
Revisiting FAW attack in an imperfect PoW blockchain system

Peer-to-Peer Networking and Applications

Abstract

Malicious miners in a Proof-of-Work (PoW) blockchain can apply less computing power to perform fork-after-withholding (FAW) attack than that to selfish mining and other withholding attacks. Quantitative study of FAW attack enables an in-depth understanding of the attack and then helps design countermeasures. The existing quantification studies of FAW attack only considered a perfect Bitcoin blockchain, where there is no block propagation delay. This paper aims to quantitatively investigate FAW attack in imperfect Bitcoin and Ethereum systems. We first establish an analytic model to capture the chain dynamics under FAW attack in a PoW system where the longest-chain protocol is used. Then the model is explored to derive closed-formed metric formulas for Bitcoin and Ethereum, respectively. These closed-formed formulas enable the evaluation of both the profitability of FAW adversaries and the impact of FAW attack on system throughput. Experimental results reveal that FAW adversaries can get more revenue in the network with propagation delay than without delay. FAW attack can reduce the blockchain throughput, especially in Bitcoin.



Acknowledgements

We would like to thank the editors and anonymous reviewers for their helpful comments. The work of H. Zhu, X. Chang and R. Yang was supported by Beijing Municipal Natural Science Foundation (No. M22037). The work of J. Mišić and V. B. Mišić was supported by Natural Science and Engineering Research Council (NSERC) of Canada through their respective Discovery Grants.

Author information

Corresponding author

Correspondence to Xiaolin Chang.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.


Appendices

Appendix A

In the main part, several propositions are proposed in Section III for computing the rewards of pools. In this appendix, we present the proofs of Lemma 1 and Proposition 1. Due to space limitations, we omit the proofs of Propositions 2 and 3, which are similar to that of Proposition 1. The notations used in this appendix are given in Table 1 of the main part.

Before describing the proof, we first define a “round” as an interval that starts with the creation of one or two blocks and during which no further block is created. The end of one round is the start of its subsequent round. It is illustrated in Fig. 16. In the rest of the appendix, four types of pools, MP, IM, VH, and OP, are considered. We use their initials to represent the pools that generate blocks. For example, MV indicates that both MP and VHs create blocks in the next round.

Fig. 16 Illustration of a round

Proof of Lemma 1

We first prove the formula for computing \(P_{B} \left( {M|MV} \right)\), which denotes the probability that MP’s block becomes a regular block when a fork occurs due to MP and VHs generating blocks. These two blocks (namely MP’s block and VHs’ block) are denoted by \(B_{M}\) and \(B_{V}\), respectively, and every pool can choose either of them to mine its new block on in the next round. As described in Section III.C, there are 11 types of block generation in total and they can be classified into two categories: generating one block and generating two blocks simultaneously. Since IMs behave maliciously, we consider them separately. Thus, we discuss these three cases in the following.

2.1 Generate one new block

In this case, MP, VHs, or OPs generate one new block in the next round. As all pools mine blocks honestly, MP mines on \(B_{M}\) and VHs mine on \(B_{V}\). OPs mine on \(B_{M}\) or \(B_{V}\) with a probability of 50% each. Thus, \(B_{M}\) can be a regular block with probability \(p_{M} + p_{O} /2\) when MP or OPs generate one block in the next round.

2.2 Generate two new blocks

In this case, any two types of pools can generate blocks simultaneously. In addition, OPs can create a fork. That is, a fork occurs because more than one block is generated by OPs. Thus, there are the following 7 subcases in this case.

  a) Blocks generated by MI. IMs submit their block only if OPs publish their blocks. Thus, only MP’s block is published in this case and this block is mined on \(B_{M}\).

  b) Blocks generated by MV. MP and VHs mine their new blocks on \(B_{M}\) and \(B_{V}\), respectively. The probability that \(B_{M}\) becomes a regular block is \(P_{B} \left( {M|MV} \right)\).

  c) Blocks generated by MO. MP’s new block is on \(B_{M}\) while OPs randomly choose one block from \(B_{M}\) and \(B_{V}\) (as shown in Fig. 17) to mine on. If an OP creates a block on \(B_{M}\) (Fig. 17a), \(B_{M}\) can be a regular block. However, if an OP creates a block on \(B_{V}\) (Fig. 17b), \(B_{M}\) can be a regular block with probability \(P_{B} \left( {M|MO} \right)\). Each of the two subcases occurs with a probability of 1/2.

  d) Blocks generated by IV. Similar to case 0, IMs withhold their block and VHs publish. Since VHs mine their block on \(B_{V}\), \(B_{M}\) cannot be a regular block in this case.

  e) Blocks generated by IO. OPs publish their block, so IMs choose to submit their block in this case. As mentioned before, OPs mine blocks on \(B_{M}\) with probability 1/2 while IMs mine on \(B_{V}\). Similar to Fig. 17, if an OP creates a block on \(B_{V}\), \(B_{M}\) cannot be a regular block. If an OP creates a block on \(B_{M}\), \(B_{M}\) can be a regular block with probability \(P_{B} \left( {O|VO} \right)\).

  f) Blocks generated by VO. This is basically the same as the previous case since VHs behave the same as IMs in Case 2.e.

  g) Blocks generated by OO. OPs generate a fork in this case. Each OP chooses blocks randomly, so the probability that both new blocks are on \(B_{M}\) is 1/4 and the probability that one of the new blocks is on \(B_{M}\) is 1/2. In the next round, all pools will choose blocks randomly since all blocks are created by OPs. Thus, when one of the new blocks is on \(B_{M}\), the probability of \(B_{M}\) becoming a regular block is 1/2.

Fig. 17 Two cases in which each of MP and OPs generates one block when the blockchain is in MV fork of Section 7.2.c

2.3 IMs generate one new block

IMs withhold their block in most cases. When OPs generate blocks in the next round, IMs submit their block. These blocks have the same block height. When the blockchain is in MV fork, IMs mine blocks on \(B_{V}\) to avoid detection. However, OPs choose blocks randomly and then there are the following two subcases.

  a) OPs generate one block in the next round. This subcase happens with probability \(p_{O}\). In the next round, the blockchain is in VO fork because the information of IMs’ block is the same as that of VHs’ block. Thus, this subcase can be considered as Case 2.e.

  b) OPs generate two blocks in the next round. This subcase happens with probability \(p_{OO}\). If both of the two blocks are on \(B_{M}\) (with probability 1/4), the probability of \(B_{M}\) being a regular block is \(P_{B} \left( {O|VOO} \right)\). If one of the blocks is on \(B_{M}\) (with probability 1/2), the probability of \(B_{M}\) being a regular block is \(P_{B} \left( {O|VOO} \right)/2\). If none of the blocks is on \(B_{M}\) (with probability 1/4), \(B_{M}\) cannot become a regular block.

We add the probabilities in all cases and get the formula of \(P_{B} \left( {M|MV} \right)\) given in Eq. (1) in the main part. Similarly, we can compute \(P_{B} \left( {M|MO} \right)\), \(P_{B} \left( {V|VO} \right)\) and \(P_{B} \left( {V|VOO} \right)\).
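
Added summary, not part of the original appendix and not the paper's Eq. (1): the probability that \(B_{M}\) becomes a regular block, conditioned on each block-generation type discussed above, with the random choices of OPs carried through. The value 1 used when an OP block lands on \(B_{M}\) in the MO subcase, and when both OP blocks land on \(B_{M}\) in the OO subcase, is read from the text's wording and is an assumption here.

\[
\begin{aligned}
\text{MI:}\quad & 1 \\
\text{MV:}\quad & P_{B} \left( {M|MV} \right) \\
\text{MO:}\quad & \tfrac{1}{2} \cdot 1 + \tfrac{1}{2} P_{B} \left( {M|MO} \right) \\
\text{IV:}\quad & 0 \\
\text{IO, VO:}\quad & \tfrac{1}{2} \cdot 0 + \tfrac{1}{2} P_{B} \left( {O|VO} \right) \\
\text{OO:}\quad & \tfrac{1}{4} \cdot 1 + \tfrac{1}{2} \cdot \tfrac{1}{2} + \tfrac{1}{4} \cdot 0 = \tfrac{1}{2} \\
\text{IMs, then one OP block:}\quad & \tfrac{1}{2} P_{B} \left( {O|VO} \right) \\
\text{IMs, then two OP blocks:}\quad & \tfrac{1}{4} P_{B} \left( {O|VOO} \right) + \tfrac{1}{2} \cdot \tfrac{P_{B} \left( {O|VOO} \right)}{2} + \tfrac{1}{4} \cdot 0 = \tfrac{1}{2} P_{B} \left( {O|VOO} \right)
\end{aligned}
\]

The OO value of 1/2 is the symmetric result one expects when every block in play comes from OPs, which choose between \(B_{M}\) and \(B_{V}\) at random. The MV line shows that \(P_{B} \left( {M|MV} \right)\) appears on both sides once the cases are added up.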

Proof of Proposition 1

We first consider the types of block generation that let pools get regular rewards with certain probabilities. We call these types the “reward types” of the pool and the corresponding probabilities the “reward probabilities” of the reward types. Then we calculate the reward probability of each reward type. We can get the regular reward of a pool by multiplying the block generation rate of each reward type by the corresponding regular reward probability and adding the products up.

For MP, it can get a regular reward when MP, MI, MV, and MO generate blocks. For both MP and MI, only MP publishes its new block and then all pools reach a consensus. Namely, MP can get a regular reward with probability 1 when MP or MI generates blocks. However, when MP generates a fork with VP or OPs, it cannot always get regular rewards. As proved in Lemma 1, \(P_{B} \left( {M|MV} \right)\) is the probability of MP’s block becoming a regular block when MV and MO generate blocks, respectively. Thus, the regular reward which MP can get is the sum of the above.

VP can get a regular reward when VHs, MV, IV, IO, VO, and IMs generate blocks. Among them, VHs and IV have the same probability that the block newly generated by VHs becomes a regular block. So do IO and VO. When only VHs publish one block in a round, all pools reach a consensus and VP gets the regular block reward. If VO generate blocks, VP can get a regular reward with probability \(P_{B} \left( {V|VO} \right)\). Similarly, if MV generate blocks, VP can get a regular reward with probability \(P_{B} \left( {V|MV} \right)\). When only IMs generate a block in a round, VP’s regular reward relies on the block generation in the next round. In particular, if OPs publish a block in the next round, VP can get regular rewards with probability \(P_{B} \left( {V|VO} \right)\). In addition, if OPs publish two blocks, VP can get regular rewards with probability \(P_{B} \left( {V|VOO} \right)\).

OPs can get regular rewards when OP, MO, IO, VO, and OO generate blocks. The probability for OPs getting regular rewards is \(P_{B} \left( {O|MO} \right)\) when MO generate blocks, and is \(P_{B} \left( {O|VO} \right)\) when IO or VO generate blocks. We now further discuss the situations of OP and OO. If IMs do not withhold blocks (in state (0,1,0), (0,2,0), (0,2,1), or (0,3,1)), OPs can get regular reward immediately. Namely, the probability of OPs getting regular block rewards when OP or OO generate blocks is 1 in this case. However, IMs submit blocks when OP or OO generate blocks if they have withheld blocks (in state (1,1,0), (1,2,0), (1,2,1), or (1,3,1)). In these two cases, OPs can get regular rewards with probability \(P_{B} \left( {O|VO} \right)\) and \(P_{B} \left( {O|VOO} \right)\) respectively.

Proposition 1 is proved by multiplying the block generating probability and the corresponding regular reward probability and adding them up. ■


Cite this article

Zhu, H., Chang, X., Mišić, J. et al. Revisiting FAW attack in an imperfect PoW blockchain system. Peer-to-Peer Netw. Appl. 15, 2430–2443 (2022). https://doi.org/10.1007/s12083-022-01360-1


  • DOI: https://doi.org/10.1007/s12083-022-01360-1
