Bitcoin Mining is Vulnerable Ittay Eyal and Emin G un Sirer - - PowerPoint PPT Presentation

Majority is not Enough: Bitcoin Mining is Vulnerable

1

Ittay Eyal and Emin G¨un Sirer

2019.03.25

Ittay Eyal

2

Cryptocurrencies

Popular algorithm: PoW

4

Proof-of-Work Mining

 They use blockcha kchain to run without a trusted third party.  Miners generate blocks by spending their comp mputatio utationa nal power er.  If a miner generates a valid block, he earns re rewar ard d for t r the block.  This process is competi etiti tive ve.

12.5 5 BTC

Block

• ckch

chain ain New Block

• ck

(N (N-1) 1)-th th Block

N-th th Bloc

• ck

k

(N+1)-th th Block

Miner ner

Mining Difficulty

Ti Time Di Diffic iculty ulty

Inc ncrease! rease!

From “https://blockchain.info”

Can we earn the extra reward through fork?

 The change of mining difficulty  Validators consider the expected relative revenue per one round (10 mins) as their payoff.

7

Can we earn the extra reward through fork?

 The change of mining difficulty  Validators consider the expected relative revenue per one round (10 mins) as their payoff.

8

If a miner possesses 10% of the total computational power?

Can we earn the extra reward through fork?

 The change of mining difficulty  Validators consider the expected relative revenue per one round (10 mins) as their payoff.

9

If a miner possesses 10% of the total computational power? He earns ns 10% of

• f t

the tota tal l reward. ard.

Poisson distribution

 The Poisson distribution expresses the probability of a given number of events occurring in a fixed interval of time or space if these events occur with a known constant rate and indepen ependently dently of the time since the last event.

10

Pr[𝑙 events in one interval]=𝑓−𝜇 𝜇𝑙 𝑙!

Poisson distribution

 The Poisson distribution expresses the probability of a given number of events occurring in a fixed interval of time or space if these events occur with a known constant rate and indepen ependently dently of the time since the last event.

11

Pr[𝑙 events in one interval]=𝑓−𝜇 𝜇𝑙 𝑙!

In the he Bi Bitco coin in sy syst stem em, , one event nt means ns a ge generat ration ion of o

• ne block

ck.

The 51% Attack

12

51% Attack

 Majority of hashing power has voted for transactions on longest chain.

– It is costly to increase voting power – Players are not motivated to cheat

 If any party controls majority of hashing power, they can:

– Undo the past – Deny mining rewards – Undermine the currency

Goldfinger Attack

 In the James Bond movie….  The attacker’s goal is to destroy Bitcoin by executing the 51% attack.  Is a realistic attack?

Selfish Mining

15

Selfish Mining

Forks

– Due to the nonzero block propagation delay, nodes can have different views. – When a fork occurs, only one block becomes valid.

(N (N-1) 1)-th th Block (N+1)-th th Bl Block

N-th th Bloc

• ck

k

(N+1)-th th Block

Fork

Which of two blocks should I choose as a main chain?

Selfish Mining

 Generate intentional forks adaptively.

– An attacker finds a valid block and propagates the block when en anot

• ther

her bloc

• ck

k is found d by an honest est node.

Force the honest miners into wasting victims’ computations on the stale public branch.

Strategy

18

Strategy

19

Strategy

20

Strategy

21

Strategy

22

Analysis

 The states of the system represent the lead of the selfish pool; that is, the difference between the number of unpublished blocks in the pool’s private branch and the length of the public branch.

23

State Probabilities

24

Simulation

 𝛿: An attacker’s network capability  When an attacker possesses more than 33% computational power, the attacker can always earn extra rewards.

Observation

26

Observation

27

The e selfi lfish sh poo

• ol

l wou

• uld

ld there refor fore e increa rease se in size, e, unop

• pposed

posed by any y mechan chanism ism, , tow

• wards

ards a majo ajori rity ty.

Countermeasure

 When a miner learns of competing branches of the same length, it should propagate all of them, and choose which one to mine on unif iform

• rmly

ly at rand ndom.

28

𝛿=

1 2 , Threshold= 1 4

Selfish Mining

Selfish Mining

Im Impra practical! ctical!

Concurrent paper

 Theoretical Bitcoin Attacks with less than Half of the Computational Power

31

Impractical

 The value of γ cannot be 1 because when the intentional fork occurs, the honest miner who generated a block will select his block, not that of the selfish miner.  Honest miners can easily detect that their pool manager is a selfish mining attacker.

– If the manager does not propagate blocks immediately when honest miners generate blocks, the honest miners will know that their pool manager is an attacker. – The blockchain has an abnormal shape when a selfish miner exists.

Optimal selfish mining

 Optimal selfish mining strategies in bitcoin  Stubborn mining: Generalizing selfish mining and combining with an eclipse attack …..

33

Yu Yujin jin Kwon

• n

dbwls872 wls8724@kaist 4@kaist.ac .ac.kr .kr