Why the 25% Bitcoin Attack is not a Problem
Recently, there was a paper which outlined a vulnerability in the Bitcoin protocol. This paper claimed that with a share of the computing power of the network adding up to only 25%, "Selfish" Miners could take advantage of the rest of the network and take more bitcoins from the block reward than their fair share.
The paper is wrong. They fail to take into consideration the extra amount of time it takes to generate blocks.
Let's assume for a moment that a pool has 25% of the mining power. If this is true, then they expect to finish 25% of the blocks everyday, which yields an expected daily income of 900 BTC from block rewards. While it is true that more or fewer blocks can be finished in one day, the assumption of the 25% computing power share renders that irrelevant.
The paper states "We assume that miners are rational; that is, they try to maximize their revenue, and may deviate from the protocol to do so."
If this is true, then a strategy which yields an expected daily income of less than 900 BTC would not be followed by a rational miner, selfish or not.
This is a simplification of Selfish Mining. Circles are blocks and vertices are the periods of time between completed blocks. The paper assumes that each round takes 10 minutes. This is false. By this false assumption, the expected daily income of a Selfish Miner is 1,008 BTC, which we can see is bigger than 900 BTC.
As said before, the paper does not take into account the extra time for blocks to finish if you're not following the protocol in this manner.
Here's what the strategy actually yields:
The 3 minutes and 20 seconds extra on the 4th block is when the 25% selfish pool is waiting for the rest of the network to catch up in order to cause a fork event. The 6 extra minutes on the 5th block is because on average, they will force half of the network to work on their "false" fork.
While they expect to receive 25 BTC on the 4th block, they can only expect to receive 40% of the revenue from the 5th block. Not only this, but 37.5% of the time they won't get anything because the public block finished first, causing everyone to continue to work on it.
As a result, their expected earnings per event are 21.875 BTC, and due to the extra time, we can expect ~24.27 of these events to occur per day, which leaves an expected daily income of ~530.90 BTC, which is ~369.10 BTC less than if they were honest.
Conclusion: Miners can be expected to not follow this strategy since it yields less income.
Comment? Concerns? Leave a comment below.
tl;dr Miners lose by following the "Selfish Mining" technique by about a 41% decrease in expected income if they control 25% of the network.
After 2 weeks the difficulty will adjust and blocks will be found every 10 minutes on average.
ReplyDeleteThis does not change the fact that the attacking pool's expected income is larger for an honest strategy than for their proposed "Selfish Mining" strategy. The difficulty changing simply does not matter for this contention.
DeleteI've also investigated this angle, and may publish something soon.
DeleteYou're absolutely right that the selfish-mining-paper authors (hereafter "ES") haven't accounted for this slowdown in revenue. And, since miners are paying their expenses (power/rent and depreciating hardware) by calendar-period, it is their net profit per period, not their raw percentage-of-all-revenue, that matters for their strategy decisions.
But Bugefun is also correct, in that the difficulty adjustment eventually shifts things to the attacker's favor. In the long run, the self-adjusting nature of the mining competition means that the rate of blocks will increase to the target rate, so the raw percentage the miners have won matters, *after* the startup costs during the initial period.
A spreadsheet I made with the ES formulas, but adjusting for the block slowdown, suggests that during the initial period (before difficulty adjustment), the revenue hit shifts the thresholds for instant profitability out. For the case of gamma=1 (attacker wins all ties), ES-mining is still profitable at any size. For gamma=1/2, alpha (attacker hashpower percentage) must be around 35% (instead of the paper's 25%) for immediate profitability. For gamma=0, alpha muse be around 39% (instead of the paper's 33%) for immediate profitability.
Thus there's an initial loss-making period, in those ranges between the ES-reported thresholds and these slowdown-adjusted thresholds, before the strategy shifts into profitability. In the ES toy model, that won't matter: that loss can be amortized against the future profits which never end.
In the real network, that could be fatal. It means there are 2+ weeks where the strategy's activity is evident (by the big jump in the rate of orphaned blocks), while the net profits are negative (no inducement can be offered to recruit more hashpower, without additional attacker investment). If other pools adopt effective countermeasures in that time, there may be no profits, ever. Also, if at any point the attacker *stops* selfish-mining, the resulting accelerated block rate (for the whole network) can mean they'd make more, per calendar/energy-billing period and until the next difficulty adjustment, even with a smaller portion of the pie.
This means there's an extra barrier to turning the strategy on, and an extra inducement to turn it off, over any short-term (~2 week) horizon. And, Bitcoin value volatility and the inrushing of hashpower may imply a very high 'discount rate' for miners (strongly preferring BTC now over BTC weeks or months from now).
So there's a real effect here, but it's very dependent on timeframes and dynamic subtleties of the real network.
Even though I am still trying to grasp it all, thanks for the explanation! I was hoping to find a response to that paper :)
ReplyDelete"While they expect to receive 25 BTC on the 4th block, they can only expect to receive 40% of the revenue from the 5th block"
ReplyDeleteDon't get that part. Why is it so? Also, at what point (how many blocks into your private chain) do you decide to make it publish to earn the revenue? If your chain is larger, you get all the 25 BTC for each block.Why 40%?
In this example, I'm assuming a 1-block bifurcation. on the 5th block, their expected income is 40% of that block because they're competing with some of the honest nodes.
Delete> If your chain is larger, you get all the 25 BTC for each block.Why 40%?
It's true that if you wait two blocks, you'll get the full 25 for each private block, but after you publish, your goal is to fork the blockchain and hope that the network splits its efforts. My example here did not cover the strategy of waiting more than one block, and I'd be happy to do the math, but I'd wager that the expected income is even worse, since the likelihood of finishing two blocks before everyone else is that much lower than finishing one before them, so the payouts are not only negligible, but worse since you're adding even MORE time to total mining output (fewer total blocks per day means less bitcoin to go around).
Thanks, but sorry I still don't get the 40% part. If the pool you're part of finds a block, it gets 100% of the reward, even though it's competing with the other pools.
DeleteAh, okay, yes, well by block 5 in my diagram there are two possibilities. Either the public branch finishes block 5 first or the private branch does. Let's spell out three groups. Group A is the selfish pool (25%), group B is the half of the honest miners that are on the private branch (37.5%), and group C will be the rest of the network that's on the honest branch (37.5%). If block 5 completes on the private branch, then it will be due to groups A and B working on it. Well, on average group A will finish that 5th block 40% of the time, since they represent 40% of the computing power on the 5th block on the private branch, and group B will finish it 60% of the time. So if you take all the times the 5th block is finished on the private branch, and you put them into a bag, 40% of those blocks will have been finished by group A, and 60% of that bag by group B.
Delete> If the pool you're part of finds a block, it gets 100% of the reward
Yes, but if your pool finds 4 in 10 blocks, then on average you'll get 40% of the reward of all the blocks over time.
Interesting ok. But are you counting the fact that all of those 25% of selfish miners will be making sure their block is the one being broadcasted (ignoring all the others from the honest pools). Whilst normal/honest miners will accept and broadcast any valid block? I think this is the assumption in the paper that kind of makes the math go slightly in favor of selfish pools. Let me know!
DeleteNonsense. The attacker continues to work on solving the next block while hiding it, and continues working on blocks that others solve. Your post could only be mathematically true if the attacker stopped working on a solution for any period of time.
ReplyDeleteI'm one of the two co-authors on the original paper. This analysis is incorrect -- it makes the incorrect assumption that the selfish mining attacker stops mining and waits for the honest pool to catch up with its block. Instead, a selfish miner continues to mine on his private fork.
ReplyDeleteThe attacker's rate of block generation will be no different than what it would have been had he been mining honestly. This makes sense, because he will be using the same hardware and will be keeping it just as busy as with the honest strategy.
The attacker's returns will be higher, as explained in the analysis section of the paper.
The probability calculation in this blog post was opaque to me (you can see that I'm being polite here), but the premise and analysis in this blog post are incorrect. Those of you wishing to play with empirical simulator of selfish mining should check out this simulator, written by a community member: http://ebfull.github.io Set it to a threshold, like 40%, click on "faster" and check the total revenue on the right side. It'll climb over 40%, into 60% territory.
Selfish mining can be counterintuitive. Hope this is useful.