Transcript On Power Splitting Games in Distributed Computation: Loi Luu

On Power Splitting Games in
Distributed Computation:
The case of Bitcoin Pooled Mining
Loi Luu, Ratul Saha, Inian Parameshwaran,
Prateek Saxena & Aquinas Hobor
National University of Singapore
Distributed computation
• Solve computationally large problem
– Using resources from multiple users
• Classic distributed computation models
– Volunteer computation
– Parasitic computation
• An emerging model
– Competitive computation: Bitcoin, Cryptocurrency, bug
bounties
Problem
U1
U2
…
Un-1
Un
2
Bitcoin mining
• Bitcoin: the most popular cryptocurrency
– Find next valid Blocks
– Find Nonce s.t.
• SHA256(BlkTemplate || Nonce) has D leading
zero bits
– Eg: 0000000000000000024f37840…
• Requires huge computational power
– >100 millions USD of hardware investment
– Miners have to wait for years!
3
Pooled mining
• Delegation of computational power via pooled
mining
– Pooled supervisor distributes work and reward
– Miners find share
• Find Nonce to have d (<D)
leading zeros
– Eg: 000000123fa…
• Shares are meaningful to pool only
• More than 90% are pool miners
0011X
0010X
0001X
0000X
– Pool miners get frequent reward
Securing Bitcoin pool protocol is important!
4
Problem
• Is Bitcoin pooled mining protocol
secure?
– Miner’s reward
computational power?
– Following the protocol
best outcome?
• Intuitive answer: Yes
– Hash inversion is cryptographically hard
• This work
– Shows an attack to make a million USD per
month
5
Block Withholding Attack
●
A topic of hot debate
–
●
Even from a pool operator
–
●
“Withholding attacks don’t make financial sense
— that’s easy to prove with math...”
“Basically in no way has an accurate model of the
network shown withholding to be more profitable
than legitimate mining...”
Still happen in practice
–
The attack caused a damage of 200, 000 USD to
Eligius pool
Our findings
- The attack does profit the attacker
- Applicable to all cryptocurrencies
6
Contributions
• Study the Bitcoin pooled mining protocol
– Game theoretic approach, i.e. formulate
Bitcoin mining as a game
• Analyze the BWH attack
– The attack is profitable
• Pool protocol is vulnerable
– Empirically evaluate the findings
7
Model
BITCOIN MINING AS A
COMPUTATIONAL POWER SPLITTING GAME
8
Compete to get
25 BTCs
D=4
d=2
Find 0000X
25 BTCs
Free to
distribute power
5 BTCs
9
Bitcoin as a Computational Power Splitting
Game
• N pools
• Player: α
• Player action: Pick =(β0, β1, β2 ,…, βn)
– Use αβ0 to compete independently
– Contribute αβi to pool Pi
– Get reward Ui from pool i
• Player’s goal is to maximize R = åUi
GAME NETWORK
P1
P2
αβ1
αβ0
αβ2
…
Pn-1
Pn
αβi
PLAYER
αβn
10
Case study
BLOCK WITHHOLDING ATTACK
11
Block Withholding Attack
●
●
Only submit “normal” shares
–
Reduces pool’s reward and other miners’ reward
–
Pool has to pay the attacker for his shares
Hard to detect
–
Finding a block is probabilistic
Honest
BWH
0011X
0011Y
0010X
0010Y
0001X
0001Y
0000X
0000Y
12
BWH attack is profitable
• Intuition: Bitcoin is a zero-sum game
– Coins supply is constant
– The loss in the victim pool is picked up by
other pools
BWH attack
+x
+
X
-x
-0.2X
+0.8X
13
Simple example
attacker
BWH attack
5%
Victim pool
75%
20%
25%
75%
Attack Scenario
Honest Scenario
5%
1 pool, α=25%
(β0, β1) = (0.8, 0.2)
αβ0 = 20% αβ1 = 5%
0%
75%
20%
79%
21%
Honest Scenario
Mining
Power
Actual Mining Power Distribution
Reward
Honest
Attack
scenario scenario
Attacker
25%
25%
25.9%
Pool
75%
75%
74.1%
4.9%
21%
74.1%
Actual Reward Distribution
14
Analyze BWH attack using CPS game
• Compute the reward of the attacker
– Before vs after the attack in each pool
– Infer attacking rules
• Consider different scenarios
– Single attacker, single pool
– Single attacker, multiple pools
– Multiple attackers
15
Scenario: single attacker
ab (p - b1 )
DR =
p(1- ab1 )
Victim
Extra
reward
Attacking
portion
1
pool’s size
Attacker’s
power
• It’s always profitable to BWH attack
$b1 < p : D R > 0
• There is a threshold on the attacking power
D R > 0 Û b1 < p
• It’s more profitable to target big pool
• Exists the optimal strategy to maximize D R
16
Other scenarios
• There are other dishonest miners
– It’s possibly profitable
– Depends on how much the pool is
“contaminated”
• Attacking multiple pools
– Attacks as many as possible
– Exists the optimal strategy
17
Nash equilibrium
• What is the best strategy for the miner?
• Consider two accessible pools
– The dominant strategy is to attack the other
• There is no pure strategy
– There is always a better move to win back
BWH
from P1
BWH
from P2
P1
P2
18
Does attack’s duration matters?
Does it actually
profit?
1111BTCs/
BTCs/1210mins
mins
10 BTCs/ 10 mins
• Short term
• It depends
• Long term
• Yes
• Difficulty adjusts
19
Evaluate our results
●
●
Use “official” Bitcoin client, popular pool
mining software
–
Run on cloud-based Amazon EC2
–
Burning up to 70,000 CPU core-hours
Essential to
–
check the correctness of our result
–
show our CPS model is faithful
20
Experimental results
Attacker’s
Power
Attack Scenario
Reward
25%
One pool
25.66%
30%
One pool
31.14%
45%
One pool
46.9%
25%
Multiple pools
26.49%
Relative difference: 1%
100%
90%
0
0
0
0.1
0
0
0
0
0.09
0.08
0.15
0.14
0
Unknown
28%
0.20
70%
60%
0
0.1
0.09
0.08
50%
40%
26%
0.08
0.07
0.13
24%
0
0.2
30%
0.18
0.17
0.15
0.14
A acker Reward
Propo on of mining power
80%
30%
KNC
Ghash
Discus
Fish
A acker
0.13
20%
22%
Reward
1
10%
0.6
0.64
0.67
0.62
0.64
0.53
0%
20%
Before
a ack
1st
change
2nd
3rd
4th
5th
change change change change
6th
change
21
Discussion on Defenses
• Assign same task to multiple miners
• Change pay-off scheme
– pay more to shares which are valid blocks
• Change Bitcoin protocol to support
pooled mining natively
– Make share become oblivious to miner
• only pool supervisor knows which shares are
A cheap
and compatible solution to prevent
valid blocks
BWH attack is still an open problem
22
Conclusion
• Security of pool protocols is an open
research topic
• Existing pool protocols are vulnerable to
BWH attack
– Game-based model to understand incentive
structure
• Future work
– Defenses
– Proof of security
23
Thank you
Q&A
Email: [email protected]
BTC
LTC
24
Related work
• BWH attack
– [Rosen11] Analysis of bitcoin pooled mining reward systems
• Attack is not profitable
– [CoBa14] On subversive miner strategies and block
withholding attack in bitcoin digital currency
• Attack does profit, but analysis is incorrect
– [Eyal15] The miner’s dilemma
• Arrives at same findings, but from pool perspective
• No experimental evaluation
• Concurrent work
• Other Bitcoin attacks
– [Rosen11]
• Pool hopping, Lie in wait attack
– [EyalSi13] Majority is not enough: Bitcoin mining is vulnerable
• Selfish mining attack
25
26