Embed Size (px)
Citation preview
On Power Splitting Games in Distributed Computation:
The case of Bitcoin Pooled Mining
Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas Hobor
National University of Singapore
2
Distributed computation• Solve computationally large problem
– Using resources from multiple users• Classic distributed computation models
– Volunteer computation– Parasitic computation
• An emerging model– Competitive computation: Bitcoin, Cryptocurrency, bug
bounties
Problem
U1 U2 … Un-1Un
3
Bitcoin mining• Bitcoin: the most popular
cryptocurrency– Find next valid Blocks– Find Nonce s.t.
• SHA256(BlkTemplate || Nonce) has D leading zero bits
– Eg: 0000000000000000024f37840…
• Requires huge computational power– >100 millions USD of hardware
investment– Miners have to wait for years!
4
Pooled mining
• Delegation of computational power via pooled mining– Pooled supervisor distributes work and reward– Miners find share
• Find Nonce to have d (<D) leading zeros
– Eg: 000000123fa…
• Shares are meaningful to pool only
• More than 90% are pool miners– Pool miners get frequent reward
Securing Bitcoin pool protocol is important!
0010X
0001X
0011X
0000X
5
• Is Bitcoin pooled mining protocol secure?– Miner’s reward computational power?– Following the protocol best outcome?
• Intuitive answer: Yes– Hash inversion is cryptographically hard
• This work– Shows an attack to make a million USD per
month
Problem
6
Block Withholding Attack● A topic of hot debate
– “Withholding attacks don’t make financial sense — that’s easy to prove with math...”
● Even from a pool operator– “Basically in no way has an accurate model
of the network shown withholding to be more profitable than legitimate mining...”
● Still happen in practice– The attack caused a damage of
200, 000 USD to Eligius pool
Our findings- The attack does profit the
attacker- Applicable to all
cryptocurrencies
7
Contributions
• Study the Bitcoin pooled mining protocol– Game theoretic approach, i.e. formulate
Bitcoin mining as a game
• Analyze the BWH attack– The attack is profitable
• Pool protocol is vulnerable
– Empirically evaluate the findings
8
BITCOIN MINING AS ACOMPUTATIONAL POWER SPLITTING GAME
Model
9
Find 0000X
25 BTCsFi
nd 0
000X
25 B
TCs
Fin
d 00
00X
25 BT
Cs
5 BTCs
Find 00Y
D=4d=2
Find 00Y
5 BTCs
Compete to get 25 BTCs
Free to distribute
power
10
• Player action: Pick =(β0, β1, β2 ,…, βn)
– Use αβ0 to compete independently
– Contribute αβi to pool Pi
– Get reward Ui from pool i
• Player’s goal is to maximize
Bitcoin as a Computational Power Splitting Game
• N pools• Player: α
GAME NETWORK
PLAYER
αβ0P1
αβ1
P2
αβ2
…
αβn
Pn-1
αβi
Pn
11
BLOCK WITHHOLDING ATTACKCase study
12
Block Withholding Attack● Only submit “normal” shares
– Reduces pool’s reward and other miners’ reward– Pool has to pay the attacker for his shares
● Hard to detect– Finding a block is probabilistic
0010X
0001X
Honest
0011X
0000X
0010Y
0001Y
BWH
0011Y
0000Y
13
BWH attack is profitable
• Intuition: Bitcoin is a zero-sum game– Coins supply is constant– The loss in the victim pool is picked up by
other pools
+x -x
BWH attack
+X
-0.2X +0.8X
14
Simple example
25% 75%
Honest Scenario
Mining Power
Reward
Honest scenari
o
Attack scenari
o
Attacker 25% 25% 25.9%
Pool 75% 75% 74.1%
20% 75%
Attack Scenario
5%
21% 79%
Actual Mining Power Distribution
0%
21% 74.1%
Actual Reward Distribution
4.9%
attacker
Victim pool BWH attack
1 pool, α=25%
(β0, β1) = (0.8, 0.2)αβ0 = 20% αβ1 = 5%
20% 75%
Honest Scenario
5%
15
Analyze BWH attack using CPS game
• Compute the reward of the attacker– Before vs after the attack in each pool– Infer attacking rules
• Consider different scenarios– Single attacker, single pool– Single attacker, multiple pools– Multiple attackers
16
Scenario: single attacker
• It’s always profitable to BWH attack
• There is a threshold on the attacking power
• It’s more profitable to target big pool• Exists the optimal strategy to maximize
Extra rewar
d
Attacking portion
Victim pool’s size Attacker’s
power
17
Other scenarios
• There are other dishonest miners– It’s possibly profitable– Depends on how much the pool is
“contaminated”
• Attacking multiple pools– Attacks as many as possible– Exists the optimal strategy
18
Nash equilibrium
• What is the best strategy for the miner?• Consider two accessible pools
– The dominant strategy is to attack the other
• There is no pure strategy– There is always a better move to win back
P1 P2
BWH from P2
BWH from P1
19
Does attack’s duration matters?
10 BTCs/ 10 mins
11 BTCs/ 12 mins
Does it actually profit?
• Short term• It depends
• Long term• Yes• Difficulty adjusts
11 BTCs/ 10 mins
20
Evaluate our results
● Use “official” Bitcoin client, popular pool mining software– Run on cloud-based Amazon EC2– Burning up to 70,000 CPU core-hours
● Essential to – check the correctness of our result– show our CPS model is faithful
21
Experimental resultsAttacker’s Power
Attack Scenario Reward
25% One pool 25.66%
30% One pool 31.14%
45% One pool 46.9%
25% Multiple pools 26.49%
Relative difference: 1%
22
Discussion on Defenses
• Assign same task to multiple miners• Change pay-off scheme
– pay more to shares which are valid blocks
• Change Bitcoin protocol to support pooled mining natively– Make share become oblivious to miner
• only pool supervisor knows which shares are valid blocks
A cheap and compatible solution to prevent BWH attack is still an open
problem
23
Conclusion
• Security of pool protocols is an open research topic
• Existing pool protocols are vulnerable to BWH attack– Game-based model to understand
incentive structure
• Future work– Defenses– Proof of security
25
Related work
• BWH attack– [Rosen11] Analysis of bitcoin pooled mining reward systems
• Attack is not profitable
– [CoBa14] On subversive miner strategies and block withholding attack in bitcoin digital currency
• Attack does profit, but analysis is incorrect
– [Eyal15] The miner’s dilemma• Arrives at same findings, but from pool perspective• No experimental evaluation• Concurrent work
• Other Bitcoin attacks– [Rosen11]
• Pool hopping, Lie in wait attack
– [EyalSi13] Majority is not enough: Bitcoin mining is vulnerable• Selfish mining attack
26
