Attacks on PoW systems, Yujin Kwon (KAIST): PowerPoint PPT Presentation



SLIDE 1

Attacks on PoW systems

Yujin Kwon, KAIST

SLIDE 2

Various Attacks

• Double Spending
  – Generate forks intentionally
• Selfish mining
  – Generate forks intentionally
    • “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014
• Block withholding (BWH) attack
  – Exploit the pools’ protocol
  – It is possible to launch the BWH attack against each other.
    • “The Miner’s Dilemma”, SP 2016
    • “On Power Splitting Games in Distributed Computation: The Case of Bitcoin Pooled Mining”, CSF 2016
• Fork after withholding (FAW) attack
  – Generate forks intentionally through pools


SLIDE 4

The Miner’s Dilemma

Ittay Eyal, Cornell University
2015 IEEE Symposium on Security and Privacy

SLIDE 5

Mining Pool

• Miners can organize pools and mine together to reduce the variance of reward.
• Currently, major players are pools.

[Figure: pie charts of pool shares for Bitcoin, Ethereum and Litecoin]
Bitcoin: AntPool 23%, F2Pool 11%, BitFury 11%, BTCC 11%, Slush 7%, BW.COM 7%, BTC.COM 7%, Others 23%
Ethereum: Ethpool 27%, F2Pool 23%, nano 11%, MPH 10%, Ethfans 8%, Others 21%
Litecoin: AntPool 30%, F2Pool 30%, LTC.top 10%, ViaBTC 10%, BW.COM 6%, Litecoi… 6%, Others 8%

SLIDE 6

Mining Pool

[Figure: workers and pool manager]
1. Give the problem.

H(contents | nonce) < target ?

SLIDE 7

Mining Pool

[Figure: workers and pool manager; example shares 463, 125, 352, 432, labelled as partial solutions and full solutions]
2. Submit shares.

SLIDE 8

Mining Pool

[Figure: workers and pool manager]
3. Pay the reward.

SLIDE 9

Block Withholding (BWH) Attack

[Figure: an attacker and the pool manager; example shares 463, 125, 352, 432]
• Submit only partial solutions.
• Withhold full solutions.
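
Added example (not part of the original slides): the pool manager's share check from steps 1 to 3, comparing H(contents | nonce) against a share target and the network target, plus the probability that an honest worker submits a given number of shares without a single full solution, which is the statistic a manager can hold against the withholding shown on slide 9. Double SHA-256, the 8-byte nonce encoding and the toy targets are assumptions.

```python
import hashlib

MAX_HASH = 1 << 256
# Constructed toy targets: 1 in 16 hashes is a share, 1 in 16 shares is a block.
SHARE_TARGET = MAX_HASH >> 4
NETWORK_TARGET = MAX_HASH >> 8
CONTENTS = b"constructed block template"

def pow_hash(contents, nonce):
    """H(contents | nonce) as an integer (double SHA-256 is an assumption)."""
    data = contents + nonce.to_bytes(8, "little")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")

def classify(contents, nonce, share_target, network_target):
    """Pool manager's check of one submitted share."""
    h = pow_hash(contents, nonce)
    if h < network_target:
        return "full"      # full solution: a valid block
    if h < share_target:
        return "partial"   # partial solution: proves work, is not a block
    return "invalid"

def mine_shares(contents, share_target, count):
    """Worker side: try nonces in order until `count` shares are found."""
    shares, nonce = [], 0
    while len(shares) < count:
        if pow_hash(contents, nonce) < share_target:
            shares.append(nonce)
        nonce += 1
    return shares

def prob_no_full(shares_submitted, share_target, network_target):
    """Chance that an honest worker has no full solution among its shares."""
    p_full = network_target / share_target  # each share is a block with this probability
    return (1 - p_full) ** shares_submitted

def demo():
    """Mine 64 shares, classify them, and report the honest no-block probability."""
    nonces = mine_shares(CONTENTS, SHARE_TARGET, 64)
    kinds = [classify(CONTENTS, n, SHARE_TARGET, NETWORK_TARGET) for n in nonces]
    return kinds.count("partial"), kinds.count("full"), prob_no_full(64, SHARE_TARGET, NETWORK_TARGET)

if __name__ == "__main__":
    print(demo())
```

With these targets an honest worker has about a 1.6% chance of producing 64 shares and no full solution, so a long run of partial-only submissions from one worker is the signal to investigate.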

SLIDE 10

History

• 2011: Analysis of Bitcoin Pooled Mining Reward Systems (by Meni Rosenfeld)
  – “This has no direct benefit for the attacker, only causing harm to the pool operator or participants.”
• 2014: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency
  – “They showed that an attacker can earn profit by this attack”
• 2015: The Miner’s Dilemma; On Power Splitting Games in Distributed Computation: The Case of Bitcoin Pooled Mining
  – “Attack strategy && game theory”

SLIDE 11

Block Withholding (BWH) Attack

• An attacker joins the victim pool.
• She should split her computational power into solo mining and malicious pool mining (BWH attack).
• She receives unearned wages while only pretending to contribute work to the pool.

[Figure: the attacker's power split between solo mining and the BWH attack on the pool]

SLIDE 12

Pool game

• Pools can launch the BWH attack against each other through infiltration.

[Figure: Pool 1 and Pool 2; infiltration from Pool 1 into Pool 2, infiltration from Pool 2 into Pool 1]

SLIDE 13

Classical BWH attack

SLIDE 14

BWH attack among pools

m1, m2

SLIDE 15

Analysis

SLIDE 16
SLIDE 17

Therefore, the case for no attack is not an equilibrium.

SLIDE 18

Two Pools

m1, m2

SLIDE 19

Analysis

SLIDE 20
SLIDE 21

The prisoner’s dilemma

• The prisoner's dilemma is a standard example of a game analyzed in game theory.
• Two prisoners are separated into individual rooms and cannot communicate with each other.

SLIDE 22

The Miners’ dilemma

The equilibrium reward of the pool is inferior compared to the no-attack scenario.

The fact that the BWH attack is not common may be explained.

From “The Miner’s Dilemma”

SLIDE 23

The FAW Attack

SLIDE 24

FAW Attack Against One Pool

[Figure: attacker, target pool, other pools, solo mining, others]

Submit an FPoW to the pool only if others generate another block. Otherwise, discard her FPoW.

SLIDE 25

FAW Attack Against One Pool

[Figure: attacker, target pool, other pools, solo mining, others]

• An attacker generates forks intentionally through a pool!

Submit an FPoW to the pool only if others generate another block. Otherwise, discard her FPoW.

SLIDE 26

FAW vs BWH

• When an attacker finds an FPoW through solo mining…

[Figure: blockchain with the (N-1)-th and N-th blocks and a new (N+1)-th block; participants: FAW/BWH attacker, victim, others]

SLIDE 27

FAW vs BWH

• When an attacker finds an FPoW through solo mining…

The attacker earns the block reward.

SLIDE 28

FAW vs BWH

• When an honest miner in the victim pool finds an FPoW…

[Figure: blockchain with the (N-1)-th and N-th blocks and a new (N+1)-th block; participants: FAW/BWH attacker, victim, others]

SLIDE 29

FAW vs BWH

• When an honest miner in the victim pool finds an FPoW…

The victim earns the block reward and shares the reward with the attacker.

SLIDE 30

FAW vs BWH

• When only others find an FPoW…

[Figure: blockchain with the (N-1)-th and N-th blocks and a new (N+1)-th block; participants: FAW/BWH attacker, victim, others]

SLIDE 31

FAW vs BWH

• When only others find an FPoW…

Others earn the block reward.

SLIDE 32

FAW vs BWH

• When the attacker finds an FPoW in the victim pool, and others also find another FPoW…

[Figure: blockchain with the (N-1)-th and N-th blocks and a new (N+1)-th block; participants: BWH attacker, victim, others]

SLIDE 33

FAW vs BWH

• When the attacker finds an FPoW in the victim pool, and others also find another FPoW…

BWH: Others earn the block reward.

SLIDE 34

FAW vs BWH

• When the attacker finds an FPoW in the victim pool, and others also find another FPoW…

[Figure: blockchain with the (N-1)-th and N-th blocks, then a fork at the (N+1)-th block between the attacker's new block and others' new block; participants: FAW attacker, victim, others]

SLIDE 35

FAW vs BWH

• When the attacker finds an FPoW in the victim pool, and others also find another FPoW…

FAW: If others’ block is selected as the main chain, others earn the block reward.

SLIDE 36

FAW vs BWH

• When the attacker finds an FPoW in the victim pool, and others also find another FPoW…

FAW: If the attacker’s block is selected as the main chain, the victim earns the block reward and shares the reward with the attacker.

SLIDE 37

FAW vs BWH

• When the attacker finds an FPoW in the victim pool, and others also find another FPoW…

FAW: The attacker can plant many Sybil nodes in the network to win with higher probability.

SLIDE 38

FAW Attack Against One Pool

• Notation
  – α: Computational power of the attacker
  – β: Total computational power of a victim pool
  – γ: The infiltration mining power divided by α
  – c: Attacker's network capability
  – R_a (R_p): An attacker’s (the victim's) reward

SLIDE 39

Analysis

SLIDE 40

FAW vs BWH

[Figure: attacker, victim and others under FAW and BWH]

SLIDE 41

Numerical Analysis

[Figure: plots against increasing attacker's power]

The case is equivalent to the case of the BWH attack.
We can see that the FAW attack is more profitable than the BWH attack numerically.

SLIDE 42

FAW Attack Game

• Pools can launch the FAW attack against each other through infiltration.

[Figure: Pool 1 and Pool 2; infiltration from Pool 1 to Pool 2, infiltration from Pool 2 to Pool 1]

SLIDE 43

Break Dilemma

Pool 1 can earn the extra reward in Nash equilibrium.
FAW attacks between two pools lead to a pool size game: the larger pool can always earn the extra reward.

SLIDE 44

Identification

• The FAW attack causes a high fork rate.
• The FAW attacker leaves a trace of only the victim pools’ identities but not the attacker’s identity.
• The manager can suspect a miner who submits FPoWs used for forks.
• The attacker may easily launch the FAW attack using many Sybil nodes in the victim pool.
• The attacker’s behavior makes the detection useless.

SLIDE 45

No Silver Bullet

• New reward system
  – High variance of rewards
• Change Bitcoin protocol
  – Two-phase proof-of-work
  – Not backward compatible
• There is no one silver bullet.

SLIDE 46

dbwls8724@kaist.ac.kr