Game-Theoretic Analysis of Mining Strategy in Bitcoin-NG Blockchain Protocol

11/03/2019 ∙ by Taotao Wang, et al. ∙ 0

Bitcoin-NG, a scalable blockchain protocol, divides each block into a key block and many micro blocks to effectively improve the transaction processing capacity. Bitcoin-NG has a special incentive mechanism (i.e. splitting the transaction fee to the current and the next leader) to maintain its security. However, the design of the incentive mechanism ignores the joint effect of the transaction fee, the mint coin and the mining duration length on its expected mining reward. In this paper, we identify the advanced mining attack that deliberately ignores micro blocks to enlarge the mining duration length to increase the likelihood of winning the next mining race. We first show that an advanced mining attacker can maximize its expected revenue by optimizing its mining duration length. We then formulate a game-theoretical model in which multiple miners perform advanced mining to compete with each. Based on the proposed model, we compute the expected revenue of the attacker and analyze the Nash equilibrium for the mining game. We show that by adapting the mining duration lengths according to the equilibrium point of the game, these miners can increase their expected mining revenues compared to honest mining. Therefore, we conclude that miners have a great incentive to have advanced mining attack.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

BITCOIN [14] the first successful decentralized digital cryptocurrency, has gained much recognition and support from people in various fields. It has become the 11th largest currency in the world, with a market capitalization of over 0.21 trillion US dollars as of August 2019. As a foundation technology for Bitcoin, blockchain is a decentralized and distributed digital ledger that stores data in chronological order in a way that the data in the chain cannot be falsified. Blockchain has become a cutting-edge technology in FinTech, Internet of Things (IoT), and supply chains [22, 25, 8, 15, 1], thanks to fact that its data are i) replicated and stored in a decentralized manner in many locations; ii) tamper-proof; and iii) traceable.

Despite its strong security and privacy protection, Bitcoin network faces a significant scalability problem, i.e., the speed at which the network can handle transactions is restricted by the block size and block interval [5, 19, 20, 3]. Miners devote computational powers to solve a hash puzzle in each round. The miner who has successfully solved the hash puzzle becomes the leader for that round and broadcast a block that contains transactions to the whole Bitcoin network. For the current Bitcoin network the maximum size of each block is set to 2 MB and the average interval between two successive blocks is fixed to 10 minutes, which means that the Bitcoin network can only handle up to 8 transactions per second (TPS), given a typical transaction size of 250 Bytes. This TPS is a very low transaction processing capacity, compared to the 2000-5000 TPS of Visa global payment system.

In order to improve its on-chain transaction processing capacity, Bitcoin network could simply increase the block size or reduce the block interval. However, increasing the block size (by packing more transactions into each block) and reducing the block interval (by decreasing the difficulty of hash puzzles) both lead to more forks on the blockchain, which compromises the security of Bitcoin blockchain. Without redesigning the blockchain protocol, it is hard to increase the transaction processing capacity of Bitcoin network by simply tuning these network parameters.

To solve the scalability problem of Bitcoin blockchain, new blockchain protocols have been proposed [19, 20, 3, 20, 11, 18, 21, 12, 16, 17, 13, 6]. Among these solutions, the Bitcoin-NG111NG stands for Next Generation. [6] blockchain protocol has attracted much attention, thanks to its effectiveness in solving the blockchain scalability problem and its compatibility with the current Bitcoin network [6]. To achieve large transaction processing capacity, Bitcoin-NG introduces two types of blocks: key blocks and micro blocks. Key blocks are used to elect leaders for each round. Micro blocks are used to record transactions onto the blockchain. In this protocol, the first miner that correctly solves the current hash puzzle creates a new key block and becomes the leader for the current round. After placing the new key block on top of the pervious block (a key block or a micro block), the leader is in charge of packing transaction into the following micro blocks. The creation of micro blocks does not require the mining process for solving hash puzzles. Bitcoin-NG can achieve very fast transaction processing speed, since transactions are packaged into micro blocks that are released much faster than key blocks.

The incentive mechanism of Bitcoin-NG is different from that of Bitcoin in which all transaction fees are allocated to the leader of the current round. For Bitcoin-NG, the incentive mechanism distributes a part of the transaction fees contained in the micro blocks to the leader of the current round and the remaining part of the transaction fees to the leader of the next round [6]. With this special incentive mechanism, the Bitcoin-NG blockchain protocol encourages miners to behavior honestly, i.e., to follow the default behaviors of extending the heaviest chain, including transactions, and extending the longest chain [6].

Bitcoin-NG blockchain protocol can significantly improve the transaction processing capacity of the Bitcoin network. However, Bitcoin-NG blockchain is prone to advanced mining attack that compromises its security. Advanced mining attack refers to the mining behavior in which miners ignore some micro blocks issued by the leader of the current round and intentionally mine the next key block in advance to enlarge their lengths of mining time (see details in Section IV). Although mining in advance will earn less transaction fees (since it ignores and discards some micro blocks), it will increase the probability of mining success and thus increases the expectation of earned mint coins contained in the mined key block. Therefore, there is still a motivation for miners to perform advanced mining attack.

Without considering the joint effect of mining-time length, the mint coins contained in the key block, the transaction fee contained in the micro blocks, the original design of Bitcoin-NG blockchain [6] is not robust against advanced mining attack.

Fig. 1: Data structure of Bitcoin blockchain.

In this paper, we have made a thoughtful analysis of the advanced mining behavior of miners in Bitcoin-NG blockchain, by taking all the relevant factors (i.e., the transaction fee, the mint coin, the mining time length) into account. Specifically, we have the following three contributions.

  • First, we analyze the scenario where an attacker can mine the next key block in advance, while other miners in the network follow the honest mining. We use this scenario to explain what is advanced mining attack and why it is more profitable. We formulate the attacker’s mining problem as an optimization problem that aims to maximize the expected mining reward with respect to the length of mining time. We find the optimal length of mining time to get the maximum expected reward. Our numerical results show that the attacker can indeed gain more rewards under the optimal strategy than the honest miner.

  • Next, we proceed to analyze the scenario where the whole network is divided into two mining pools, and both mining pools can adopt advanced mining. The analysis gets complicated as each pool’s revenue is affected by the mining-time length of the other. We then formulate the mining process of the two-pool scenario as a two-player game. We analytically find the Nash equilibrium for this two-pool mining game.

  • Finally, we further extend the two-player game to an -player game which models the general scenario of mining pools. We find that there always exist a Nash equilibrium for this -player game, although its analytical result is hard to derive. We numerically investigate the equilibrium points for different computing power profiles of the pools.

The remainder of this paper is organized as follows. Section II gives a blockchai preliminary. Section III review the Bitcoin-NG protocol. Section IV presents our analysis for the advanced mining problem. Section V provides numerical results and Section IV concludes this paper.

Ii Blockchain Preliminary

Blockchain is the decentralized append-only ledger for the crypto-currency, Bitcoin. The data of blockchain is replicated and shared among all participants. Its past recorded data are tamper-resistant and participants can only append new data to the tail-end of the chain of blocks. The state of blockchain is changed according to transactions issued by the payers. Specifically, the issued transactions are broadcasted over the blockchain network. Participants then collect and group these transactions into blocks and append them to the blockchain. Each block contains a header and a set of transactions. The header of the block encapsulates the hash of the preceding block, the hash of this block, the merkle root of all transactions contained in this block, and a number called nonce that is generated according to the consensus protocol of Proof-of-Work (PoW) [14]. Since each block must refer to its preceding block by placing the hash of its preceding block in its header, the sequence of blocks then forms a chain arranged in a chronological order. Fig. 1 illustrates the data structure of blockchain.

Ii-a Proof of Work and Mining

Bitcoin blockchain adopts the PoW consensus protocol to validate new blocks in a decentralized manner. In each round, the PoW protocol selects a leader that is responsible for packing transactions into a block and appends this block to blockchain. To prevent adversaries from monopolizing the blockchain, the leader selection must be approximately random. Since blockchain is permissionless and anonymity is inherently designed as a goal of blockchain, it must consider the sybil attack where an adversary simply creates many participants with different identities to increase its probability of being selected as the leader. To address the above issues, the key idea behind PoW is that a participant will be randomly selected as the leader of each round with a probability in proportion to its computing power.

In particular, blockchain implements PoW using computational hash puzzles. To create a new block, the nonce placed into the header of the block must be a solution to the hash puzzle expressed by the following inequality:

(1)

where denotes the binary string assembled using the candidate block data including the Merkle root of all transactions, the hash of the previous block, etc., denotes the solution string, is the cryptographic hash function, is the hash of the candidate block ( is the length of bits in ), is a target value ( is the current difficulty level of the hash puzzle).

The PoW puzzle expressed in (1) aims to search for a solution string, , such that given the concatenation of and as the input to the hash function , the output of the hash function should fall below a target that is small with respect to the whole range of the hash function outputs. Moreover, it is known that with a secure hash function (e.g., the SHA-256 hash used for Bitcoin), it is challenging to guess a nonce to fulfill (1) by a one-shot querying. The only way to solve (1) is to query a large number of nonces one by one to check if (1) is fulfilled until one lucky nonce is found (i.e., to exhaustively search for the nonce). Therefore, the probability of finding such nonce is proportional to the computing power of the participant—the faster the hash function in (1) can be computed in each trial, the more number of nonces can be tried per unit time. Using the blockchain terminology, the process of computing hashes to find a nonce is called mining, and the participants involved are called miners. In the following, we present some mathematical results on modeling the mining process that will be used in our later analysis.

With a difficult level and the corresponding target in (1), each single query to the hash function is an i.i.d. Bernoulli test whose success probability is given by

(2)

When is very large, the above success probability of a single query is very tiny. To win the race of solving the PoW puzzle is a very computationally intensive task, since miners need to compute hash queries as fast as possible. Let denote the number of hash queries that miner can compute per unit time, i.e., is the hash rate of miner . Then, the number of success queries that miner can make converges to a Poisson process with rate [23]. Moreover, the computation time between two successful queries made by miner

(represented by a random variable

) fulfills the exponential distribution with rate

[23]. Thus, the probability that at least once successful query made by miner within the duration of length is given by

(3)

which is proportional to the hash rate and the mining duration length . Intuitively, more computation power (faster hash rate) and more computation time (longer mining time) lead to larger probability of successful mining.

Consider there are totally miners in the network and each performs mining to solve the PoW puzzle independently. Since the combination of the independent Poisson processes is still a Poisson process with a rate obtained by summing up the rates of the independent Poisson processes [9], the number of success queries per unit time made by the whole network is a Poisson processes with rate

(4)

which is also the expectation of the successful queries made by the whole network per unit time. Therefore, the average number of blocks mined during the given block interval is . The difficulty control of blockchain aims at fixing the average number of the mined blocks per block interval to one by adjusting the difficulty level to adapt to fluctuations in the total computation power of the network.

Ii-B Honest Mining Strategy

When a miner tries to append a new block to the latest legal block by placing the hash of the latest block in the header of the new block, we say that the miner mines on the latest block. Blockchain is maintained by miners in the following manner.

To encourage all miners to mine on (maintain) the current blockchain, each legal block distributes a reward the miner as incentives. The reward of each block consists of two parts. The first part of the reward is a certain amount of new coins. When a miner mines a new block out, the miner is allowed to place a coin-mint transaction in its mined block that credits this miner with some new coins as a part of the reward. The other part of the reward is the transaction fee contained in the transactions of the block. If the block is verified and accepted by the blockchain network (i.e., it becomes a legal block), the reward is effective and thus can be spent on the blockchain. When a miner has found an eligible nonce, it publishes his block to the whole blockchain network. Other miners then verify the nonce and verify the transactions contained in that block. If the verification of the block is passed, other miners will mine on the block; otherwise, other miners discard the block and will continue to mine on the previous legal block.

If two miners publish two different legal blocks that refer to the same preceding block at the same time, the blockchain is then forked into two branches. This is called forking of the blockchain. Forking is an undesirable feature of blockchain, since it threatens the security of blockchain [3]. To resolve forking, PoW prescribes that only the rewards of blocks on the longest branch (called the main chain) are effective. Then, miners are incentivized to mine on the longest branch, i.e., miners always add new blocks after the last block on the longest main chain that is observed from their local perspectives. If the forked branches are of equal length, miners may mine subsequent blocks on either branch randomly. This is referred to as the rule of longest chain extension.

The mining strategy of adhering to the rule of longest chain extension and publishing a block immediately after the block is mined is referred to as the honest mining strategy [23]. The miners that comply with honest mining are called honest miners. It was widely believed that the most profitable mining strategy for miners is the honest mining strategy; and that when all miners adopt the honest mining strategy, each miner is rewarded proportionally to the ratio of his/her computing power to the total computing power all miners [23]. As a result, any rational miner will not deviate from honest mining. This belief was later shown to be ill-founded and that other mining strategies with higher profits are possible, such as selfish mining [7], withholding mining [2], etc.

Iii Bitcoin-Ng Blockchain Protocol

Compared with Bitcoin, Bitcoin-NG is a scalable blockchain protocol that allows for greater throughput without inducing extra communication latency. To separate the functionalities of selecting leaders (PoW) and recording transactions, the Bitcoin-NG blockchain protocol introduces two types of blocks: key blocks and micro blocks. Bitcoin’s block and Bitcoin-NG’s key block have the same effectiveness expect that the latter contains no transactions. In Bitcoin-NG, the first miner that correctly solves the current hash puzzle creates a new key block and becomes the leader for the current round. After placing the new key block on the pervious block, the leader is in charge of packing transaction into micro blocks. Intuitively, the Bitcoin-NG protocol divides a bitcoin block into the key block and the micro block to achieve performance improvement.

Iii-a Key Blocks and Micro Blocks

Fig. 2 illustrates the data structure of the Bitcoin-NG blockchain. In each round (e.g., the -th round), once a miner who finds a correct nonce to solve the current hash puzzle (the PoW problem), this miner becomes the new leader and immediately creates a new key block . Unlike the block of Bitcoin, this key block contains no transaction. It still contains the hash of the preceding block, the hash of this block, the nonce, a coin-base transaction to pay out the reward; moreover, it contains an extra public key. This public key must match the private key contained in the subsequent micro blocks. The average interval between two consecutive key blocks is maintained at a constant value by difficulty control.

After the key block, the miner generates many consecutive micro blocks, , that are used to pack transactions. Unlike the key block, the generation of these micro blocks does not need PoW. Thus, the leader can generate consecutive micro blocks quickly without extra computational overhead until the next key block is published. The header of each micro block encapsulates the hash of the preceding block, the Unix time, the hash of ledger entries and a signature of the header. The signature is signed with the private key that matches the public key contained in the key block . To restrain micro block forks, the maximum size and maximum generation rate of micro blocks must be determined [6]. By packing many transactions into each micro block and publishing micro blocks in a relatively high rate, Bitcoin-NG is allowed to achieve very high throughputs of transactions. In [3], it is theoretically analyzed that Bitcoin-NG-like protocols, which decouple the functionalities of leader selection and ledgering into different types of blocks, can achieve the optimal transaction processing capacity of the network.

Fig. 2: Illustration of the Bitcoin-NG blockchain. A key block (the square) is followed with a set of micro blocks (the circle). Transaction fees are divided into two parts: for the current leader and for the next leader.

Iii-B Incentives

Bitcoin-NG employs its specially designed incentive mechanism to motivate rational miners to follow the three honest actions: i) extending the heaviest chain; ii) extending the longest chain; iii) including transactions into the micro blocks.

Heaviest chain extension: Assuming a majority of miners in the network are honest, Bitcoin-NG is designed to incentivize miners to always extend the heaviest chain that contains the largest amount of proof-of-work. If a small number of attackers choose another branch (other than the heaviest chain) to mine on, they may not catch up with the mining speed of honest miners and thus get no benefit. To obtain their profits, rational miners will spontaneously mine on the heaviest chain.

In Bitcoin, the heaviest chain is the longest chain, since each block (that contains proof-of-work) is given a weight. In Bitcoin-NG, only key blocks are given weights and micro blocks are given no weight (since micro blocks contain no proof-of-work. If micro blocks also have weights, a malicious leader may take a kind of selfish mining, in which the leader produces a number of micro blocks but does not release them and then mines on these secret micro blocks to get the next key block while other miners mine on the older released micro blocks. As long as the selfish leader finds the next key block, he/she can release the mined key block together with the secret micro blocks to overwrite the key block mined and released by others, since the branch build by the selfish leader has more weights (more micro blocks). Without assigning weights to micro blocks, Bitcoin-NG does not increase the system’s vulnerability to selfish mining.

Longest chain extension:In Bitcoin-NG, the leader of each round will be compensated with a reward, which includes two parts: i) the new mint coins that contained in the key block; ii) a fraction of the transaction fees that contained in her/his published micro blocks of the current round and a fraction of the transaction fees from the micro blocks of the last round (i.e., the transaction fees contained in each micro block are split into two parts: a fraction is rewarded to the current leader and a fraction is rewarded to the next leader, as shown in Fig. 2). This is different from the incentive mechanism of Bitcoin that compensates the leader with the new mint coins and all transaction fees contained in the block. This incentive mechanism of Bitcoin-NG can encourage miners to extend the longest chain. We explain this as follows.

In each round, the current leader takes in charge of consecutively generating a set of micro blocks and other miners can decide which micro block to mine on. Suppose that all transaction fees contained in these micro blocks will be rewarded to the current leader. To earn more revenue, a malicious miner may deliberately discard the latest published micro block and mine on an earlier published micro block. If this miner succeeds in doing that, he will pack the transactions of the discarded micro block into his own micro blocks to get all transaction fees. Splitting the transaction fees into two parts can incentivize miners to mine on the longest chain that contains the already published micro blocks, since to become the next leader can still earn transaction fees from these micro blocks.

However, even with this incentive mechanism, it is still possible that miners can earn more revenue by deliberately discarding the latest published micro block and mining on an earlier published micro block. The more possible revenue can be achieved using the following mining strategy. If one miner succeeds in mining the one key block, he will then pack the transactions (that contained in the previous micro block discarded by her/him) into his own micro block and continue to mine on the next key block. Hence, the value of should be designed such that the revenue of the leader taking this mining strategy must be smaller than his/her revenue of expanding the longest chain [6].

Transaction inclusion: Another issue with respect to the value of is that it should be chosen to incentivize the current leader to include her/his received transactions into her/his micro blocks, other than to withhold them in some hidden micro blocks.

Consider that in the current round, the leader receives a transaction, and he/she immediately creates a micro block to pack the received transaction and publish the micro block to the whole network. Then, the leader can obtain a fraction of the transaction fee by abiding this honest behavior. Moreover, a leader can potentially obtain 100% of the transaction fee by taking the following malicious mining strategy. First, the leader may generate a micro block consisting of the received transaction, but does not publish this micro block. Then, she/he attempts to secretly mine on this hidden micro block to increase her/his chance for winning the next round of the leader selection. If this leader succeeds in doing that, she/he can then judiciously publish the hidden micro block and the new key block together to earn all the transaction fee of the transaction contained in that micro block. Otherwise, he will wait for the transaction to be packed into a micro block by any other leader and then mine on that micro block to try to earn the transaction fee.

In order to motivate leaders spontaneously pack transactions into published micro blocks, the value of should to be chosen such that the leader’s revenue of withholding the micro block must be smaller than his revenue of abiding by the protocol [6].

In the original design of Bitcoin-NG [6], the value of is suggested to after performing an analysis on the incentive mechanism. However, the analysis on the incentive mechanism of Bitcoin-NG is flawed. Work [24] points out that there is a negligence and an over-simplification on the original analysis of Bitcoin-NG incentive mechanism, and it corrects the optimal value of as .

Iv Game-Theoretic Analysis of Bitcoin-Ng Mining

In this section, we study the optimal mining strategy of selfish miners namely attackers in three different scenarios. First, we consider the scenario where an attacker can change its mining duration to perform the so-called advanced mining attack to other honest miners who follow the rule of mining in a fixed default duration. We formulate the advanced mining attack problem as an optimization problem for the attacker to find the optimal mining duration that maximizes the attacker’s revenue. Second, we consider the scenario of two miners that both are allowed to perform advanced mining (i.e., changing their mining durations) and thus compete with each other. This setup leads to a game-theoretic model in which we derive the Nash equilibrium mining strategies of the two miners. Third, we generalize the game-theoretic model for two miners to miners, where is an arbitrary integer. In the following, we present the models and analysis for the three scenarios, respectively.

Fig. 3: Illustration of the relationship between the variables and .

Iv-a One-Attacker Mining Optimization

We now analyze how an attacker can get higher revenue by violating the protocol to enlarge her/his mining duration.

After the key block of the current round is published, the leader broadcasts consecutive micro blocks to the network within a duration of length . Following the latest micro block, miners try to compute the next key block. We denote as the length of the duration between the last micro block of this round and the key block of the next round, and assume that all the honest miners adopt as the default mining duration. Therefore, the length of the interval between two adjacent key blocks is given by . Since is the length of the default mining duration, the difficulty control of Bitcoin-NG is made with respect to , i.e., by adjusting the difficult level to maintain .

Although the default mining duration is set, miners still can freely decide when to begin their mining due to the decentralized nature of the system. On one hand, since of the transaction fee contained in the micro blocks of this round is distributed to the next leader, miners generally turn to mine on the latest published micro block to earn transaction fees as many as possible. On the other hand, if miners choose to mine on an early micro block, they will lose a part of transaction fee but have more time to make more hash queries for computing the nonce. The greater number of nonces being tried admits a higher probability of finding the correct nonce. If an early miner succeeds to find the next key block earlier than other miners, the lost transaction fee can be compensated by the reward of the new coins mint in the next key block. Therefore, the possible reward motivates miners to mine on an early micro block. We refer to such selfish mining strategy as advanced mining attack.

We now consider that there is one attacker making an advanced mining attack in the Bitcoin-NG network. During the interval between the current key block and the next key block, this attacker uses the last duration of length to compute the next key block, where . Without loss of generality, we group all other miners in the network as a single honest miner, who uses the last duration of length to compute the next key block according to the default mining rule. Fig. 3 illustrates the relationship among the variables of and defined above.

Let denote the hash rate of the attacker, and denote the hash rate of the honest miner. If the perfect difficulty control with respect to is achieved, we have .

Actually, the attacker and the honest miner devote their computation power to perform a mining race: the one who computes a valid nonce earlier than the other is the winner. The winner will be the leader of the next round and can earn the corresponding rewards. Therefore, devoting more computation resources (i.e., longer mining duration) can increase the winning chance, and we model the probability that the attacker wins the mining race as a function of the length of its mining duration denoted by . Note that is monotonically increasing with respect to , indicating that the attacker achieves a higher wining probability when a longer mining duration is devoted.

We denote the lengths of the mining durations needed for successful mining of attacker and the honest miner as random variables and , respectively. The random variables and are independent and both fulfill the exponential distribution with rates and [10], respectively. Hence, the winning probability of the attacker is given by

(5)

where and are the time instances when the attacker and the honest miner successfully find the next key block, respectively. Since the difference between two independent exponential distributed random variables, e.g., , is a Laplace distributed random variable, the probability expressed in (5) can be calculated as [24]:

(6)

If we consider that there is no advanced mining attack, i.e., , the probability in (6) is reduced to , which is the successful probability of honest mining that equals the ratio of the miner’s computation power over the totally computation power of the network [23].

We assume that each key block contains a reward (i.e., the value of the mint new coins), each micro block contains a reward (seen as the value of the transaction fees), and the current leader can generate micro blocks within the duration of length . Then the advanced mining attacker can earn the transaction fees from the first micro blocks, where since . The total reward of the miner includes both the rewards from the new key block and the -fraction of the rewards from the micro blocks. Therefore, if the attacker can succeed to find the next key block, the total reward is given by:

(7)

which is also a function of its mining duration. The expected reward of the attacker is the total revenue multiplied by the probability of successful mining :

(8)

The revenue function is concave and continuous in , and we can obtain the maximum value of when

(9)

Solving (9), we find that the revenue function achieves its maximum value at

(10)

where denotes the Lambert W Function [4]. In the next section, we numerically compute the corresponding maximum expected revenue that is showed to be larger than the expected revenue earned by the honest mining . The result indicates that when all other miners adopt honest mining, the attacker performs the advanced mining over the last duration of the block interval is the optimal strategy to earn the highest expected revenue.

Iv-B Two-Player Mining Game

We proceed to analyze the scenario where all miners in the network are divided into two mining pools that both try to make advanced mining attack. We denote the two mining pools as pool and pool with hash rates and , respectively. Pool attempts to carry out advanced mining using the mining duration of length , and pool uses the mining duration of length to perform advanced mining. The mining behaviors of the two pools in this scenario can be analyzed through a two-player game.

We formulate the two-pool advanced mining problem as a two-player game as follows. The two players, pool and pool , strategically choose their mining durations to compete for the reward from successful mining. The two mining pools are rational and their interaction can be modeled as a non-cooperative game. Each pool has a set of pure strategies in . Let be the mining strategy of pool , where . A two-tuple of strategies of the two mining pools is and a two-tuple of corresponding payoffs is , where is the utility of player given the chosen strategies of the two mining pools. Each mining pool chooses its best strategy to maximize its utility. A set of strategies is the Nash equilibrium if no miner can gain higher utility by unilaterally changing its own strategy when the strategies of the other miners remain unchanged, i.e.,

(11)

The inequalities in (10) define the equilibrium state of the game. At the Nash equilibrium if it exists, the players have no incentive to deviate from their equilibrium strategies.

For the advanced mining problem, we adopt the expected mining rewards as the utilities in the game formulation. We compute the utilities as follows. The rewards for the two mining pools if they have successful mining are

(12)

Only if the time instance for a pool finding a nonce is earlier than the time instance for its opponent does, that pool can earn the reward. Since the mining pools both can change the lengths of their mining durations, and , the successful mining probability of pool is a function of mining durations of both pools, i.e., . We write the successful mining probabilities of pool A and pool B as follows

(13)

where and are the random variables representing the lengths of the mining durations needed for the successful mining of mining pools and , respectively. We find that the computation of probabilities and depends on the sign of , and thus we will analyze two cases when and in the following.

The differences of two independent exponential distributed random variables, , are Laplace distributed. When , and in (13) can be computed as:

(14)

where and . Using (12) and (14), the utilities of the two players (i.e., their expected mining rewards) are given by

(15)

The utilities and are concave and continuous in and , respectively, and thus the Nash equilibrium satisfies

(16)

Solving (16) gives the Nash equilibrium for the two-pool mining game:

(17)

where we have used the difficulty control result .

When , the Nash equilibrium is symmetric to the one in (17) and is given by

(18)

The results indicate that at both cases, the two mining pools will deviate from mining over the default mining duration.

Iv-C -Player Mining Game

We next extend the two-player mining game to a -player mining game. We consider that the miners in the network are grouped into mining pools and all mining pools execute advanced mining. Mining pool with hash rates uses the mining duration of length to carry out advanced mining. The mining behaviors of the pools can also be modeled as a non-cooperative game.

In the N-miner game, all mining pools strategically choose the lengths of their mining durations to maximize their revenue. Each pool has a set of pure strategies . Let be the strategy of mining pool

. The vector of the strategies of

mining pools is , and the vector of the corresponding utilities is , where is the utility of player given the chosen strategies of the mining pools. Each mining pool chooses its best strategy to maximize its utility. The vector of the strategies is the Nash equilibrium if no mining pool can gain higher utility by changing its own strategy when the strategies of the other miners remain unchanged, i.e.,

(19)

where is the vector of the best strategies of the other mining pools except mining pool .

Then we compute the utility of pool in this game as follows. If mining pool succeeds to find the next key block via advanced mining with mining duration of length , its reward is given by

(20)

Since the successful mining probability of mining pool is impacted not only by its own strategy but also other competitors’ strategies, it can be written as a function of and computed as

(21)

where is the random variable representing the length of the mining duration needed for the successful mining of pool . To compute the probabilities for all according to (21), we need to consider cases for the signs of . For example, considering the case of and , we have

(22)

Using (20) and (21), the utility of mining pool can be expressed as

(23)

for all . Then, we can find the Nash equilibrium by solving equation system

(24)

However, we cannot derive the explicit form of the Nash equilibrium for the -player game. In the next section, we will solve the Nash equilibrium in different cases using numerical computation.

V Numerical Results and Discussions

In this section, we provide numerical results to investigate the advanced mining problem in the Bitcoin-NG network. In our numerical computations, we set , , , , and .

We first numerically analyze one-attacker mining optimization. We compute the expected revenue of the attacker for a range of different mining powers. Fig. 4 depicts the expected revenue of the attacker that is a function of the length of its mining duration , given the mining power as the parameter. For a specific mining power, each red point represents the maximum expected revenue achieved by the corresponding optimal mining length shown in (10); each blue point represents the expected revenue achieved by the default mining length . From Fig. 4, we can see that higher mining powers decrease the required mining lengths to achieve the maximum expected revenues. Intuitively, higher mining powers increase the probabilities for finding a key block, thus the miner can mine slightly later and wait for more micro blocks to earn more transaction fees. Higher mining powers also increase the maximum expected revenues of the attacker. Moreover, we can observe that, whatever is the mining power ratio, the maximum expected revenue is achieved by the advanced mining and the expected revenue achieved by advanced mining is higher than that achieved by honest mining.

Fig. 4: The expected revenues of the attacker is given as a function of the mining length for different mining power .

We then investigate the two-player mining game. We compute the optimal mining strategies (i.e., the optimal mining lengths given in (17) and (18)). Fig. 5 depicts the optimal mining lengths for the two players that are given as a function of the mining power of player . We can see that when , the optimal mining length of player is larger than that of player . This fulfills the intuition that to achieve an equilibrium where the two players have the same expected revenues, the miner with less mining power need to mine earlier to enlarge his successful mining probability. The situation is the same for the case of . We compute the optimal mining lengths of players and as a function of the default mining length when the mining power is treated as the parameter. The results are shown in Fig. 6, where we can see that the optimal mining lengths are linearly decreasing in ; when , the optimal mining length of player should be longer than that of player .

Fig. 5: The optimal mining lengths of the two miners are given as functions of the mining power .
Fig. 6: The optimal mining lengths of the two miners are given as functions of the default mining length

We finaly numerically compute the optmial mining lenghes for the -player mining game by setting . When we do that, we fix the mining power of the first palyer , and vary the mining power of the second player . For a given , the computed the optmial mining lenghes are a fucntion of . The results are shown in Fig. 7-Fig. 9 for the different values of , where we can see that in general for different power mining profiles, the miners need to employ different mining lengths to achieve the equilibrium.

Vi Conclusion

In this work, we investigated the advanced mining problem for the Bitcoin-NG network. Although Bitcoin-NG is a scalable blockchain protocol, it is vulnerable to the malicious advanced mining behavior in which selfish miners intentionally ignore the micro blocks issued by the leader and mine one some early micro block to enlarge their successful mining probabilities. We find that although mining in advanced will lose some transaction fee contained in later micro blocks, it is still more profit than honest mining (i.e., mining on the latest micro block). Moreover, we show that if miners all adopt advanced mining, the mining problem of Bitcoin-NG can be formulated as a noncooperative game and each miner individually decides when to mine. We show that the equilibrium of this mining game dose exist and we show how to find it. Numerical results are provided to investigate the advanced mining behavior.

Fig. 7: The optimal mining lengths of the three miners are given as functions of the mining power for
Fig. 8: The optimal mining lengths of the three miners are given as functions of the mining power for
Fig. 9: The optimal mining lengths of the three miners are given as functions of the mining power for

References

  • [1] S. A. Abeyratne and R. P. Monfared (2016) Blockchain ready manufacturing supply chain using distributed ledger. Cited by: §I.
  • [2] S. Bag, S. Ruj, and K. Sakurai (2016) Bitcoin block withholding attack: analysis and mitigation. IEEE Transactions on Information Forensics and Security 12 (8), pp. 1967–1978. Cited by: §II-B.
  • [3] V. Bagaria, S. Kannan, D. Tse, G. Fanti, and P. Viswanath (2018) Deconstructing the blockchain to approach physical limits. arXiv preprint arXiv:1810.08092. Cited by: §I, §I, §II-B, §III-A.
  • [4] R. M. Corless, G. H. Gonnet, D. E. Hare, D. J. Jeffrey, and D. E. Knuth (1996) On the lambertw function. Advances in Computational mathematics 5 (1), pp. 329–359. Cited by: §IV-A.
  • [5] C. Decker and R. Wattenhofer (2013) Information propagation in the bitcoin network. In IEEE P2P 2013 Proceedings, pp. 1–10. Cited by: §I.
  • [6] I. Eyal, A. E. Gencer, E. G. Sirer, and R. Van Renesse (2016) Bitcoin-ng: a scalable blockchain protocol. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16), pp. 45–59. Cited by: §I, §I, §I, §III-A, §III-B, §III-B, §III-B.
  • [7] I. Eyal and E. G. Sirer (2018) Majority is not enough: bitcoin mining is vulnerable. Communications of the ACM 61 (7), pp. 95–102. Cited by: §II-B.
  • [8] K. Fanning and D. P. Centers (2016) Blockchain and its coming impact on financial services. Journal of Corporate Accounting & Finance 27 (5), pp. 53–57. Cited by: §I.
  • [9] M. Fisz and R. Bartoszyński (2018) Probability theory and mathematical statistics. Vol. 3, J. wiley. Cited by: §II-A.
  • [10] D. Kraft (2016) Difficulty control for blockchain-based consensus systems. Peer-to-Peer Networking and Applications 9 (2), pp. 397–413. Cited by: §IV-A.
  • [11] Y. Lewenberg, Y. Sompolinsky, and A. Zohar (2015) Inclusive block chain protocols. In International Conference on Financial Cryptography and Data Security, pp. 528–547. Cited by: §I.
  • [12] C. Li, P. Li, D. Zhou, W. Xu, F. Long, and A. Yao (2018) Scaling nakamoto consensus to thousands of transactions per second. arXiv preprint arXiv:1805.03870. Cited by: §I.
  • [13] L. Luu, V. Narayanan, C. Zheng, K. Baweja, S. Gilbert, and P. Saxena (2016) A secure sharding protocol for open blockchains. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 17–30. Cited by: §I.
  • [14] S. Nakamoto (2008) Bitcoin: a peer-to-peer electronic cash system. Cited by: §I, §II.
  • [15] A. Panarello, N. Tapas, G. Merlino, F. Longo, and A. Puliafito (2018) Blockchain and iot integration: a systematic survey. Sensors 18 (8), pp. 2575. Cited by: §I.
  • [16] R. Pass and E. Shi (2017) Hybrid consensus: efficient consensus in the permissionless model. In 31st International Symposium on Distributed Computing (DISC 2017), Cited by: §I.
  • [17] R. Pass and E. Shi (2018) Thunderella: blockchains with optimistic instant confirmation. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 3–33. Cited by: §I.
  • [18] Y. Sompolinsky, Y. Lewenberg, and A. Zohar (2016) SPECTRE: a fast and scalable cryptocurrency protocol.. IACR Cryptology ePrint Archive 2016, pp. 1159. Cited by: §I.
  • [19] Y. Sompolinsky and A. Zohar (2013) Accelerating bitcoin’s transaction processing. fast money grows on trees, not chains. IACR Cryptology ePrint Archive 2013 (881). Cited by: §I, §I.
  • [20] Y. Sompolinsky and A. Zohar (2015) Secure high-rate transaction processing in bitcoin. In International Conference on Financial Cryptography and Data Security, pp. 507–527. Cited by: §I, §I.
  • [21] Y. Sompolinsky and A. Zohar (2018) PHANTOM: a scalable blockdag protocol.. IACR Cryptology ePrint Archive 2018, pp. 104. Cited by: §I.
  • [22] F. Tschorsch and B. Scheuermann (2016) Bitcoin and beyond: a technical survey on decentralized digital currencies. IEEE Communications Surveys & Tutorials 18 (3), pp. 2084–2123. Cited by: §I.
  • [23] W. Wang, D. T. Hoang, P. Hu, Z. Xiong, D. Niyato, P. Wang, Y. Wen, and D. I. Kim (2019) A survey on consensus mechanisms and mining strategy management in blockchain networks. IEEE Access 7, pp. 22328 – 22370. Cited by: §II-A, §II-B, §IV-A.
  • [24] J. Yin, C. Wang, Z. Zhang, and J. Liu (2018) Revisiting the incentive mechanism of bitcoin-ng. In Australasian Conference on Information Security and Privacy, pp. 706–719. Cited by: §III-B, §IV-A.
  • [25] Z. Zheng, S. Xie, H. Dai, X. Chen, and H. Wang (2018) Blockchain challenges and opportunities: a survey. International Journal of Web and Grid Services 14 (4), pp. 352–375. Cited by: §I.