1 / 26

On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining

This study analyzes the security of Bitcoin pooled mining protocol and the profitability of Block Withholding Attack (BWH). Game theoretic approach is used to model Bitcoin mining as a computational power splitting game. The findings show that BWH attack is profitable and the pool protocol is vulnerable.

bfreeman
Download Presentation

On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining LoiLuu, RatulSaha, InianParameshwaran, PrateekSaxena & Aquinas Hobor National University of Singapore

  2. Distributed computation • Solve computationally large problem • Using resources from multiple users • Classic distributed computation models • Volunteer computation • Parasitic computation • An emerging model • Competitive computation: Bitcoin, Cryptocurrency, bug bounties Problem U1 U2 Un … Un-1

  3. Bitcoin mining • Bitcoin: the most popular cryptocurrency • Find next valid Blocks • Find Nonces.t. • SHA256(BlkTemplate || Nonce) has D leading zero bits • Eg: 0000000000000000024f37840… • Requires huge computational power • >100 millions USD of hardware investment • Miners have to wait for years!

  4. Pooled mining • Delegation of computational power via pooled mining • Pooled supervisor distributes work and reward • Miners find share • Find Nonce to have d (<D) leading zeros • Eg: 000000123fa… • Shares are meaningful to pool only • More than 90% are pool miners • Pool miners get frequent reward 0011X 0010X 0001X 0000X Securing Bitcoin pool protocol is important!

  5. Problem • Is Bitcoin pooled mining protocol secure? • Miner’s reward computational power? • Following the protocol best outcome? • Intuitive answer: Yes • Hash inversion is cryptographically hard • This work • Shows an attack to make a million USD per month

  6. Block Withholding Attack A topic of hot debate “Withholding attacks don’t make financial sense — that’s easy to prove with math...” Even from a pool operator “Basically in no way has an accurate model of the network shown withholding to be more profitable than legitimate mining...” Still happen in practice The attack caused a damage of 200, 000 USD to Eligiuspool • Our findings • The attack does profit the attacker • Applicable to all cryptocurrencies

  7. Contributions • Study the Bitcoin pooled mining protocol • Game theoretic approach, i.e. formulate Bitcoin mining as a game • Analyze the BWH attack • The attack is profitable • Pool protocol is vulnerable • Empirically evaluate the findings

  8. Model Bitcoin mining as aComputational power splitting game

  9. D=4 d=2 Compete to get 25 BTCs Find 0000X 25 BTCs Find 0000X Find 0000X 25 BTCs 25 BTCs Find 00Y Find 00Y 5 BTCs 5 BTCs Free to distribute power

  10. Bitcoin as a Computational Power Splitting Game • Player action: Pick =(β0, β1, β2 ,…, βn) • Use αβ0 to compete independently • Contribute αβi to pool Pi • Get reward Ui from pool i • Player’s goal is to maximize • N pools • Player: α GAME NETWORK P1 Pn P2 … Pn-1 αβ0 αβ2 αβi αβ1 αβn PLAYER

  11. Case study Block Withholding attack

  12. Block Withholding Attack Only submit “normal” shares Reduces pool’s reward and other miners’ reward Pool has to pay the attacker for his shares Hard to detect Finding a block is probabilistic Honest BWH 0011X 0011Y 0010X 0010Y 0001X 0001Y 0000X 0000Y

  13. BWH attack is profitable • Intuition: Bitcoin is a zero-sum game • Coins supply is constant • The loss in the victim pool is picked up by other pools BWH attack +x -x +X -0.2X +0.8X

  14. Simple example BWH attack 5% 5% Victim pool attacker Attack Scenario Honest Scenario Honest Scenario 75% 75% 75% 20% 20% 25% (β0, β1) = (0.8, 0.2) αβ0 = 20% αβ1 = 5% 0% 1 pool, α=25% 21% 79% Actual Mining Power Distribution 4.9% 21% 74.1% Actual Reward Distribution

  15. Analyze BWH attack using CPS game • Compute the reward of the attacker • Before vs after the attack in each pool • Infer attacking rules • Consider different scenarios • Single attacker, single pool • Single attacker, multiple pools • Multiple attackers

  16. Scenario: single attacker Attacking portion Extra reward • It’s always profitable to BWH attack • There is a threshold on the attacking power • It’s more profitable to target big pool • Exists the optimal strategy to maximize Victim pool’s size Attacker’s power

  17. Other scenarios • There are other dishonest miners • It’s possibly profitable • Depends on how much the pool is “contaminated” • Attacking multiple pools • Attacks as many as possible • Exists the optimal strategy

  18. Nash equilibrium • What is the best strategy for the miner? • Consider two accessible pools • The dominant strategy is to attack the other • There is no pure strategy • There is always a better move to win back BWH from P1 BWH from P2 P1 P2

  19. Does attack’s duration matters? Does it actually profit? 11 BTCs/ 12 mins 10 BTCs/ 10 mins 11 BTCs/ 10 mins • Short term • It depends • Long term • Yes • Difficulty adjusts

  20. Evaluate our results Use “official” Bitcoin client, popular pool mining software Run on cloud-based Amazon EC2 Burning up to 70,000 CPU core-hours Essential to check the correctness of our result show our CPS model is faithful

  21. Experimental results Relative difference: 1%

  22. Discussion on Defenses • Assign same task to multiple miners • Change pay-off scheme • pay more to shares which are valid blocks • Change Bitcoin protocol to support pooled mining natively • Make share become oblivious to miner • only pool supervisor knows which shares are valid blocks A cheap and compatible solution to prevent BWH attack is still an open problem

  23. Conclusion • Security of pool protocols is an open research topic • Existing pool protocols are vulnerable to BWH attack • Game-based model to understand incentive structure • Future work • Defenses • Proof of security

  24. Thank you Q&A Email: loiluu@comp.nus.edu.sg BTC LTC

  25. Related work • BWH attack • [Rosen11] Analysis of bitcoin pooled mining reward systems • Attack is not profitable • [CoBa14] On subversive miner strategies and block withholding attack in bitcoin digital currency • Attack does profit, but analysis is incorrect • [Eyal15] The miner’s dilemma • Arrives at same findings, but from pool perspective • No experimental evaluation • Concurrent work • Other Bitcoin attacks • [Rosen11] • Pool hopping, Lie in wait attack • [EyalSi13] Majority is not enough: Bitcoin mining is vulnerable • Selfish mining attack

More Related