Incentives for Harvesting Attack in Proof of Work Mining Pools

Abstract

PoW consensus largely depends on mining that mostly happens in the pools where Pay Per Share (PPS) and Pay Per Last N Shares (PPLNS) are the most common reward schemes that are offered to the affiliated miners by pool managers. In this paper, we demonstrate that in the system consisting of PPS and PPLNS pools, manager who governs the both pools may have incentive for a new type of “pool harvesting” attack that is harmful for honest miners. In order to profit from the attack on PPLNS pool manager declares that a non-existent miner A joins that pool. She then collects the portion of reward that corresponds to the mining power of the proclaimed miner A. We demonstrate that for the mining community, such unfavorable outcome is worsened by the manager incentives to misrepresent (or not report) the true power of PPS pools, which complicates unified estimation of the level of decentralization in blockchain.

Appendices

A Theorems

Theorem 1

Let \(M^*\) denote a malicious manager of PPS and PPLNS pools. If \(W_{M^*}(t_{\mathcal {T}})>W_{M}(t_{\mathcal {T}})\) then the manager is incentivized to perform a harvesting attack over her pools.

Proof

Because of the requirement \(U'\big (W\big )>0\) we state that under \(W_{M^*}(t_{\mathcal {T}})>W_M(t_{\mathcal {T}})\) we have \(U\big (W_{M^*}(t_{\mathcal {T}})\big )>U\big (W_M(t_{\mathcal {T}})\big )\). Finally, we state that

$$ E\bigg [U\Big ( W_{M^*}\big ( t\big )\Big )\bigg ] > E\bigg [U\Big ( W_{M}\big ( t\big )\Big )\bigg ]\, . $$

   \(\square \)

Theorem 2

At any continuous time \(t\le t_{\mathcal {T}}\) proposed method for attack guarantees validity of condition

$$ \sum \limits _{j\in \mathbb {M}^{t}}{R_{j}F_A\big (t_{j}\big )f\bigl (t - t_0\bigr )} > \sum \limits _{k\in \mathbb {A}^{t}}{R_{k}\Big ( 1- F_A\big (t\big )\Big )f\bigl (t - t_0\bigr )} $$

under exponential discounting function \(f\bigl (t - t_0\bigr )=e^{-k(t-t_0)}\).

Proof

The proposed method of attack always guarantees validity of (9). We perform the proof of this theorem using induction proof technique. Let us denote the last event that happened in \(\mathbb {A}\cup \mathbb {M}\) prior t as \(t_e\). We then express the questioned inequality as

$$\begin{aligned} \sum \limits _{j\in \mathbb {M}^{t}}{R_{j}F_A\big (t\big )f\bigl (t-t_e+t_e- t_0\bigr )} > \sum \limits _{k\in \mathbb {A}^{t}}{R_{k}\Big ( 1- F_A\big (t\big )\Big )f\bigl (t -t_e+t_e -t_0\bigr )}\, . \end{aligned}$$

(14)

Since \(F_A\big (t\big )\) is non-decreasing it is sufficient to demonstrate that

$$\begin{aligned} \sum \limits _{j\in \mathbb {M}^{t}}{R_{j}F_A\big (t_e\big )f\bigl (t-t_e+t_e- t_0\bigr )} > \sum \limits _{k\in \mathbb {A}^{t}}{R_{k}\Big ( 1- F_A\big (t_e\big )\Big )f\bigl (t -t_e+t_e -t_0\bigr )}\, . \end{aligned}$$

(15)

Claim: There exists a homomorphic function which satisfies the following relation:

$$ f(t-t_e+t_e-t_0)=f(t-t_e)\odot f(t_e-t_0), $$

where \(\odot \) denotes a homomorphic operation. This claim is true if we chose \(f(t-t_0)=e^{-k(t-t_0)}\) and \(\odot \) be a multiplicative operation. Then the condition in (16) is equivalent to

$$\begin{aligned} f(t_e-t_0)\odot \sum \limits _{j\in \mathbb {M}^{t}}{R_{j}F_A\big (t_e\big )f\bigl (t-t_e\bigr )} > f(t_e-t_0)\odot \sum \limits _{k\in \mathbb {A}^{t}}{R_{k}\Big ( 1- F_A\big (t_e\big )\Big )f\bigl (t -t_e\bigr )}\, . \end{aligned}$$

(16)

Canceling out \(f(t_e-t_0)\) yields \(\sum \limits _{j\in \mathbb {M}^{t}}{R_{j}F_A\big (t_e\big )f\bigl (t-t_e\bigr )} > \sum \limits _{k\in \mathbb {A}^{t}}{R_{k}\Big ( 1- F_A\big (t_e\big )\Big )}\)\({f\bigl (t -t_e\bigr )}\).    \(\square \)

B Lemma

Lemma 1

Under exponential discounting, manager reveals set \(\mathbb {L}\) only if condition

$$\begin{aligned} \Bigg (\frac{\mu _R}{\big ( 1-\phi _1\big ) \tilde{R}}-1\Bigg )\big | \mathbb {L}^{t_{\mathcal {T}}}\big |>\big | \mathbb {A}^{t_{\mathcal {T}}}\big | \end{aligned}$$

(13)

is satisfied.

Proof

In the system of PPS and PPLNS pools, manager makes a binary decision \(\mathcal {B}\in \{0,1\}\) that maximizes \(E\bigg [ U\Big ( \mathcal {B}\cdot W^1_M\big ( t_{\mathcal {T}}\big ) +W^2_M\big ( t_{\mathcal {T}}\big )\Big )\bigg ]\). First, \(\mathcal {B}=1\) only if \(E\Big [W^1_M\big ( t_{\mathcal {T}}\big )\Big ]>0\). In acc. to M-V analysis \(E\bigg [U\Big ( W^1_M\big ( t_{\mathcal {T}}\big ) +W^2_M\big ( t_{\mathcal {T}}\big )\Big )\bigg ] \ge E\Big [W^2_M\big ( t_{\mathcal {T}}\big )\Big ]\) requires that either :

$$\begin{aligned} E\Big [W^1_M\big ( t_{\mathcal {T}}\big ) +W^2_M\big ( t_{\mathcal {T}}\big )\Big ]\ge E\Big [W^2_M\big ( t_{\mathcal {T}}\big )\Big ] \; \mathrm {OR}\;var\Big ( W^1_M\big ( t_{\mathcal {T}}\big ) +W^2_M\big ( t_{\mathcal {T}}\big )\Big )\le var\Big ( W^2_M\big ( t_{\mathcal {T}}\big )\Big ). \end{aligned}$$

Further, we consider the first cond. since the second inequality is impossible to satisfy. Because \(W^1_M\big ( t_{\mathcal {T}}\big )\) and \(W^2_M\big ( t_{\mathcal {T}}\big )\) are independent, we demand \(E\Big [W^1_M\big ( t_{\mathcal {T}}\big )\Big ]>0\, .\) Let us substitute² expression for \(W^1_M\big ( t_{\mathcal {T}}\big )\) from Eq. (5):

$$\begin{aligned} \begin{aligned} E\Big [W_{M}^1(t_{\mathcal {T}})\Big ]=E\Bigg [\!\!\sum \limits _{i\in \mathbf {PPS}}\!\!\!{R_{i}f\bigl (t_{i} - t_0\bigr )}-\bigl ( 1-\phi _1\bigr )\frac{\tilde{R}P^*_1}{E_B}\int \limits _{t_0}^{t_{\mathcal {T}}}{f\bigl ( t-t_0\bigr )\mathrm {d}t}\Bigg ]>0\;\Rightarrow \\ \Rightarrow E\Bigg [\!\!\sum \limits _{i\in \mathbf {PPS}}\!\!\!{R_{i}f\bigl (t_{i} - t_0\bigr )}\Bigg ]>\bigl ( 1-\phi _1\bigr )\frac{\tilde{R}P^*_1}{E_B}\int \limits _{t_0}^{t_{\mathcal {T}}}{f\bigl ( t-t_0\bigr )\mathrm {d}t}\, . \end{aligned} \end{aligned}$$

(17)

with the right-hand side of this inequality being constant. In the left-hand side of (17) we observe that

$$\begin{aligned} E\Bigg [\!\sum \limits _{i\in \mathbf {PPS}}\!\!\!{R_{i}f\bigl (t_{i} - t_0\bigr )}\Bigg ]=\!\!\sum \limits _{i\in \mathbf {PPS}}\!\!\!{E\Big [ R_{i}f\bigl (t_{i} - t_0\bigr )\Big ]}=\!\mu _R\!\sum \limits _{i\in \mathbf {PPS}}\!{E\Big [e^{-k(t_{i} - t_0)}\Big ]} \end{aligned}$$

(18)

because variables \(R_i\) and \(t_i\), \(i\in \mathbf {PPS}\), are mutually independent and \(E[R_i]=\mu _R\). We introduce \(\big \{z_j\big \}:=\big \{ t_{i_j} - t_{i_j-1}\big \}\), \(2\le j\le n\). We further notice that

$$\begin{aligned} \!\!\sum \limits _{i\in \mathbf {PPS}}\!\!\!{E\Big [e^{-k(t_i - t_0)}\Big ]}=\!\!\sum \limits _{j=2}^{n}\!{E\Bigg [\prod \limits _{l=2}^{j} {e^{-kz_l}}\Bigg ]}. \end{aligned}$$

(19)

According to PoW mining principle, variable z is i.i.d and, hence, Eq. (19) yields

$$\begin{aligned} \sum \limits _{j=2}^{n}\!{E\Bigg [\prod \limits _{l=2}^{j} {e^{-kz_l}}\Bigg ]}=\sum \limits _{j=2}^{n}\!{\prod \limits _{l=2}^{j} {E\Big [e^{-kz(l-1)}\Big ]}}=\frac{1-\bigg (E\Big [e^{-kz}\Big ]\bigg )^{n}}{1-E\Big [e^{-kz}\Big ]}E\Big [e^{-kz}\Big ]\,, \end{aligned}$$

(20)

where the last equation on the right side of the Eq. (20) follows from geometric series (\(\sum _{i=1}^{n}q^i=\frac{1-q^{n}}{1-q}q\) if we set \(q=e^{-kz}<1\)). Random variable z can be described by it’s density function \(d(z)=\lambda _m e^{-\lambda _m z}\). Then

$$\begin{aligned} E\Big [e^{-kz}\Big ]=\int \limits _{0}^{\infty }f(z)d(z)\mathrm {d}(z)=\lambda _m\int \limits _{0}^{\infty }{e^{-z\big ( k+\lambda _m\big )}\mathrm {d}z}=\frac{\lambda _m}{k+\lambda _m}. \end{aligned}$$

(21)

Now, using result from (19)–(21), the last expression in Eq. (18) is:

$$\begin{aligned} \mu _R\!\sum \limits _{i\in \mathbf {PPS}}\!{E\Big [e^{-k(t_{i} - t_0)}\Big ]}=\mu _R\frac{1-\bigg (\frac{\lambda _m}{k+\lambda _m}\bigg )^{n}}{1-\frac{\lambda _m}{k+\lambda _m}}\frac{\lambda _m}{k+\lambda _m}=\mu _R\frac{\lambda _m}{k}\Bigg (1-\Bigg (\frac{\lambda _m}{k+\lambda _m}\Bigg )^{n}\Bigg )\,. \end{aligned}$$

(22)

For the right-hand side of (17) and the exponential time-discounting \(f(t-t_0)=e^{-k(t-t_0)}\) we have

$$\begin{aligned} \bigl ( 1-\phi _1\bigr )\frac{\tilde{R}P^*_1}{E_B}\int \limits _{t_0}^{t_{\mathcal {T}}}{f\bigl ( t-t_0\bigr )\mathrm {d}t}=\bigl ( 1-\phi _1\bigr )\frac{\tilde{R}P^*_1}{k E_B}\Bigg ( 1-e^{-k\big ( t_{\mathcal {T}}-t_0\big )}\Bigg ). \end{aligned}$$

(23)

Without loss of generality we note that \(\lambda _m=\frac{n}{t_{\mathcal {T}}-t_0}\). As a result, we rewrite Eq. (17) as

$$\begin{aligned} \mu _R\frac{\lambda _m}{k}\Bigg (1-\bigg (\frac{\lambda _m}{k+\lambda _m}\bigg )^{n}\Bigg )\overset{?}{>} (1-\phi _1)\frac{\tilde{R}P_1^*}{kE_B}\Bigg (1-e^{-k\frac{n}{\lambda _m}}\Bigg )\, . \end{aligned}$$

(24)

Let us compare components \(1-\bigg (\frac{\lambda _m}{k+\lambda _m}\bigg )^{n}\) and \(1-e^{-k\frac{n}{\lambda _m}}\) in the expressions for the left-and-right-hand sides of Eq. (24), respectively. We apply Taylor expansion to the function \(e^{k/\lambda _m}\) and derive that \(e^{\frac{k}{\lambda _m}}>1+\frac{k}{\lambda _m}\), meaning that

$$\begin{aligned} 1-\bigg (\frac{\lambda _m}{k+\lambda _m}\bigg )^{n}<1-e^{-k\frac{n}{\lambda _m}}\, , \end{aligned}$$

(25)

which dictates the following necessary condition:

$$\begin{aligned} \mu _R\frac{\lambda _m}{k}> (1-\phi _1)\frac{\tilde{R}P_1^*}{kE_B}\, . \end{aligned}$$

(26)

Alternatively, replacing \(\lambda _m=\frac{n}{t_{\mathcal {T}}-t_0}\) we obtain necessary condition for (17):

$$\begin{aligned} \frac{n E_B}{\big (t_{\mathcal {T}}-t_0\big ) P^*_1}>\bigl ( 1-\phi _1\bigr )\frac{\tilde{R}}{\mu _R}. \end{aligned}$$

(27)

In the left side of (27), numerator represents expected amount of energy that is required to produce set of events \(\mathbf {PPS}\). Denominator expresses the actual energy that is spent in PPS pool by its miners. An obvious observation from the right-hand side of (27) is that inequality can be easier satisfied for larger mining fee \(\phi _1\) and higher transaction fees (which define \(\mu _R\)) in BitCoin network.

In case of pool harvesting attack manager can only report \(\mathbf {PPS}=\mathbb {L}^{t_{\mathcal {T}}}\) events versus \(\mathbb {L}^{t_{\mathcal {T}}}\cup \mathbb {A}^{t_{\mathcal {T}}}\) that can be reported by honest manager. We assume that miners of PPS pool communicate with each other and collectively estimate the total power of PPS pool as \(P^*_1=E_B\frac{\big | \mathbb {L}^{t_{\mathcal {T}}}\big |+\big | \mathbb {A}^{t_{\mathcal {T}}}\big |}{t_{\mathcal {T}}-t_0}\). Substituting this into (27) produces

$$\begin{aligned} \Bigg (\frac{\mu _R}{\big ( 1-\phi _1\big ) \tilde{R}}-1\Bigg )\big | \mathbb {L}^{t_{\mathcal {T}}}\big |>\big | \mathbb {A}^{t_{\mathcal {T}}}\big |\,. \end{aligned}$$

   \(\square \)