On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas Hobor National University of Singapore

Distributed computation Solve computationally large problem – Using resources from multiple users Classic distributed computation models – Volunteer computation – Parasitic computation An emerging model – Competitive computation: Bitcoin, Cryptocurrency, bug bounties 2 Problem U1U1 U1U1 U2U2 U2U2 … … U n-1 UnUn UnUn

Bitcoin mining Bitcoin: the most popular cryptocurrency – Find next valid Blocks – Find Nonce s.t. SHA256(BlkTemplate || Nonce) has D leading zero bits – Eg: f37840… Requires huge computational power – >100 millions USD of hardware investment – Miners have to wait for years! 3

Pooled mining Delegation of computational power via pooled mining – Pooled supervisor distributes work and reward – Miners find share Find Nonce to have d (<D) leading zeros – Eg: fa… Shares are meaningful to pool only More than 90% are pool miners – Pool miners get frequent reward 4 Securing Bitcoin pool protocol is important! 0010X 0001X 0011X 0000X

Is Bitcoin pooled mining protocol secure? – Miner’s reward computational power? – Following the protocol best outcome? Intuitive answer: Yes – Hash inversion is cryptographically hard This work – Shows an attack to make a million USD per month Problem 5

Block Withholding Attack ● A topic of hot debate – “Withholding attacks don’t make financial sense — that’s easy to prove with math...” ● Even from a pool operator – “Basically in no way has an accurate model of the network shown withholding to be more profitable than legitimate mining...” ● Still happen in practice – The attack caused a damage of 200, 000 USD to Eligius poola damage of 200, 000 USD 6 Our findings -The attack does profit the attacker -Applicable to all cryptocurrencies Our findings -The attack does profit the attacker -Applicable to all cryptocurrencies

Contributions Study the Bitcoin pooled mining protocol – Game theoretic approach, i.e. formulate Bitcoin mining as a game Analyze the BWH attack – The attack is profitable Pool protocol is vulnerable – Empirically evaluate the findings 7

BITCOIN MINING AS A COMPUTATIONAL POWER SPLITTING GAME Model 8

Find 0000X 25 BTCs Find 0000X 25 BTCs Find 0000X 25 BTCs 5 BTCs Find 00Y 9 D=4 d=2 D=4 d=2 Find 00Y 5 BTCs Compete to get 25 BTCs Free to distribute power

Player action: Pick =( β 0, β 1, β 2,…, β n ) – Use αβ 0 to compete independently – Contribute αβ i to pool P i – Get reward U i from pool i Player’s goal is to maximize Bitcoin as a Computational Power Splitting Game N pools Player: α GAME NETWORK PLAYER αβ 0 P1P1 P1P1 αβ 1 P2P2 P2P2 αβ 2 … … αβ n P n-1 αβ i PnPn PnPn 10

BLOCK WITHHOLDING ATTACK Case study 11

Block Withholding Attack ● Only submit “normal” shares – Reduces pool’s reward and other miners’ reward – Pool has to pay the attacker for his shares ● Hard to detect – Finding a block is probabilistic X 0001X Honest 0011X 0000X 0010Y 0001Y BWH 0011Y 0000Y

BWH attack is profitable Intuition: Bitcoin is a zero-sum game – Coins supply is constant – The loss in the victim pool is picked up by other pools 13 +x -x BWH attack +X+X -0.2X +0.8X

Simple example 25% 75% Honest Scenario Mining Power Reward Honest scenario Attack scenario Attacker25% 25.9% Pool75% 74.1% 20% 75% Attack Scenario 5% 21% 79% Actual Mining Power Distribution 0% 21% 74.1% Actual Reward Distribution 4.9% attacker Victim pool BWH attack 14 1 pool, α =25% (β 0, β 1 ) = (0.8, 0.2) αβ 0 = 20% αβ 1 = 5% 20% 75% Honest Scenario 5%

Analyze BWH attack using CPS game Compute the reward of the attacker – Before vs after the attack in each pool – Infer attacking rules Consider different scenarios – Single attacker, single pool – Single attacker, multiple pools – Multiple attackers 15

Scenario: single attacker It’s always profitable to BWH attack There is a threshold on the attacking power It’s more profitable to target big pool Exists the optimal strategy to maximize 16 Extra reward Attacking portion Victim pool’s size Attacker’s power

Other scenarios There are other dishonest miners – It’s possibly profitable – Depends on how much the pool is “contaminated” Attacking multiple pools – Attacks as many as possible – Exists the optimal strategy 17

Nash equilibrium What is the best strategy for the miner? Consider two accessible pools – The dominant strategy is to attack the other There is no pure strategy – There is always a better move to win back 18 P1 P2 BWH from P2 BWH from P1

Does attack’s duration matters? BTCs/ 10 mins 11 BTCs/ 12 mins Does it actually profit? Short term It depends Long term Yes Difficulty adjusts 11 BTCs/ 10 mins

Evaluate our results ● Use “official” Bitcoin client, popular pool mining software – Run on cloud-based Amazon EC2 – Burning up to 70,000 CPU core-hours ● Essential to – check the correctness of our result – show our CPS model is faithful 20

Experimental results 21 Relative difference: 1%

Discussion on Defenses Assign same task to multiple miners Change pay-off scheme – pay more to shares which are valid blocks Change Bitcoin protocol to support pooled mining natively – Make share become oblivious to miner only pool supervisor knows which shares are valid blocks 22 A cheap and compatible solution to prevent BWH attack is still an open problem

Conclusion Security of pool protocols is an open research topic Existing pool protocols are vulnerable to BWH attack – Game-based model to understand incentive structure Future work – Defenses – Proof of security 23

Thank you Q&A 24 LTCBTC

Related work BWH attack – [Rosen11] Analysis of bitcoin pooled mining reward systems Attack is not profitable – [CoBa14] On subversive miner strategies and block withholding attack in bitcoin digital currency Attack does profit, but analysis is incorrect – [Eyal15] The miner’s dilemma Arrives at same findings, but from pool perspective No experimental evaluation Concurrent work Other Bitcoin attacks – [Rosen11] Pool hopping, Lie in wait attack – [EyalSi13] Majority is not enough: Bitcoin mining is vulnerable Selfish mining attack 25

26