- Incentive compatible: the incentives that motivate the actions of individual participants are consistent with following the rules established by the group. If a blockchain system is incentive compatible, the participants could not make profit by deviating from the protocol.
- Block race:
- Profit threshold: minimal 𝛼 for which employing dishonest mining strategies becomes profitable.
- Chain quality: High chain quality means malicious miners could not alter the public ledger.
- Block propagation:
- Block withholding:
- Consensus Block: The last block recognized by all miners.
Reference: Majority is not Enough link
In this paper, the authors came up with the "selfish mining" attack, which showed that the bitcoin system is not incentive compatible.
Comparing the result of simulation and theoritical result of simulation using
Simulation Result:
In this figure, the black line is the return if mining honestly, while the red line is an upper bound for selfish mining (see in 3.1). The blue and green line indicates the theoritical revenue of selfish mining model 1, with gamma = 0.2, 0.8. The dots show the simulated average revenue.
Reference: Optimal Selfish Mining Strategies in Bitcoin link
Consider an extreme case: If every block mined by the selfish miner could override one block of honest miner, the revenue of selfish miner would be:
- There is only one attacker in the network.
- Communication of newly generated blocks is much faster than block creation, so no blocks are generated while others are being transmitted.
- Blocks are created in the network according to a Poisson process.
- Mining power of attacker: 𝛼, fraction of the whole network Block race winning rate: 𝛾
- Which block to extend at any time t.
- Which block to release at any time t.
- Action space: {Adopt, Override, Match, Wait}
- State space: {a, h, fork}
- a: length of private chain
- h: length of public chain
- fork: {relevant, irrelevant, active}
- State of the form (a, h, relevant) means that the previous state was of the form (a, h − 1, ·); this implies that if a ≥ h, match is feasible.
- Conversely, (a, h, irrelevant) denotes the case where the previous state was (a − 1, h, ·), rendering match now ineffective, as all honest nodes received already the h’th block.
- The third label, active, represents the case where the honest network is already split, due to a previous match action; this information affects the transition to the next state, as described below. We will refer to states as (a, h) or (a, h,·), in contexts where the fork label plays no effective role.
- Transtion and reward:
- Maximize relative revenue: 𝑘(𝑥, 𝑦)=𝑥/(𝑥+𝑦)=1/(1+𝑦/𝑥). Note that the objective function is non-linear.
- To construct a linear function, we use the following function:
𝜔_𝜌 (𝑥, 𝑦)=(1−𝜌)∙𝑥− 𝜌∙𝑦
The objective function is constructed as:
Reference: Lay Down the Common Metrics: Evaluating Proof-of-Work Consensus Protocols’ Security link
- Bitcoin's Nakamoto Consensus (NC) Protocol fails to achieve perfect chain quality.
- Ethereum, Bitcoin-NG, DECOR+, Byzcoin and Publish or Perish, aim to solve the problem by raising the chain quality. (Better-chain-quality protocol)
- Other designs, represented by Fruitchains, DECOR+ and Subchains, claim to successfully defend against the attacks in the absence of perfect chain quality. (Attack-resistant protocol)
However, the effectiveness of these design remained self-claimed. So, it is necessary to introduce a multi-metric quantitative evaluation framework to evaluate the security of them.
Metic | Explanation |
---|---|
Chain Quality | This metric measures the difficulty to substitute the honest main chain blocks. |
Incentive compatibility | This metric measures a protocol’s selfish mining resistance. |
Subversion gain | This metric measures the profitability of double-spending attacks |
Censorship susceptibility | Maximum fraction of income loss the attacker incur on compliant miners in a censorship retaliation attack. |
Whenever it is infeasible to model the exact system, we choose to favor the compliant miners and limit the attacker’s ability, ensuring the attacker’s utility is achievable in reality to better demonstrate the protocols’ weaknesses.
Tie-breaking Methods | Modeling |
---|---|
Uniform Tie-Breaking | MDP, split the hash value space into a small number of regions to reduce number of states |
Smallest Hash Tie-breaking | MDP |
Unpredictable Derministic Tie-breaking | |
Publish or Perish |
We attribute NC’s poor chain quality to the protocol’s in- capability in distinguishing the honest chain from the attacker chain, due to information asymmetry. Unfortunately, we believe it is difficult to solve this infor- mation asymmetry within PoW protocols’ security assump- tions.
Protocol | Subversion Gain Analysis | Censorship Susceptibility Analysis |
---|---|---|
Fruitchains | ||
Reward-Splitting Protocol | ||
Subchains |
- Complexity is the enemy of security: As demonstrated by our results, despite the simplicity of NC, to date there is no protocol that surpasses NC in all our security metrics when the attacker has no network propagation advantage.
- Introducing and realizing practical assumptions to raise the chain quality: Such assumptions may include:
- Awareness of network conditions: identify block withholding behaviors with a higher level of confidence.
- A loosely synchronized clock: With a loosely synchronized clock, participants can use the gap between a block’s receiving time and its timestamp as an indicator of malicious behaviors.
- Responsible parties with large deposits or public real-world identities: demanding a large deposit before performing certain actions to increase the amount of penalty, or limiting these actions to parties with publicly verified real-world identities in order to put their reputation at stake.
- Outsourcing liability to raise attack resistance
- Introducing additional punishment rules.
- Relying on “layer 2” protocols to protect against specific attacks.
- Security vs. Performance
- “Rewarding the Bad” vs. “Punishing the Good”:
- Reward-all protocols improve censorship resistance by increasing the difficulty to invalidate other miners’ rewards, at the price of removing the risk to fork the blockchain, thus encouraging double-spending attacks.
- Punishment protocols improve selfish mining and double-spending resistance by discouraging malicious behaviors, at the price of lowering the attacker’s diffi- culty to damage the compliant miners’ income, thus facilitating censorship.
- Reward-lucky protocols, contrary to their design- ers’ intention, allow the attacker to invalidate the compliant miners’ “lucky” blocks with the attacker’s “unlucky” units in a risk-free manner, leaving them more vulnerable to all three attacks.
- We conclude that none of the three approaches can improve the security of PoW against three major attacks; they only offer different trade-offs in resistance.