Bitcoin Selfish Mining and Dyck Words

02/05/2019 ∙ by Cyril Grunspan, et al. ∙ Pôle Universitaire Léonard de Vinci 0

We give a straightforward proof for the formula giving the long-term apparent hashrate of the Selfish Mining strategy in Bitcoin using only elementary probabilities and combinatorics, and more precisely, Dyck words. There is no need to compute stationary probabilities on Markov chain nor stopping times for Poisson processes as it was previously done. We consider also several other block withholding strategies.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 5

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1. Introduction

Selfish mining (in short SM) is a particular non-stop strategy of block withholding strategy described in [1] which exploits a flaw in the Bitcoin protocol in the difficulty adjustment formula [4]. The strategy is made of attack cycles. During each attack cycle, the attacker adds blocks to a secret fork and then, broadcasts them to peers with an appropriate timing. This is a deviant strategy from the Bitcoin protocol since an honest miner never withholds blocks and always mines on top of the last block of the official blockchain [3].

As explained in [4] the good objective function based on sound economics principles in order to compare profitabilities of mining strategies with repetition is the revenue ratio where is the revenue of the miner per attack cyle and is the duration time per cycle. After a difficulty adjustment, this mean duration time becomes equal to where is the number of blocks added to the official blockchain by the network per attack cycle and sec. [6]. Thus, the objective function becomes proportional to the long-term apparent hashrate of the strategy where is the number of blocks added by the attacker to the official blockchain per attack cycle. Several methods have been conceived to compute  . In [1], first a stationary probability is computed for a Markov chain. In [4] we use martingale techniques and consider Poisson processes and associated stopping times. The revenue ratio is then computed at once using Doob’s stopping time theorem. This last method has the advantage to fit the correct profitability analysis, and to identify the source of the weakness of the protocol. It allows a Bitcoin Improvement Proposal (BIP) to prevent the attack. It also yields the mean duration time before the attack becomes profitable. This last fact is out of reach with pure Markov chain models.

As usual, the relative hashrate of the honest miners (resp. attacker) is (resp. ) and denotes its “connectivity”. We have , and . We consider that whenever a competition occurs between two blocks or two forks, there is a fraction of the honest miners who mines on top of a block validated by the attacker.

2. Attack cycle and Dyck word

An attack cycle for the SM strategy can be described as a sequence with . The index indicates the -th block validated since the beginning of the cycle and letters determine the miner who has discovered this block between the selfish miner () and the honest miners ().

Example 2.1.

The sequence SSSHSHH means that the selfish miner has first validated three blocks in a row, then the honest miners have mined one, then the selfish miner has validated a new one and finally the honest miners have mined two blocks. At this point, the advantage of the selfish miner is only of one block. So according to the SM strategy, he decides to publish his whole fork and ends his attack cycle. In that case, we have .

We are interested in the distribution of .

Theorem 2.2.

We have and for , where is the -th Catalan number.

Proof.

For , we note that is a collection of sequences of the form with for all , such that if and are respectively replaced by the brackets “(“ and “)” then, is a Dyck word (i.e., balanced parentheses) with length (see [2]). The number of letters “” (resp. “”) in is (resp. ). So, we get (see [2]). Finally, we note that . Hence we get the result. ∎

Corollary 2.3.

We have

Proof.

It comes from the well know relations

(1)
(2)

that have been already used and proved in [5]. ∎

We can now compute the apparent hashrate.

Theorem 2.4.

The long-term apparent hashrate of the selfish miner in Bitcoin is

Proof.

If , then we are in the cases where all blocks validated by the selfish miner will end in the official blockchain. So, . If , then . Moreover, and (resp. 1) with probability (resp. ). So,

Using Corollary 2.3 we get:

This is nothing but Proposition 4.9 from [4] which is itself another form of Formula (8) from [1]. ∎

3. Stubborn Mining

We consider now two other block witholding strategies described in [7]. In the sequel, denotes the generating series for the Catalan numbers .

3.1. Equal Fork Stubborn Mining

In this strategy, the attacker never tries to override the official blockchain but when it is possible, he broadcasts the part of his secret fork sharing the same height as the official blockchain as soon as the honest miners publish a new block. The attack cycle ends when the attacker has been caught up and overtaken by the honest miners by one block [5, 7]. We show that the distribution of is what we have called a -Catalan distribution of first type in [5].

Theorem 3.1.

We have .

Proof.

Indeed, for , is a collection of sequences of the form with for all , such that if and are respectively replaced by the brackets “(“ and “)” then, is a Dyck word with length . ∎

Corollary 3.2.

We have

Proof.

Obvious by (1) and (2). ∎

Theorem 3.3.

The long-term apparent hashrate of a miner following the Equal-Fork Stubborn Mining strategy is given by .

Proof.

In an attack cycle, all the honest blocks except the last one have a probability to be replaced by the attacker. So, . See Lemma B.1 [5]. Conditionning by for and using Theorem 3.1, we then get

Hence we get the result. ∎

3.2. Lead Stubborn Mining

The strategy looks like the selfish mining strategy but here, the attacker takes the risk of being caught up by the honest miners. When this happens, there is a final competition between two forks sharing the same height. Once the competition is resolved, a new attack cycles starts. In this case, the distribution of is what we have called a -Catalan distribution of second type [5].

Theorem 3.4.

We have and for , .

Proof.

Indeed, we have and for , is a collection of sequences of the form with and such that if and are respectively replaced by the brackets “(“ and “)” then, is a Dyck word with length . ∎

Corollary 3.5.

We have

Proof.

Obvious by (1) and (2). ∎

By repeating the same argument as in the proof of Theorem 3.3 for the computation of , we obtain the following theorem [5].

Theorem 3.6.

The long-term apparent hashrate of a miner following the Lead Stubborn Mining strategy is given by

We color the region according to which strategy is more profitable, and we obtain Figure 1 [5] (HM is the honest mining strategy).

Figure 1. Dominance regions in parameter space .

References