Selfish mining (in short SM) is a particular non-stop strategy of block withholding strategy described in  which exploits a flaw in the Bitcoin protocol in the difficulty adjustment formula . The strategy is made of attack cycles. During each attack cycle, the attacker adds blocks to a secret fork and then, broadcasts them to peers with an appropriate timing. This is a deviant strategy from the Bitcoin protocol since an honest miner never withholds blocks and always mines on top of the last block of the official blockchain .
As explained in  the good objective function based on sound economics principles in order to compare profitabilities of mining strategies with repetition is the revenue ratio where is the revenue of the miner per attack cyle and is the duration time per cycle. After a difficulty adjustment, this mean duration time becomes equal to where is the number of blocks added to the official blockchain by the network per attack cycle and sec. . Thus, the objective function becomes proportional to the long-term apparent hashrate of the strategy where is the number of blocks added by the attacker to the official blockchain per attack cycle. Several methods have been conceived to compute . In , first a stationary probability is computed for a Markov chain. In  we use martingale techniques and consider Poisson processes and associated stopping times. The revenue ratio is then computed at once using Doob’s stopping time theorem. This last method has the advantage to fit the correct profitability analysis, and to identify the source of the weakness of the protocol. It allows a Bitcoin Improvement Proposal (BIP) to prevent the attack. It also yields the mean duration time before the attack becomes profitable. This last fact is out of reach with pure Markov chain models.
As usual, the relative hashrate of the honest miners (resp. attacker) is (resp. ) and denotes its “connectivity”. We have , and . We consider that whenever a competition occurs between two blocks or two forks, there is a fraction of the honest miners who mines on top of a block validated by the attacker.
2. Attack cycle and Dyck word
An attack cycle for the SM strategy can be described as a sequence with . The index indicates the -th block validated since the beginning of the cycle and letters determine the miner who has discovered this block between the selfish miner () and the honest miners ().
The sequence SSSHSHH means that the selfish miner has first validated three blocks in a row, then the honest miners have mined one, then the selfish miner has validated a new one and finally the honest miners have mined two blocks. At this point, the advantage of the selfish miner is only of one block. So according to the SM strategy, he decides to publish his whole fork and ends his attack cycle. In that case, we have .
We are interested in the distribution of .
We have and for , where is the -th Catalan number.
For , we note that is a collection of sequences of the form with for all , such that if and are respectively replaced by the brackets “(“ and “)” then, is a Dyck word (i.e., balanced parentheses) with length (see ). The number of letters “” (resp. “”) in is (resp. ). So, we get (see ). Finally, we note that . Hence we get the result. ∎
It comes from the well know relations
that have been already used and proved in . ∎
We can now compute the apparent hashrate.
The long-term apparent hashrate of the selfish miner in Bitcoin is
If , then we are in the cases where all blocks validated by the selfish miner will end in the official blockchain. So, . If , then . Moreover, and (resp. 1) with probability (resp. ). So,
Using Corollary 2.3 we get:
3. Stubborn Mining
We consider now two other block witholding strategies described in . In the sequel, denotes the generating series for the Catalan numbers .
3.1. Equal Fork Stubborn Mining
In this strategy, the attacker never tries to override the official blockchain but when it is possible, he broadcasts the part of his secret fork sharing the same height as the official blockchain as soon as the honest miners publish a new block. The attack cycle ends when the attacker has been caught up and overtaken by the honest miners by one block [5, 7]. We show that the distribution of is what we have called a -Catalan distribution of first type in .
We have .
Indeed, for , is a collection of sequences of the form with for all , such that if and are respectively replaced by the brackets “(“ and “)” then, is a Dyck word with length . ∎
The long-term apparent hashrate of a miner following the Equal-Fork Stubborn Mining strategy is given by .
3.2. Lead Stubborn Mining
The strategy looks like the selfish mining strategy but here, the attacker takes the risk of being caught up by the honest miners. When this happens, there is a final competition between two forks sharing the same height. Once the competition is resolved, a new attack cycles starts. In this case, the distribution of is what we have called a -Catalan distribution of second type .
We have and for , .
Indeed, we have and for , is a collection of sequences of the form with and such that if and are respectively replaced by the brackets “(“ and “)” then, is a Dyck word with length . ∎
The long-term apparent hashrate of a miner following the Lead Stubborn Mining strategy is given by
We color the region according to which strategy is more profitable, and we obtain Figure 1  (HM is the honest mining strategy).
-  I. Eyal, E. Sirer. Majority is not enough: bitcoin mining is vulnerable. International Conference on Financial Cryptography and Data Security, pages 436–454, 2014.
-  T. Koshy. Catalan Numbers with Applications. Oxford University Press, 2008.
-  S. Nakamoto. Bitcoin: a peer-to-peer electronic cash system. Bitcoin.org/bitcoin.pdf, 2008.
-  C. Grunspan, R. Pérez-Marco. On profitability of selfish mining. ArXiv:1805.08281v2, 2018.
-  C. Grunspan, R. Pérez-Marco. On profitability of stubborn mining.ArXiv:1808.01041, 2018.
-  C. Grunspan, R. Pérez-Marco. On profitability of trailing mining. ArXiv:1811.09322, 2018.
-  K. Nayak, E. Shi, S. Kumar, A. Miller. Stubborn mining: generalizing selfish mining and combining with an eclipse attack. IEEE European Symp. Security and Privacy, pages 305–320, 2016.