). At this point,
rational miners will preferentially join the selfish pool to increase their revenues.
Moreover, the pool’s members will want to accept new members, as this would
increase their own revenue (Observation
2
). The selfish pool would therefore
increase in size, unopposed by any mechanism, towards a majority. Once a miner
pool, selfish or otherwise, reaches a majority, it controls the blockchain. The
Selfish-Mine strategy then becomes unnecessary, since the others are no longer
faster than the pool. Instead, a majority pool can collect all the system’s revenue
by switching to a modified Bitcoin protocol that ignores blocks generated outside
the pool; it also has no motivation to accept new members. At this point, the
currency is not a decentralized currency as originally envisioned.
6
Hardening the Bitcoin Protocol
Ideally, a robust currency system would be designed to resist attacks by groups of
colluding miners. Since selfish mining attacks yield positive outcomes for group
sizes above the threshold, the protocol should be amended to set the threshold
as high as possible. In this section, we argue that the current Bitcoin protocol
has no measures to guarantee a low γ. This implies that the threshold may
be as low as zero, and a pool of any size can benefit by running Selfish-Mine.
We suggest a simple change to the protocol that, if adopted by all non-selfish
miners, sets γ to 1/2, and therefore the threshold to 1/4. This change is backward
compatible; that is, any subset of the miners can adopt it without hindering the
protocol. Moreover, it is progressive; that is, any ratio of the miners that adopts
it decreases γ, and therefore increases the threshold.
6.1
Problem
The Bitcoin protocol prescribes that when a miner knows of multiple branches of
the same length, it mines and propagates only the first branch it received. Recall
that a pool that runs the Selfish-Mine strategy and has a lead of 1 publishes its
secret block P once it hears of a competing block X found by a non-pool block.
If block P reaches a non-pool miner before block X, that miner will mine on P .
Because selfish mining is reactive, and it springs into action only after the
honest nodes have discovered a block X, it may seem to be at a disadvantage.
But a savvy pool operator can perform a sybil attack on honest miners by adding
a significant number of zero-power miners to the Bitcoin miner network. These
virtual miners act as advance sensors by participating in data dissemination,
but do not mine new blocks. (Babaioff et al. also acknowledge the feasibility of
such a sybil attack [
4
]). The virtual miners are managed by the pool, and once
they hear of block X, they ignore it and start propagating block P . The random
peer-to-peer structure of the Bitcoin overlay network will eventually propagate
X to all miners, but the propagation of X under these conditions will be strictly
slower than that of block P . By adding enough virtual nodes, the pool operator
can thus increase γ. The result, as shown in Equation
9
, is a threshold close to
zero.
6.2
Solution
We propose a simple, backwards-compatible change to the Bitcoin protocol to
address this problem and raise the threshold. Specifically, when a miner learns
of competing branches of the same length, it should propagate all of them, and
choose which one to mine on uniformly at random. In the case of two branches
of length 1, as discussed in Section
4
, this would result in half the nodes (in
expectancy) mining on the pool’s branch and the other half mining on the other
branch. This yields γ = 1/2, which in turn yields a threshold of 1/4.
Each miner implementing our change decreases the selfish pool’s ability to
increase γ through control of data propagation. This improvement is independent
of the adoption of the change at other miners, therefore it does not require a
hard fork. This change to the protocol does not introduce new vulnerabilities to
the protocol: Currently, when there are two branches of equal length, the choice
of each miner is arbitrary, effectively determined by the network topology and
latency. Our change explicitly randomizes this arbitrary choice, and therefore
does not introduce new vulnerabilities.
7
Related Work
Decentralized digital currencies have been proposed before Bitcoin, starting
with [
11
] and followed by peer-to-peer currencies [
32
,
34
]; see [
22
,
5
] for short sur-
veys. None of these are centered around a global log; therefore, their techniques
and challenges are unrelated to this work.
Several dozen cryptocurrencies have followed Bitcoin’s success [
18
,
17
,
33
],
most prominently Litecoin [
21
]. These currencies are based on a global log, which
is extended by the users’ efforts. We conjecture that the essential technique of
withholding blocks for selfish mining can be directly applied to all such systems.
It was commonly believed that the Bitcoin system is sound as long as a ma-
jority of the participants honestly follow the protocol, and the “51% attack” was
the chief concern [
23
,
1
,
20
]. The notion of soundness for a nascent, distributed,
Internet-wide, decentralized system implies the presence of incentives for adop-
tion of the prescribed protocol, for such incentives ensure a robust system com-
prised of participants other than enthusiastic and altruistic early adopters. Fel-
ten [
15
] notes that “there was a folk theorem that the Bitcoin system was stable,
in the sense that if everyone acted according to their incentives, the inevitable re-
sult would be that everyone followed the rules of Bitcoin as written.” Others [
25
]
have claimed that “the well-known argument – never proven, but taken on intu-
itive faith – that a minority of miners can’t control the network is a special case of
a more general assumption: that a coalition of miners with X% of the network’s
hash power can make no more than X% of total mining revenues.” A survey [
5
]
on the technical features responsible for Bitcoin’s success notes that the Bitcoin
Dostları ilə paylaş: |