Majority is not Enough: Bitcoin Mining is Vulnerable
Yüklə 0,67 Mb. Pdf görüntüsü
|
threshold (due to the addition of malicious actors aimed at undermining the system, rational actors wishing to usurp the currency, perhaps covertly, or due to momentum in pool popularity), it can switch to a modified protocol that ignores blocks generated outside the pool, to become the only creator of blocks and reap all the mining revenue. A majority pool wishing to remain covert may remain a benign monopolist, accepting blocks from third-parties on occasion to provide the illusion of decentralization, while retaining the ability to reap full revenue when needed, as well as the ability to launch double-expenditure attacks against merchants. Either way, the decentralized nature of the currency will have collapsed, and a single entity, the selfish pool manager, will control the system. Since a selfish mining pool that exceeds threshold size poses a threat to the Bitcoin system, we characterize how the threshold varies as a function of message propagation speed in the network. We show that, for a mining pool with high connectivity and good control on information flow, the threshold is close to zero. This implies that, if less than 100% of the miners are honest, the system may not be incentive compatible: The first selfish miner will earn proportionally higher revenues than its honest counterparts, and the revenue of the selfish mining pool will increase superlinearly with pool size. We further show that the Bitcoin mining protocol will never be safe against attacks by a selfish mining pool that commands more than 1/3 of the total mining power of the network. Such a pool will always be able to collect mining rewards that exceed its proportion of mining power, even if it loses every single block race in the network. The resulting bound of 2/3 for the fraction of Bitcoin mining power that needs to follow the honest protocol to ensure that the protocol remains resistant to being gamed is substantially lower than the 50% figure currently assumed, and difficult to achieve in practice. Finally, we suggest a simple modification to the Bitcoin protocol that achieves a threshold of 1/4. This change is backwards-compatible and progressive; that is, it can be adopted by current clients with modest changes, does not require full adoption to provide a benefit, and partial adoption will proportionally increase the threshold. In summary, the contributions of this work are: 1. Introduction of the Selfish-Mine strategy, which demonstrates that Bitcoin mining is not incentive compatible (Section 3 ). 2. Analysis of Selfish-Mine, and when it can benefit a pool (Section 4 ). 3. Analysis of majority-pool formation in face of selfish mining (Section 5 ). 4. A simple backward-compatible progressive modification to the Bitcoin pro- tocol that would raise the threshold from zero to 1/4 (Section 6 ).
blockchain. We provide an overview of related work in Section 7 , and discuss the implications of our results in Section 8 . 2 Preliminaries Bitcoin is a distributed, decentralized crypto-currency [ 8 , 7 , 23 , 6 ]. The users of Bitcoin are called clients, each of whom can command accounts, known as ad- dresses. A client can send Bitcoins to another client by forming a transaction and committing it into a global append-only log called the blockchain. The blockchain is maintained by a network of miners, which are compensated for their effort in Bitcoins. Bitcoin transactions are protected with cryptographic techniques that ensure only the rightful owner of a Bitcoin address can transfer funds from it. The miners are in charge of recording the transactions in the blockchain, which determines the ownership of Bitcoins. A client owns x Bitcoins at time t if, in the prefix of the blockchain up to time t, the aggregate of transactions involving that client’s address amounts to x. Miners only accept transactions if their inputs are unspent. 2.1
Blockchain and Mining The blockchain records the transactions in units of blocks. Each block includes a unique ID, and the ID of the preceding block. The first block, dubbed the genesis block, is defined as part of the protocol. A valid block contains a solution to a cryptopuzzle involving the hash of the previous block, the hash of the transactions in the current block, and a Bitcoin address which is to be credited with a reward for solving the cryptopuzzle. This process is called Bitcoin mining, and, by slight abuse of terminology, we refer to the creation of blocks as block mining. The specific cryptopuzzle is a double-hash whose result has to be smaller than a set value. The problem difficulty, set by this value, is dynamically adjusted such that blocks are generated at an average rate of one every ten minutes. Any miner may add a valid block to the chain by simply publishing it over an overlay network to all other miners. If two miners create two blocks with the same preceding block, the chain is forked into two branches, forming a tree. Other miners may subsequently add new valid blocks to either branch. When a miner tries to add a new block after an existing block, we say it mines on the existing block. This existing block may be the head of a branch, in which case we say the miner mines on the head of the branch, or simply on the branch. The formation of branches is undesirable since the miners have to maintain a globally-agreed totally ordered set of transactions. To resolve forks, the protocol prescribes miners to adopt and mine on the longest chain. 1 All miners add blocks to the longest chain they know of, or the first one they heard of if there are branches of equal length. This causes forked branches to be pruned; transactions in pruned blocks are ignored, and may be resubmitted by clients. We note that block dissemination over the overlay network takes seconds, whereas the average mining interval is 10 minutes. Accidental bifurcation is therefore rare, and occurs on average once about every 60 blocks [ 12 ].
This compensation includes a per-transaction fee paid by the users whose trans- 1 The criterion is actually the most difficult chain in the block tree, i.e., the one that required (in expectancy) the most mining power to create. To simplify presentation, and because it is usually the case, we assume the set difficulty at the different branches is the same, and so the longest chain is also the most difficult one.
Yüklə 0,67 Mb. Dostları ilə paylaş:
|