Abstract
Bitcoin and hundreds of other cryptocurrencies employ a consensus protocol called Nakamoto consensus which rewards miners for maintaining a public blockchain. In this paper, we study the security of this protocol with respect to rational miners and show how a minority of the computation power can incentivize the rest of the network to accept a blockchain of the minority’s choice. By deviating from the mining protocol, a mining pool which controls at least 38.2% of the network’s total computational power can, with modest financial capacity, gain mining advantage over honest mining. Such an attack creates a longer valid blockchain by forking the honest blockchain, and the attacker’s blockchain need not disrupt any “legitimate” non-mining transactions present on the honest blockchain. By subverting the consensus protocol, the attacking pool can double-spend money or simply create a blockchain that pays mining rewards to the attacker’s pool. We show that our attacks are easy to encode in any Nakamoto-consensus-based cryptocurrency which supports a scripting language that is sufficiently expressive to encode its own mining puzzles.
J. Teutsch and P. Saxena’s research is supported by Singapore Ministry of Education Grant No. R-252-000-560-112. S. Jain is supported in part by NUS grant Nos. R252-000-534-112, R146-000-181-112 and C252-000-087-001.
Notes
1. It further assumes a favorable broadcast network between miners.
2. Since the time required to solve these script puzzles is modest, Ethereum’s gaslimit function does not hinder their execution.
3. In the following discussions, we assume that the total number of processors on the network is fixed.
4. The puzzle M chooses may be identical to the nonce he needs to solve in order to extend his private blockchain, and this choice may help M to mine faster on his private chain. We do not attempt to quantify the advantage of implementing this strategy, however, as latency from network broadcasts and puzzle reward commitment schemes make the benefit difficult to estimate.
5. For simplicity of calculation, we assume that the puzzle that M posts in a given block is as hard as the mining problem in the current block.
6. For the purposes of our calculations, it is equivalent to assume that the miner devotes a fraction of his computational resources to puzzle solving and \(1-a\) fraction to mining.
7. A slightly weaker inequality holds here. At the end of Attack 1, the attacker’s private chain is a block longer than the public chain, and so the attacker’s expected net gain per block actually exceeds \((1-p) \cdot b\) by some positive quantity, namely \([(1-p)\epsilon / (p-\epsilon)] \cdot b\), which tends to zero as \(\epsilon \rightarrow 0\). In this argument we ultimately care only about what happens as \(\epsilon\) approaches 0, and so for now we ignore this quantity. We revisit the present calculation in more detail in Lemma 7.
8. Since many Bitcoin users do not consider a transaction confirmed until the transaction is at least 6 places deep in the blockchain, one might wish to wait until the private chain extension is at least 6 blocks long before revealing it. This can be done by choosing an \(\epsilon\) satisfying, in the notation of Lemma 5, \(t(p,\epsilon,1) \ge 6 \cdot (p-\epsilon)/p\), or equivalently \(\epsilon \le p/6\).
9. In the long run, the private blockchain becomes the main chain.
Acknowledgements
We thank Frank Stephan, Loi Luu, and Gregory J. Duck for useful discussions and helpful feedback.
© 2017 International Financial Cryptography Association
About this paper
Cite this paper
Teutsch, J., Jain, S., Saxena, P. (2017). When Cryptocurrencies Mine Their Own Business. In: Grossklags, J., Preneel, B. (eds) Financial Cryptography and Data Security. FC 2016. Lecture Notes in Computer Science, vol 9603. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-54970-4_29
DOI: https://doi.org/10.1007/978-3-662-54970-4_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-54969-8
Online ISBN: 978-3-662-54970-4
eBook Packages: Computer Science (R0)