Bitcoin is the predominant cryptocurrency today. Nevertheless, our understanding of Bitcoin’s correctness is limited. Only relatively recently have there been attempts to formally capture Bitcoin’s security properties. In a seminal work, Garay et al. proposed a formal framework (the “backbone protocol”) to describe the Bitcoin system. They defined security properties for the backbone protocol and proved these both in the synchronous and bounded-delay model.
Our work extends the work of Garay et al. in several dimensions. First, in contrast to our model, Garay et al. assumed a constant honest majority of the participants. However, the Bitcoin protocol has been proven to be more fault-tolerant and able to allow for a majority of dishonest players, as long as this dishonest majority is only temporary. Specifically, in 2014 there was a majority takeover (approximately 54% of the network) by the mining pool GHash.io. The cost to perform such attacks has been studied in  and https://www.crypto51.app/. In this work, we extend the original work of Garay et al. to capture these attacks, by allowing a temporary dishonest majority. We provide a formal analysis and investigate under which circumstances Bitcoin is secure when the honest majority holds only on expectation.
Second, motivated by a model of Pass and Shi , we not only have honest (“alert”) or dishonest (“corrupted”) nodes. Instead, there is a third group of nodes that are currently not able to follow the protocol. We call them “sleepy”, which really is a euphemism for nodes that are basically offline, eclipsed from the action, for instance by a denial of service attack. Understanding this trade-off between corrupted and sleepy nodes gives us a hint whether a dishonest attacker should rather invest in more mining power (to get more corrupted players) or in a distributed denial of service architecture (to get more sleepy players).
Third, we introduce a parameter that upper bounds the mining power of the adversary over the mining power of “alert” nodes. This is not necessary for the security analysis. However, as shown in , if the adversary follows a selfish mining strategy, he can gain a higher fraction of blocks (rewards) compared to his fraction of the mining power. Hence, parameter allows us to clearly capture the correlation between this parameter and the advantage of the adversary when he deviates from the honest protocol execution. Fourth, we study network delays since they significantly affect the performance and security. By extending our synchronous model to a semi-synchronous model, we show that the upper bound on sleepy parties heavily depends on the maximum allowed message delay. Finally, we extend our analysis to a synchronous model, where we allow message losses. This is inspired by an idea described in , where the adversary may perform an eclipse attack [14, 15] on some victims which enables the adversary to control their view of the blockchain. We show security under the assumption that the adversary can eclipse a certain number of players, depending on the number of corrupted players. The omitted theorems, lemmas and proofs can be found in the full version of the paper .
2 The Model
We adapt the model originally introduced by Garay et al.  to prove the security of the Backbone protocol. We initially present all the components of a general model and then parametrize the model to capture the three different models under which we later prove that the backbone protocol is secure.
2.1 The Execution
We assume a fixed set of parties, executing the Bitcoin backbone protocol. Each party can either be corrupted, sleepy or alert; sleepy is an offline honest node and alert an honest node that is actively participating in the protocol.
2.1.1 Involved programs.
All programs are modeled as polynomially-bounded interactive Turing machines (ITM) that have communication, input and output tapes. An ITM instance (ITI) is an instance of an ITM running a certain program or protocol. Let the ITM denote the environment program that leads the execution of the Backbone protocol. Therefore can spawn multiple ITI’s running the protocol. These instances are a fixed set of parties, denoted by . The control program , which is also an ITM, controls the spawning of these new ITI’s and the communication between them. Further, forces the environment to initially spawn an adversary . The environment will then activate each party in a round-robin way, starting with . This is done by writing to their input tape. Each time a corrupted party gets activated, is activated instead. The adversary may then send messages to the control program and will register the party as corrupted, as long as there are fewer than parties corrupted. Further, the adversary can set each party asleep by sending a message to the control program. The control program will set the party asleep for the next round with probability , without informing if the instruction was successful or not. Each party has access to two ideal functionalities, the “random oracle” and the “diffusion channel”, which are also modelled as ITM’s. These functionalities, defined below, are used as subroutines in the Backbone protocol.
A round of the protocol execution is a sequence of actions, performed by the different ITI’s. In our setting, a round starts with the activation of the party , which then performs the protocol-specific steps. By calling the below defined diffuse functionality, has finished its actions for the current round and will activate . If the party is corrupted, will be activated and if is asleep, gets activated instead. The round ends after has finished. Rounds are ordered and therefore enumerated, starting from .
Let us formally define the view of a party . The only “external” input to the protocol is the security parameter . Therefore, we can consider to be constant over all rounds of the execution and we can exclude it from the random variable describing the view of a party. We denote by the random variable the view of a party after the execution of the Bitcoin backbone protocol in an environment and with adversary . The complete view over all parties is the concatenation of their views, denoted by the random variable .
2.1.4 Communication and “hashing power”.
The two ideal functionalities, which are accessible by the parties, model the communication between them and the way of calculating values of a hash function concurrently.
2.1.5 The random oracle functionality.
The random oracle (RO) provides two functions, a calculation and a verification function. Each party is given a number of calculation queries and unlimited verification queries per round. Thus, an adversary with corrupted parties may query the random oracle for calculation queries per round. Upon receiving a calculation query with some value by a party , the random oracle checks whether was already queried before. If not, the RO selects randomly and returns it. Further, the RO maintains a table and adds the pair into this table. If was already queried before, the RO searches in the table for the corresponding pair and returns the value from it. It’s easy to see that a verification query returns true/valid only if such a pair exists in the table of the RO. Note that the RO can maintain tables for different hash functions and can be used for all hash functions we need.
2.1.6 The diffuse functionality.
The diffuse functionality models the communication between the parties and thus maintains a string for each party . Note that this is not the same as the previously mentioned input tape. Each party can read the content of its string at any time. The message delay is denoted by , where corresponds to a synchronous setting. The diffuse functionality has a variable, which is initially set to 1. Each party can send a message , possibly empty, to the functionality, which then marks as complete for the current round. We allow to read all the messages that are sent by some , without modifying, dropping or delaying it. When all parties and the adversary are marked as complete, the functionality writes all messages that are rounds old to the strings of either only the alert or all parties. We denote by a Boolean function that indicates exactly that; if the diffuse functionality writes all messages to the strings of the alert parties, while if the diffuse functionality writes all messages to the strings of all parties. Each party can read the received messages in the next round being alert. At the end, is incremented. Note that in the case where , if a party is asleep at a round, it automatically gets marked as complete for this round. Further, upon waking up, it can read all the messages that were written to its string while it was asleep.
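The two delivery modes of the diffuse functionality, as an added Python sketch (not code from the paper). The names `delta` and `alert_only` are assumed stand-ins for the delay and the Boolean switch; the adversary's read access is left out, and sleepy parties are marked complete in both modes for simplicity.

```python
from collections import defaultdict


class Diffuse:
    """Toy diffuse functionality: one string (here a list) per party, a round
    counter starting at 1, and a fixed message delay (0 = synchronous)."""

    def __init__(self, parties, delta=0, alert_only=False):
        self.parties = list(parties)
        self.delta = delta              # assumed name for the message delay
        self.alert_only = alert_only    # assumed name for the Boolean switch
        self.round = 1
        self.strings = {p: [] for p in self.parties}
        self.pending = defaultdict(list)    # round sent -> [(sender, message)]
        self.complete = set()

    def send(self, party, message=None):
        """A party hands in its (possibly empty) message and is marked complete."""
        if message is not None:
            self.pending[self.round].append((party, message))
        self.complete.add(party)

    def end_round(self, asleep=()):
        """Close the round: deliver messages that are `delta` rounds old."""
        asleep = set(asleep)
        self.complete |= asleep         # sleepy parties count as complete
        if self.complete != set(self.parties):
            raise RuntimeError("not every party has finished the round")
        due = self.pending.pop(self.round - self.delta, [])
        for p in self.parties:
            if self.alert_only and p in asleep:
                continue                # message loss: nothing is written
            self.strings[p].extend(due)
        self.complete.clear()
        self.round += 1

    def read(self, party):
        """A party reads (and empties) its string."""
        msgs, self.strings[party] = self.strings[party], []
        return msgs


def wake_up_view(alert_only, delta=0):
    """Constructed scenario: P3 sleeps in rounds 1 and 2 while P1 and P2
    diffuse one block each, then wakes up in round 3 and reads its string."""
    d = Diffuse(["P1", "P2", "P3"], delta=delta, alert_only=alert_only)
    d.send("P1", "block-a")
    d.send("P2")
    d.end_round(asleep={"P3"})
    d.send("P1")
    d.send("P2", "block-b")
    d.end_round(asleep={"P3"})
    for p in d.parties:
        d.send(p)
    d.end_round()
    return [m for _, m in d.read("P3")]


if __name__ == "__main__":
    print("written to all parties:  ", wake_up_view(alert_only=False))
    print("written to alert parties:", wake_up_view(alert_only=True))
```

With delivery to all parties the woken party catches up on both blocks; with delivery to alert parties only, it wakes up with an empty string, which is the situation the message-loss model analyzes.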
2.1.7 Successful queries.
A query to the RO oracle is successful, if the returned value , where is the difficulty parameter for the PoW function. The party that issued the query will then create a new valid block and may distribute it by the diffuse functionality. We denote the success probability of a single query by . Note that in Bitcoin, the difficulty parameter is adjusted such that the block generation time is approximately ten minutes.
2.2 Sleepy, Alert and Corrupted
For each round , we have at most corrupted and honest parties. Furthermore, the honest parties are divided into alert and sleepy parties, . We assume without loss of generality that no corrupted party is asleep, since we only upper-bound the power of the adversary. Since and are random variables, we can also use their expected value. The expected value is constant over different rounds, thus we will refer to them as and . Each honest party is independently set to sleep with probability , and thus the random variable is binomially distributed with parameters and . Accordingly, is also binomially distributed with parameters and . Hence, and .
2.3 Parametrized Model
Let be the model, defined in this section. In the following sections, we will look at three instantiations of this model. First of all, we are going to analyze the model , which corresponds to a synchronous setting, in which each party has the ability to make queries to the random oracle and receives every message, even if the party is asleep. Then, we extend these results to the bounded delay model, which corresponds to . As before, every party will always receive messages, but we restrict to be . In the last section, we analyze the model , which corresponds to the synchronous model, but we do not allow the diffuse functionality to write messages on the tapes of sleepy parties.
In order to prove the security of the Bitcoin backbone protocol, we are going to analyze three different properties, following the analysis of . These properties are defined as predicates over , which will hold for all polynomially bounded environments and adversaries with high probability.
Given a predicate and a bound with , we say that the Bitcoin backbone protocol satisfies the property in the model for parties, assuming the number of corruptions is bounded by , provided that for all polynomial-time , the probability that is false is negligible in .
The following two definitions concern the liveness and eventual consistency properties of the Backbone protocol. We are using the notation of : We denote a chain , where the last blocks are removed, by . Further, denotes that is a prefix of .
The chain growth property with parameters and states that for any honest party with chain in , it holds that for any rounds, there are at least blocks added to the chain of .
Footnote 1: The chain growth property in  is defined slightly differently: “…it holds that for any rounds, there are at least blocks added to the chain of .” Considering the proof for Theorem 1 (of ), one can see why we use instead of . It follows from the fact that the sum in Lemma 13 (of ) only goes from to and not to .
The common-prefix property with parameter states that for any pair of honest players adopting the chains at rounds in respectively, it holds that .
In order to argue about the number of adversarial blocks in a chain, we will use the chain quality property, as defined below:
The chain quality property with parameters and states that for any honest party with chain in , it holds that for any consecutive blocks of the ratio of adversarial blocks is at most .
The following two definitions formalize typical executions of the Backbone protocol. Both of them are related to the hash functions, used for implementing the Backbone Protocol. Further, the parameters and are introduced. Throughout the paper, refers to the quality of concentration of random variables in typical executions and corresponds to the parameter, determining block to round translation.
Definition 5 (, Definition 8)
An insertion occurs when, given a chain with two consecutive blocks and , a block is such that form three consecutive blocks of a valid chain. A copy occurs if the same block exists in two different positions. A prediction occurs when a block extends one which was computed at a later round.
Definition 6 (, Definition 9)
(Typical execution). An execution is if, for any set of consecutive rounds with and any random variable , the following holds:
No insertions, no copies and no predictions occurred.
An execution is typical with probability .
To prove a), we can simply use a Chernoff bound by arguing that is in . The proof for b) is equivalent to , by reducing these events to a collision in one of the hash functions of the Bitcoin backbone protocol. Such collisions only happen with probability .∎
3 The -bounded Synchronous Model without Message Loss
In this section, we analyze the Bitcoin backbone protocol in the previously defined model, instantiated as . This corresponds to the -bounded synchronous setting in . First, we define the success probabilities for the alert and corrupted parties, which are used to prove the relations between them. At the end, we use these results to show the properties of chain growth, common prefix and chain quality. Following the definition in , let a successful round be a round in which at least one honest party solves a PoW. The random variable indicates successful rounds by setting and otherwise. Further, we denote for a set of rounds : . We note that if no party is asleep, we have .
Lemma 2 ()
It holds that .
By the definition of , we know that . Thus, the second inequality can easily be derived using Bernoulli. And for the first inequality holds:
We also adapt the notation of a unique successful round from . A round is called a unique successful round, if exactly one honest party obtains a PoW. Analogously to the successful rounds, let the random variable indicate a unique successful round with and otherwise. And for a set of rounds , let .
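An added Python sketch (not from the paper) of the random oracle of Section 2.1.5 combined with the successful and unique successful rounds defined above, with honest parties put to sleep independently as in Section 2.2. The names `kappa`, `q`, `s`, `D` and the success test `y < D` are assumptions standing in for the paper's symbols; `expected` is the exact probability for this toy setup, not the bound of Lemma 2 or Lemma 3.

```python
import random


class RandomOracle:
    """Lazily sampled random oracle: q calculation queries per party and
    round, unlimited verification queries, one table of (x, y) pairs."""

    def __init__(self, kappa, q, rng=None):
        self.kappa, self.q = kappa, q
        self.rng = rng or random.Random(0)
        self.table = {}     # x -> y, filled on first calculation query
        self.used = {}      # party -> calculation queries used this round

    def new_round(self):
        self.used.clear()

    def calc(self, party, x):
        if self.used.get(party, 0) >= self.q:
            raise RuntimeError("calculation budget exhausted for this round")
        self.used[party] = self.used.get(party, 0) + 1
        if x not in self.table:                 # fresh x: sample y uniformly
            self.table[x] = self.rng.getrandbits(self.kappa)
        return self.table[x]

    def verify(self, x, y):
        # Valid only if the pair (x, y) is already in the table.
        return self.table.get(x) == y


def simulate(n_honest, s, q, kappa, D, rounds, seed=0):
    """Fraction of successful and of unique successful rounds when every
    honest party is asleep in a round independently with probability s."""
    rng = random.Random(seed)
    ro = RandomOracle(kappa, q, rng)
    successful = unique = 0
    for r in range(rounds):
        ro.new_round()
        winners = 0
        for party in range(n_honest):
            if rng.random() < s:
                continue                        # sleepy: no queries this round
            # (r, party, ctr) is a constructed stand-in for block contents.
            if any(ro.calc(party, (r, party, ctr)) < D for ctr in range(q)):
                winners += 1
        successful += winners >= 1
        unique += winners == 1
    return successful / rounds, unique / rounds


def expected(n_honest, s, q, kappa, D):
    """Exact per-round probabilities for the same toy setup."""
    p = D / 2 ** kappa                          # success chance of one query
    w = (1 - s) * (1 - (1 - p) ** q)            # party is alert and solves a PoW
    p_successful = 1 - (1 - w) ** n_honest
    p_unique = n_honest * w * (1 - w) ** (n_honest - 1)
    return p_successful, p_unique


if __name__ == "__main__":
    args = (20, 0.3, 4, 32, 2 ** 32 // 200)     # constructed parameters
    print("simulated:", simulate(*args, rounds=4000, seed=1))
    print("expected: ", expected(*args))
```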
Lemma 3 ()
It holds .
To prove the required bounds, we need a few intermediary steps. Using Bernoulli, we can derive the following:
Then, we have to prove that . From the upper bound on , we can derive , for . Therefore:
In order to prove the required bound, it must hold that , which is equivalent to and holds by the fact that . This is also required by the proof in , but not stated explicitly. Since in Bitcoin, is between , the inequality can be justified. To conclude the proof, we just have to prove the following:
Which is equivalent to and holds for the binomial distribution. ∎
Let the random variable if the adversary obtains a PoW at round by the query of the corrupted party. Otherwise, we set . Summing up, gives us and . Then, the expected number of blocks that the adversary can mine in one round is:
3.1 Temporary Dishonest Majority Assumption
We assume the honest majority assumption holds on expectation. In particular, for each round the following holds: , where and is a constant. As in , refers to the advantage of the honest parties and is defined in Definition 6. From the expected honest majority assumption, we can derive a possible upper bound for , depending on and . Formally,
3.2 Security Analysis
First of all, by Definition 6 the properties of the typical execution hold for the random variables , assuming . The following lemma shows the relations between the different expected values. The bounds are required in all proofs of the three properties and therefore essential.
Footnote 2: The statement d) uses different factors as . The problem is that it is not even possible to prove the bounds from  with their theorems, lemmas and assumptions.
Lemma 4 ()
The following hold for any set S of at least consecutive rounds in a typical execution.
Next, we prove Bitcoin is secure under temporary dishonest majority in the -bounded synchronous setting by proving the three properties defined in : chain growth, common prefix and chain quality. The proofs can be found in the full version.
4 The semi-Synchronous Model without Message Loss
In this section, we extend the previously seen results to the semi-synchronous (bounded delay) model. This means that we allow delays for the messages, as described in the definition of our model. (Footnote 3: According to Theorem 11 of , the parameter has to be known by the honest parties to achieve state machine replication, e.g. achieving consensus.) In order to realize the proofs, we have to restrict to be . As in the last section, we do not assume message losses. Due to the introduced network delays, we need to redefine unique successful rounds, because they do not provide the same guarantees in this model. In particular, Lemma 15 (of ) will not hold in the new model. Therefore, we will introduce two new random variables, one for successful and one for unique successful rounds in the bounded delay model. Note that the chances for the adversary do not change and we can use the bounds from the synchronous model. Let the random variable be defined such that for each round , , if and , . A round is called -isolated successful round, if . Further, let . Using Bernoulli, we can derive the following bound on :
In order to prove eventual consistency, we have to rely on stronger events than just uniquely successful rounds. In , this is achieved by defining the random variable such that for each round , , if and , . Then, a round is called -isolated unique successful round, if . Further, let . As before, we can lower bound using Bernoulli:
4.1 Temporary Dishonest Majority Assumption
We assume again honest majority on expectation, such that for each round , where and is a constant.
Footnote 4: One might notice that our lower bound of differs from the lower bound from . First of all, they provided two different values for , where both of them are wrong in the sense that they are too small in order to prove the needed bounds. The reason for the higher value of (compared to the synchronous model) is that and we need a way to compensate for this difference.
4.2 Security Analysis
In this subsection, we prove Bitcoin is secure, i.e. the chain growth, common prefix and chain quality properties hold, for the semi-synchronous model without message loss. We note that the properties of the typical execution apply to the predefined random variables , given that . The following lemma corresponds to the semi-synchronous version of Lemma 4. Most of the relations follow the same structure and are proved similarly to those in the synchronous model.
Lemma 5 ()
The following hold for any set S of at least consecutive rounds in a typical execution.
Let with . For and :
Let with . For :
The proof of Lemma 5 as well as the proofs of the security properties can be found in the full version.
5 The -bounded Synchronous Model with Message Loss
As in the synchronous case, we do not restrict the number of queries and assume no message delays. In the previous sections, we assumed that messages sent from the diffusion functionality will be written on the string of each party. However, in this section, we assume that the messages only get written to the strings of alert parties, i.e. sleepy parties do not receive messages. This models the worst case that can occur in reality, because in Bitcoin itself, parties that were offline will check on the currently longest chain once they get back online. This model captures the effects if none of them receives one of the currently longest chains, and thus they eventually become victims of an eclipse attack. This implies that it’s not necessarily true that all parties’ local chains have the same length. This change to the model leads to major differences compared to the results from the previous sections. In this case, unique successful rounds do not provide the same guarantees as before; in particular, Lemma 15 (of ) does not hold any more. In the following, we denote by the set of chains containing all longest chains that exist at round . Further, we refer to the local chain of player at round by . The following lemma shows the expected number of honest players, which have adopted one of the longest chains existing at the current round.
At every round , there are expected parties , such that .
We will prove the lemma by induction over all rounds of an execution. The base case is trivial, because at round , every party starts with the genesis block. Now for the step case, assume that the lemma holds at round . Then we show that it holds at round too. In order to prove this, we perform a case distinction:
Case : No new chains will be diffused, therefore no new chains can be adopted and we can apply the induction hypothesis.
Case : Analogous to the previous case.
Case : (But ) Now we have to differentiate whether the new blocks extend some chain in or not:
Some longest chain is extended: Every party, which is not asleep at round will adopt one of the possibly multiple resulting new longest chains. Thus, there are expected alert parties which will have adopted one of the longest chains at round .
No longest chain is extended: No honest party whose local chain is already one of the currently longest chains will adopt a new chain, since its length will not be larger than the length of its local chain. Thus, we can apply the induction hypothesis.
Case : As in the case before, every party, which was alert at round , will adopt the resulting chain, if its length is larger than the length of its local chain. As before, there are alert parties which will have adopted one of the longest chains at round .
Case : Analogous to the previous case. But if the adversary withholds the found block, the case applies, and at the round where it diffuses this block, this case applies. ∎
By the lemma above, at every round only expected parties have a local chain . And a fraction of of them will again be sleepy in the following rounds. Therefore, let denote the number of alert parties at round , where . It’s easy to see that is binomially distributed with parameters and . Let denote the expected value of , omitting the round index , since the expected value is equal for all rounds. We define the random variable which indicates whether at least one of the parties solves a PoW at round . Thus, we set , if some honest party with solves a PoW at round and otherwise. Further, we define for a set of rounds S: .
It holds that .
The lemma can be proven using the same argumentation as in the proof for the Lemma 2. ∎
Accordingly, let denote the random variable with , if exactly one honest party solves a PoW at round and . Note that the resulting chain, will be the only longest chain. Further, for a set of rounds let .
It holds .
The proof follows exactly the same steps as the proof for Lemma 3. ∎
5.1 Temporary Dishonest Majority Assumption
In this setting, the honest majority assumption changes slightly. We cannot simply assume that is smaller than some fraction of , because we have also to consider parties with . We assume that for each round holds , where and some constant . Note that is the fraction of alert parties, working on shorter chains. In order to compute the upper bound for , we reformulate the honest majority assumption. Using the quadratic formula, this results in the following:
In the model description, we specified that the adversary is not informed if a party is set to sleep, after sending an instruction to the control program . This assumption is realistic since the adversary cannot be certain about the success of his attempt to create a crash-failure. Further, allowing the adversary to know when he successfully set a node to sleep makes him quite powerful. Specifically, in our model we have a fraction of alert parties. Subtracting the parties, which are working on a longest chain, from the parties, leaves us an expected fraction of parties, which can be found on the left hand side of the honest majority assumption. If we assumed that the adversary knows which parties are asleep at each round, we would have to change the temporary dishonest majority assumption to . Then, the adversary could exploit this knowledge to his advantage and send sleep instructions to the parties working on the longest chains. To capture this adversarial behavior a different model would be necessary (since cannot be considered constant).
5.2 Security Analysis
For this section, we note that the properties of a typical execution apply for the random variables and , given that .
Suppose that at round , the chains in have size . Then by round , an expected number of parties will have adopted a chain of length at least .
By Lemma 6, for every round , the expected number of parties with is . Therefore, we only have to count the number of times, when one of these longest chains gets extended. ∎
In the following, we define a new variable and provide an upper bound for it. This is required for the proof of the common prefix property. Although the proven bound is not tight, it is sufficient for proving the desired properties.
The probability that the honest parties with can create a new chain for some round , before any chain from gets extended is denoted by . It holds that:
Without loss of generality, we may assume that all parties with have the same local chain. Further, we can assume that this chain is just one block shorter than the currently longest chain. Thus, we seek an upper bound for the probability that the parties are faster in solving two PoW’s than the parties solving one PoW. In order to prove that, we have to introduce a new random variable , with if some honest party with solves a PoW. By the same argumentation as in Lemma 2, we can argue that . Therefore, the upper bound on the required probability is:
Now, let and . Then by the Definition of and holds:
Thus, is equivalent to:
The inequality holds, since and . ∎
The lemma below replaces Lemma 15 (of ). The possibility to have chains of different length at the same round offers various ways to replace a block from round , where . Thus, we cannot use the same arguments as in Lemma 15 (of ).
Lemma 11 ()
Suppose the k block of a chain was computed at round , where . Then with probability at least , the block in a chain will be B or requires at least one adversarial block to replace .
As in the previous sections, the properties of the typical execution hold and executions are typical with high probability, by Lemma 1. Since we allow message losses in this model, we require more unique successful rounds than in other models. This leads to a different bound in part e) of the following lemma.
Lemma 12 ()
The following hold for any set of at least consecutive rounds in a typical execution.
Next, we prove Bitcoin is secure in the synchronous model with message loss. The proof can be found in the full version.
6 Security Analysis Results
As a result of the temporary dishonest majority assumptions, we have derived upper bounds for the probability as shown in Figure 1. Therefore, we fixed to limit the advantage of an adversary following a selfish mining strategy. Further, we have chosen for all three models . For the synchronous model without message losses, we set , which results in . (Footnote 5: Note that is dependent on , which is again dependent on . If we removed this dependency, the results would be at most 2% better than the actual results shown in Figure 1.) For the semi-synchronous model, we also set , resulting in . For , we then get . And for the synchronous model with message losses, we have chosen , which results in .
One might wonder how we could allow such high values for . We have fixed , respectively , for our calculations. We can do this without loss of generality, since these expected values are dependent on , which depends on the difficulty parameter . The adjustment of , used to regulate the block generation rate, depends on the fraction of sleepy parties, because they do not provide computational power (e.g. new blocks) to the blockchain. These results are also consistent with the results from , where the upper bound on the adversarial fraction is stated at . If we set and , due to the value of , we get a maximal possible adversarial fraction of .
7 Related Work
To model temporary dishonest majority in Bitcoin we used an idea originally introduced by Pass and Shi . In this work, they introduced the notion of sleepy nodes, i.e. nodes that go offline during the execution of the protocol, and presented a provably secure consensus protocol. In this paper, we model the dynamic nature of the system by additionally allowing the adversary to set parties to sleep, thus enabling temporary dishonest majority. Bitcoin has been studied from various aspects and multiple attacks have been proposed, concerning the network layer [8, 11, 1] as well as the consensus algorithm (mining attacks) [6, 13, 5, 9]. The most famous mining attack is selfish mining , where a selfish miner can withhold blocks and gain disproportionate revenue compared to his mining power. The chain quality property, originally introduced in , encapsulates this ratio between the mining power and the final percentage of blocks, and thus rewards, the adversary owns. On the other hand, Heilman et al. examined eclipse attacks on Bitcoin’s peer-to-peer network. In turn, Nayak et al. presented a novel attack combining selfish mining and eclipse attacks. They showed that in some adversarial strategies the victims of an eclipse attack can actually benefit from being eclipsed. Our last model, where offline parties do not get the update messages, captures this attack.
8 Conclusion & Future Work
In this paper, we prove Bitcoin is secure under temporary dishonest majority. Specifically, we extended the framework of Garay et al. to incorporate offline nodes and allow the adversary to introduce crash failures. This way we can relax the honest majority assumption and allow temporary dishonest majority. We prove Bitcoin’s security by showing that under an expected honest majority assumption the following security properties hold: chain growth, common prefix and chain quality. We examine three models: the synchronous model, the bounded delay model and the synchronous model with message loss. The first two models result in similar bounds regarding the fractions of corrupted and sleepy parties. In contrast, the last model that allows message losses when a party goes offline is less resilient to sleepy behavior. This is expected since this model captures the nature of eclipse attacks where the adversary can hide part of the network from an honest party and either waste or use to his advantage the honest party’s mining power. We illustrate in Figure 1 the upper bounds on the fraction of sleepy parties depending on the fraction of corrupted parties for all three models. For future work, we did not consider the bounded delay with message loss model. We expect the difference on the results from synchronous to bounded delay model to be similar to the model without message loss. Another interesting future direction is to consider a more powerful adversary, who knows whether his attempt to set a party to sleep is successful or not.
We thank Dionysis Zindros for the helpful and productive discussions. Y. W. is partially supported by X-Order Lab.
[1] Apostolaki, M., Zohar, A., Vanbever, L.: Hijacking bitcoin: Routing attacks on cryptocurrencies. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, San Jose, CA, USA, May 22-26, 2017. pp. 375–392 (2017)
[2] Avarikioti, G., Käppeli, L., Wang, Y., Wattenhofer, R.: Bitcoin Security under Temporary Dishonest Majority (2019)
[3] Bonneau, J.: Hostile blockchain takeovers (short paper). In: Bitcoin’18: Proceedings of the 5th Workshop on Bitcoin and Blockchain Research (2018)
[4] Decker, C., Wattenhofer, R.: Information propagation in the bitcoin network. In: IEEE P2P 2013 Proceedings (Sep 2013)
[5] Eyal, I.: The miner’s dilemma. In: 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA, May 17-21, 2015. pp. 89–103 (2015)
[6] Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Commun. ACM (Nov 2013)
[7] Garay, J.A., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: Analysis and applications. In: Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II. pp. 281–310 (2015)
[8] Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on bitcoin’s peer-to-peer network. In: Proceedings of the 24th USENIX Conference on Security Symposium. pp. 129–144. SEC’15, USENIX Association, Berkeley, CA, USA (2015)
[9] Kwon, Y., Kim, D., Son, Y., Vasserman, E.Y., Kim, Y.: Be selfish and avoid dilemmas: Fork after withholding (FAW) attacks on bitcoin. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017. pp. 195–209 (2017)
[10] Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system. In: https://bitcoin.org/bitcoin.pdf (Oct 2008)
[11] Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: Generalizing selfish mining and combining with an eclipse attack. 2016 IEEE European Symposium on Security and Privacy (EuroS&P) pp. 305–320 (2015)
[12] Pass, R., Shi, E.: The sleepy model of consensus. In: Takagi, T., Peyrin, T. (eds.) Advances in Cryptology – ASIACRYPT 2017. pp. 380–409. Springer International Publishing, Cham (2017)
[13] Sapirshtein, A., Sompolinsky, Y., Zohar, A.: Optimal selfish mining strategies in bitcoin. In: Financial Cryptography and Data Security - 20th International Conference, FC 2016, Christ Church, Barbados, February 22-26, 2016, Revised Selected Papers. pp. 515–532 (2016)
[14] Singh, A., Ngan, T.W.J., Druschel, P., Wallach, D.S.: Eclipse attacks on overlay networks: Threats and defenses. In: IEEE Infocom 2006 (Apr 2006)
[15] Sit, E., Morris, R.: Security considerations for peer-to-peer distributed hash tables. In: Springer, pp. 261–269 (Oct 2002)