Abstract
PoW consensus largely depends on mining that mostly happens in the pools where Pay Per Share (PPS) and Pay Per Last N Shares (PPLNS) are the most common reward schemes that are offered to the affiliated miners by pool managers. In this paper, we demonstrate that in the system consisting of PPS and PPLNS pools, manager who governs the both pools may have incentive for a new type of “pool harvesting” attack that is harmful for honest miners. In order to profit from the attack on PPLNS pool manager declares that a non-existent miner A joins that pool. She then collects the portion of reward that corresponds to the mining power of the proclaimed miner A. We demonstrate that for the mining community, such unfavorable outcome is worsened by the manager incentives to misrepresent (or not report) the true power of PPS pools, which complicates unified estimation of the level of decentralization in blockchain.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Moment \(t_-\) is defined as \(t_- = \lim \limits _{\Updelta t\rightarrow 0}{( t-\Updelta t)}\).
- 2.
We use notations \(P^*_1\) and \(\mathbf {PPS}, \;|\mathbf {PPS}|=n\) to designate the power and the set of events in PPS pool that are declared by the manager.
References
Angner, E.: A Course in Behavioral Economics. Palgrave Macmillan, New York (2012)
Antpool: Statistics (2019). https://www.antpool.com/poolStats.htm
Arnold, F., Hermanns, H., Pulungan, R., Stoelinga, M.: Time-dependent analysis of attacks. In: Abadi, M., Kremer, S. (eds.) POST 2014. LNCS, vol. 8414, pp. 285–305. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54792-8_16
Bag, S., Ruj, S., Sakurai, K.: Bitcoin block withholding attack: analysis and mitigation. IEEE Trans. Inf. Forensics Secur. 12(8), 1967–1978 (2017)
BITMEX: Trading on BitMEX (2019). https://www.bitmex.com/app/tradingOverview
BlockFi: Earn a 6.2% Annual Yield on Your Crypto (2019). https://blockfi.com/crypto-interestaccount/
Chatterjee, K., Goharshady, A.K., Ibsen-Jensen, R., Velner, Y.: Ergodic mean-payoff games for the analysis of attacks in crypto-currencies. In: 29th International Conference on Concurrency Theory (CONCUR 2018), pp. 11:1–11:17. Schloss Dagstuhl. Leibniz-Zentrum fuer Informatik (2018)
Chávez, J.J.G., Silva Rodrigues, C.K. da: Automatic hopping among pools and distributed applications in the Bitcoin network. In: 2016 XXI Symposium on Signal Processing, Images and Artificial Vision (STSIVA), pp. 1–7 (2016)
Coinlend: Automated Margin Lending: A Possibility for Passive Income with Cryptocurrencies. Press Release (2018)
Courtois, N.T., Emirdag, P., and Wang, Z.: On detection of Bitcoin mining redirection attacks. In: ICISSP 2015 - Proceedings, pp. 98–105. SciTePress (2015)
Explorer, B.: Block Explorer (2019). https://www.blockchain.com/explorer
Eyal, I.: The miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, pp. 89–103 (2015)
Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. Commun. ACM 61(7), 95–102 (2018)
Fisch, B., Pass, R., Shelat, A.: Socially optimal mining pools. In: Devanur, N.R., Lu, P. (eds.) WINE 2017. LNCS, vol. 10660, pp. 205–218. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-71924-5_15
Garay, J., Kiayias, A., Leonardos, N.: The Bitcoin backbone protocol with chains of variable difficulty. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 291–323. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_10
Gervais, A., Karame, G.O., WüNust, K., Glykantzis, V., Ritzdorf, H., Capkun, S.: On the security and performance of proof of work blockchains. In: Proceedings of the 2016 ACM SIGSAC Conference, CCS ’16, pp. 3–16. ACM (2016)
Karame, G.O., Androulaki, E., Capkun, S.: Double-spending fast payments in Bitcoin. In: ACM CCS 2012 - Proceedings, pp. 906–917. ACM (2012)
Karame, G.O., Androulaki, E., Roeschlin, M., Gervais, A., Čapkun, S.: Misbehavior in Bitcoin: a study of double-spending and accountability. ACM Trans. Inf. Syst. Secur. 18(1), 2:1–2:32 (2015)
Kroll, J.A., Davey, I.C., Felten, E.W.: The economics of Bitcoin mining, or Bitcoin in the presence of adversaries. In: Proceedings of WEIS, p. 11 (2013)
Kuchta, V., Zolotavkin, Y.: Detection constraint for Harvesting Attack in Proof of Work mining pools (2019). https://doi.org/10.26180/5d2464e40a00d
Liu, H., Ruan, N., Du, R., Jia, W.: On the strategy and behavior of Bitcoin mining with N-attackers. In: ASIACCS 2018, Proceedings, pp. 357–368. ACM (2018)
Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)
Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: 2016 IEEE European Symposium on Security and Privacy (EuroS P), pp. 305–320 (2016)
von Neumann, J., Morgenstern, O., Kuhn, H., Rubinstein, A.: Theory of Games and Economic Behavior: 60th Anniversary, Commemorative edn. Princeton University Press (2007)
P2Pool: P2Pool Bitcoin Mining Pool Global Statistics (2018). http://p2pool.org/stats/index.php. Accessed 19 March 2018
Qin, R., Yuan, Y., Wang, S., Wang, F.: Economic issues in Bitcoin mining and blockchain research. In: 2018 IEEE Intelligent Vehicles Symposium (IV), pp. 268–273 (2018)
Rosenfeld, M.: Analysis of Bitcoin Pooled Mining Reward Systems. arXiv preprint arXiv:1112.4980 (2011)
Smith, A.: An Inquiry Into the Nature and Causes of the Wealth of Nations. Simon & Brown, New York (2011)
Smith, D.: Reliability, Maintainability and Risk: Practical Methods for Engineers including Reliability Centred Maintenance and Safety-Related Systems. Elsevier Science, New York (2011)
Weerahandi, S.: Exact Statistical Methods for Data Analysis. Springer, New York (2003)
Zolotavkin, Y., García, J., Rudolph, C.: Incentive compatibility of pay per last n shares in Bitcoin mining pools. In: Rass, S., An, B., Kiekintveld, C., Fang, F., Schauer, S. (eds.) Decision and Game Theory for Security, vol. 10575, pp. 21–39. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68711-7_2
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Theorems
Theorem 1
Let \(M^*\) denote a malicious manager of PPS and PPLNS pools. If \(W_{M^*}(t_{\mathcal {T}})>W_{M}(t_{\mathcal {T}})\) then the manager is incentivized to perform a harvesting attack over her pools.
Proof
Because of the requirement \(U'\big (W\big )>0\) we state that under \(W_{M^*}(t_{\mathcal {T}})>W_M(t_{\mathcal {T}})\) we have \(U\big (W_{M^*}(t_{\mathcal {T}})\big )>U\big (W_M(t_{\mathcal {T}})\big )\). Finally, we state that
\(\square \)
Theorem 2
At any continuous time \(t\le t_{\mathcal {T}}\) proposed method for attack guarantees validity of condition
under exponential discounting function \(f\bigl (t - t_0\bigr )=e^{-k(t-t_0)}\).
Proof
The proposed method of attack always guarantees validity of (9). We perform the proof of this theorem using induction proof technique. Let us denote the last event that happened in \(\mathbb {A}\cup \mathbb {M}\) prior t as \(t_e\). We then express the questioned inequality as
Since \(F_A\big (t\big )\) is non-decreasing it is sufficient to demonstrate that
Claim: There exists a homomorphic function which satisfies the following relation:
where \(\odot \) denotes a homomorphic operation. This claim is true if we chose \(f(t-t_0)=e^{-k(t-t_0)}\) and \(\odot \) be a multiplicative operation. Then the condition in (16) is equivalent to
Canceling out \(f(t_e-t_0)\) yields \(\sum \limits _{j\in \mathbb {M}^{t}}{R_{j}F_A\big (t_e\big )f\bigl (t-t_e\bigr )} > \sum \limits _{k\in \mathbb {A}^{t}}{R_{k}\Big ( 1- F_A\big (t_e\big )\Big )}\)\({f\bigl (t -t_e\bigr )}\). \(\square \)
B Lemma
Lemma 1
Under exponential discounting, manager reveals set \(\mathbb {L}\) only if condition
is satisfied.
Proof
In the system of PPS and PPLNS pools, manager makes a binary decision \(\mathcal {B}\in \{0,1\}\) that maximizes \(E\bigg [ U\Big ( \mathcal {B}\cdot W^1_M\big ( t_{\mathcal {T}}\big ) +W^2_M\big ( t_{\mathcal {T}}\big )\Big )\bigg ]\). First, \(\mathcal {B}=1\) only if \(E\Big [W^1_M\big ( t_{\mathcal {T}}\big )\Big ]>0\). In acc. to M-V analysis \(E\bigg [U\Big ( W^1_M\big ( t_{\mathcal {T}}\big ) +W^2_M\big ( t_{\mathcal {T}}\big )\Big )\bigg ] \ge E\Big [W^2_M\big ( t_{\mathcal {T}}\big )\Big ]\) requires that either :
Further, we consider the first cond. since the second inequality is impossible to satisfy. Because \(W^1_M\big ( t_{\mathcal {T}}\big )\) and \(W^2_M\big ( t_{\mathcal {T}}\big )\) are independent, we demand \(E\Big [W^1_M\big ( t_{\mathcal {T}}\big )\Big ]>0\, .\) Let us substituteFootnote 2 expression for \(W^1_M\big ( t_{\mathcal {T}}\big )\) from Eq. (5):
with the right-hand side of this inequality being constant. In the left-hand side of (17) we observe that
because variables \(R_i\) and \(t_i\), \(i\in \mathbf {PPS}\), are mutually independent and \(E[R_i]=\mu _R\). We introduce \(\big \{z_j\big \}:=\big \{ t_{i_j} - t_{i_j-1}\big \}\), \(2\le j\le n\). We further notice that
According to PoW mining principle, variable z is i.i.d and, hence, Eq. (19) yields
where the last equation on the right side of the Eq. (20) follows from geometric series (\(\sum _{i=1}^{n}q^i=\frac{1-q^{n}}{1-q}q\) if we set \(q=e^{-kz}<1\)). Random variable z can be described by it’s density function \(d(z)=\lambda _m e^{-\lambda _m z}\). Then
Now, using result from (19)–(21), the last expression in Eq. (18) is:
For the right-hand side of (17) and the exponential time-discounting \(f(t-t_0)=e^{-k(t-t_0)}\) we have
Without loss of generality we note that \(\lambda _m=\frac{n}{t_{\mathcal {T}}-t_0}\). As a result, we rewrite Eq. (17) as
Let us compare components \(1-\bigg (\frac{\lambda _m}{k+\lambda _m}\bigg )^{n}\) and \(1-e^{-k\frac{n}{\lambda _m}}\) in the expressions for the left-and-right-hand sides of Eq. (24), respectively. We apply Taylor expansion to the function \(e^{k/\lambda _m}\) and derive that \(e^{\frac{k}{\lambda _m}}>1+\frac{k}{\lambda _m}\), meaning that
which dictates the following necessary condition:
Alternatively, replacing \(\lambda _m=\frac{n}{t_{\mathcal {T}}-t_0}\) we obtain necessary condition for (17):
In the left side of (27), numerator represents expected amount of energy that is required to produce set of events \(\mathbf {PPS}\). Denominator expresses the actual energy that is spent in PPS pool by its miners. An obvious observation from the right-hand side of (27) is that inequality can be easier satisfied for larger mining fee \(\phi _1\) and higher transaction fees (which define \(\mu _R\)) in BitCoin network.
In case of pool harvesting attack manager can only report \(\mathbf {PPS}=\mathbb {L}^{t_{\mathcal {T}}}\) events versus \(\mathbb {L}^{t_{\mathcal {T}}}\cup \mathbb {A}^{t_{\mathcal {T}}}\) that can be reported by honest manager. We assume that miners of PPS pool communicate with each other and collectively estimate the total power of PPS pool as \(P^*_1=E_B\frac{\big | \mathbb {L}^{t_{\mathcal {T}}}\big |+\big | \mathbb {A}^{t_{\mathcal {T}}}\big |}{t_{\mathcal {T}}-t_0}\). Substituting this into (27) produces
\(\square \)
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Zolotavkin, Y., Kuchta, V. (2019). Incentives for Harvesting Attack in Proof of Work Mining Pools. In: Sako, K., Schneider, S., Ryan, P. (eds) Computer Security – ESORICS 2019. ESORICS 2019. Lecture Notes in Computer Science(), vol 11735. Springer, Cham. https://doi.org/10.1007/978-3-030-29959-0_34
Download citation
DOI: https://doi.org/10.1007/978-3-030-29959-0_34
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29958-3
Online ISBN: 978-3-030-29959-0
eBook Packages: Computer ScienceComputer Science (R0)