Majority is not Enough: Bitcoin Mining is Vulnerable
Yüklə 0,67 Mb. Pdf görüntüsü
|
Fig. 2: Pool revenue us- ing the Selfish-Mine strat- egy for different propaga- tion factors γ, compared to the honest Bitcoin min- ing protocol. Simulation matches the theoretical analysis, and both show that Selfish-Mine results in higher revenues than the honest protocol above a threshold, which de- pends on γ. Fig. 3: For a given γ, the thresh- old α shows the minimum power selfish mining pool that will trump the honest protocol. The current Bitcoin protocol allows γ = 1, where Selfish-Mine is always supe- rior. Even under unrealistically fa- vorable assumptions, the threshold is never below 1/3. We illustrate this in Figure 2 , where we see the pool’s revenue for different γ values with pool size ranging from 0 (very small pool) to 0.5 (half of the miners). Note that the pool is only at risk when it holds exactly one block secret, and the honest miners might publish a block that would compete with it. For γ = 1, the pool can quickly propagate its one-block branch if the others find their own branch, so all honest miners would still mine on the pool’s block. In this case, the pool takes no risk when following the Selfish-Mine strategy and its revenue is always better than when following the honest algorithm. The threshold is therefore zero, and a pool of any size can benefit by following Selfish-Mine. In the other extreme, γ = 0, the honest miners always publish and propagate their block first, and the threshold is at 1/3. With γ = 1/2 the threshold is at 1/4. Figure 3
We also note that the slope of the pool revenue, R pool
, as a function of the pool size is larger than one above the threshold. This implies the following observation: Observation 2 For a pool running the Selfish-Mine strategy, the revenue of each pool member increases with pool size for pools larger than the threshold.
5 Pool Formation We have shown that once a selfish pool’s mining power exceeds the threshold, it can increase its revenue by running Selfish-Mine (Theorem 1 ). At this point, rational miners will preferentially join the selfish pool to increase their revenues. Moreover, the pool’s members will want to accept new members, as this would increase their own revenue (Observation 2 ). The selfish pool would therefore increase in size, unopposed by any mechanism, towards a majority. Once a miner pool, selfish or otherwise, reaches a majority, it controls the blockchain. The Selfish-Mine strategy then becomes unnecessary, since the others are no longer faster than the pool. Instead, a majority pool can collect all the system’s revenue by switching to a modified Bitcoin protocol that ignores blocks generated outside the pool; it also has no motivation to accept new members. At this point, the currency is not a decentralized currency as originally envisioned. 6 Hardening the Bitcoin Protocol Ideally, a robust currency system would be designed to resist attacks by groups of colluding miners. Since selfish mining attacks yield positive outcomes for group sizes above the threshold, the protocol should be amended to set the threshold as high as possible. In this section, we argue that the current Bitcoin protocol has no measures to guarantee a low γ. This implies that the threshold may be as low as zero, and a pool of any size can benefit by running Selfish-Mine. We suggest a simple change to the protocol that, if adopted by all non-selfish miners, sets γ to 1/2, and therefore the threshold to 1/4. This change is backward compatible; that is, any subset of the miners can adopt it without hindering the protocol. Moreover, it is progressive; that is, any ratio of the miners that adopts it decreases γ, and therefore increases the threshold. 6.1
Problem The Bitcoin protocol prescribes that when a miner knows of multiple branches of the same length, it mines and propagates only the first branch it received. Recall that a pool that runs the Selfish-Mine strategy and has a lead of 1 publishes its secret block P once it hears of a competing block X found by a non-pool block. If block P reaches a non-pool miner before block X, that miner will mine on P . Because selfish mining is reactive, and it springs into action only after the honest nodes have discovered a block X, it may seem to be at a disadvantage. But a savvy pool operator can perform a sybil attack on honest miners by adding a significant number of zero-power miners to the Bitcoin miner network. These virtual miners act as advance sensors by participating in data dissemination, but do not mine new blocks. (Babaioff et al. also acknowledge the feasibility of such a sybil attack [ 4 ]). The virtual miners are managed by the pool, and once they hear of block X, they ignore it and start propagating block P . The random peer-to-peer structure of the Bitcoin overlay network will eventually propagate X to all miners, but the propagation of X under these conditions will be strictly
slower than that of block P . By adding enough virtual nodes, the pool operator can thus increase γ. The result, as shown in Equation 9 , is a threshold close to zero. 6.2
Solution We propose a simple, backwards-compatible change to the Bitcoin protocol to address this problem and raise the threshold. Specifically, when a miner learns of competing branches of the same length, it should propagate all of them, and choose which one to mine on uniformly at random. In the case of two branches of length 1, as discussed in Section 4 , this would result in half the nodes (in expectancy) mining on the pool’s branch and the other half mining on the other branch. This yields γ = 1/2, which in turn yields a threshold of 1/4. Each miner implementing our change decreases the selfish pool’s ability to increase γ through control of data propagation. This improvement is independent of the adoption of the change at other miners, therefore it does not require a hard fork. This change to the protocol does not introduce new vulnerabilities to the protocol: Currently, when there are two branches of equal length, the choice of each miner is arbitrary, effectively determined by the network topology and latency. Our change explicitly randomizes this arbitrary choice, and therefore does not introduce new vulnerabilities. 7 Related Work Decentralized digital currencies have been proposed before Bitcoin, starting with [
11 ] and followed by peer-to-peer currencies [ 32 ,
]; see [ 22 , 5 ] for short sur- veys. None of these are centered around a global log; therefore, their techniques and challenges are unrelated to this work. Several dozen cryptocurrencies have followed Bitcoin’s success [ 18 , 17 , 33 ], most prominently Litecoin [ 21 ]. These currencies are based on a global log, which is extended by the users’ efforts. We conjecture that the essential technique of withholding blocks for selfish mining can be directly applied to all such systems. It was commonly believed that the Bitcoin system is sound as long as a ma- jority of the participants honestly follow the protocol, and the “51% attack” was the chief concern [ 23 , 1 , 20 ]. The notion of soundness for a nascent, distributed, Internet-wide, decentralized system implies the presence of incentives for adop- tion of the prescribed protocol, for such incentives ensure a robust system com- prised of participants other than enthusiastic and altruistic early adopters. Fel- ten [ 15
in the sense that if everyone acted according to their incentives, the inevitable re- sult would be that everyone followed the rules of Bitcoin as written.” Others [ 25 ]
itive faith – that a minority of miners can’t control the network is a special case of a more general assumption: that a coalition of miners with X% of the network’s hash power can make no more than X% of total mining revenues.” A survey [ 5 ] on the technical features responsible for Bitcoin’s success notes that the Bitcoin Yüklə 0,67 Mb. Dostları ilə paylaş:
|