Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks...
Transcript of Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks...
![Page 1: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/1.jpg)
Attacks on Mining Protocol
1
Yujin Kwon
KAIST
2018.03.22
![Page 2: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/2.jpg)
Cryptocurrencies
![Page 3: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/3.jpg)
Cryptocurrencies
Increase!
![Page 4: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/4.jpg)
Cryptocurrencies
1 BTC≈ $8.5K1 ETH≈ $180
Increase!
![Page 5: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/5.jpg)
Proof-of-Work Mining
They use blockchain to run without a trusted third party.
Miners generate blocks by spending their computational power.
If a miner generates a valid block, he earns reward for the block.
This process is competitive.
12.5 BTC
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
Miner
![Page 6: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/6.jpg)
Proof-of-Work Mining Problem
– Miners must solve cryptographic
problems to generate a valid block.
– What is the valid nonce such that
𝐻(𝑐𝑜𝑛𝑡𝑒𝑛𝑡𝑠| 𝑛𝑜𝑛𝑐𝑒 < TARGET𝐹 ?
– 𝐻(∙) is a hash function based on
SHA-256 in Bitcoin.
Nonce
![Page 7: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/7.jpg)
Step (Miner)
New transactions are broadcast to all nodes.
Each node collects new transactions into a block.
Each node works on finding a difficult proof-of-work for its block.
When a node finds a proof-of-work, it broadcasts the block to all nodes.
Nodes express their acceptance of the block by working on creating the
next chain, using the hash of the accepted block as the previous hash.
![Page 8: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/8.jpg)
Forks
![Page 9: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/9.jpg)
Forks
![Page 10: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/10.jpg)
Forks
![Page 11: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/11.jpg)
Forks
![Page 12: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/12.jpg)
Forks
![Page 13: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/13.jpg)
Forks
Only one head is accepted as a valid one among heads.
An attacker can generate forks intentionally by holding his found
block for a while.
![Page 14: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/14.jpg)
Forks
Only one head is accepted as a valid one among heads.
An attacker can generate forks intentionally by holding his found
block for a while.
![Page 15: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/15.jpg)
Mining Difficulty
Time
Dif
ficu
lty
Increase!
From “https://blockchain.info”
![Page 16: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/16.jpg)
Mining Pool
AntPool
23%
F2Pool
11%
BitFury
11%BTCC
11%
Slush
7%
BW.COM
7%
BTC.COM
7%
Others
23%
Miners organize pools and prefer to mine together to reduce the variance of reward.
Currently, major players are pools.
Bitcoin Ethereum Litecoin
Ethpool
27%
F2Pool
23%nano
11%
MPH
10%
Ethfans
8%
Others
21%AntPool
30%
F2Pool
30%
LTC.top
10%
ViaBTC
10%
BW.COM
6%
Litecoin
6%
Others
8%
![Page 17: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/17.jpg)
Mining Pool
Workers
1. Give the problem.
Pool
manager
PPoW:𝐻(𝑐𝑜𝑛𝑡𝑒𝑛𝑡𝑠| 𝑛𝑜𝑛𝑐𝑒 < target𝑃 ?
FPoW:𝐻(𝑐𝑜𝑛𝑡𝑒𝑛𝑡𝑠| 𝑛𝑜𝑛𝑐𝑒 < TARGET𝐹 ?
(target𝑃 ≫ TARGET𝐹)
![Page 18: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/18.jpg)
Mining Pool
Workers
Pool
manager
2. Submit shares.
463125
352432
PPoW
FPoW
![Page 19: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/19.jpg)
Mining Pool
Workers
Pool
manager
3. Pay the reward.
![Page 20: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/20.jpg)
Several Mining Attacks The 51 % Attack
“The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries”, WEIS 2013
Selfish mining
– Generate forks intentionally
“Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014
Block withholding (BWH) attack
– Exploit the pools’ protocol
“The Miner’s Dilemma”, IEEE S&P 2015
“On Power Splitting Games in Distributed Computation: The Case of Bitcoin Pooled Mining”, CSF 2016
Fork after withholding (FAW) attack
– Generate forks intentionally through pools
“Be Selfish and Avoid Dilemmas: Fork After Withholding (FAW) Attacks on Bitcoin”, ACM CCS 2017
![Page 21: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/21.jpg)
Selfish Mining
21
![Page 22: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/22.jpg)
Selfish MiningForks
– Due to the nonzero block propagation delay, nodes can have different views.
– When a fork occurs, only one block becomes valid.
(N-1)-th Block
(N+1)-th Block
N-th Block
(N+1)-th Block
Fork
Which of two blocks
should I choose as a main
chain?
![Page 23: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/23.jpg)
Selfish Mining Generate intentional forks adaptively.
– An attacker finds a valid block and propagates the block when another block
is found by an honest node.
Force the honest miners into wasting victims’ computations on the stale
public branch.
![Page 24: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/24.jpg)
Selfish Mining
𝛾: An attacker’s network
capability
When an attacker
possesses more than 33%
computational power,
the attacker can always
earn extra rewards.
![Page 25: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/25.jpg)
Selfish Mining
![Page 26: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/26.jpg)
Selfish Mining
Impractical!
![Page 27: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/27.jpg)
Impractical The value of γ cannot be 1 because when the intentional fork occurs, the
honest miner who generated a block will select his block, not that of the
selfish miner.
Honest miners can easily detect that their pool manager is a selfish mining
attacker.
– If the manager does not propagate blocks immediately when honest miners
generate FPoWs, the honest miners will know that their pool manager is an
attacker.
– The blockchain has an abnormal shape when a selfish miner exists.
![Page 28: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/28.jpg)
Block Withholding Attack
28
![Page 29: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/29.jpg)
Block Withholding (BWH) Attack
An Attacker
Pool
manager
Submit only PPoWs.
463125
352432
Withhold
![Page 30: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/30.jpg)
Block Withholding (BWH) Attack An attacker joins the victim pool.
She should split her computational power into solo mining and malicious
pool mining (BWH attack).
She receives unearned wages while only pretending to contribute work to the
pool.
Solo PoolBWH
AttackMining
Attacker
![Page 31: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/31.jpg)
Block Withholding (BWH) Attack
![Page 32: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/32.jpg)
Result
Infiltration mining power Attacker relative reward Victim relative reward
The BWH attack is always profitable.
![Page 33: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/33.jpg)
The Miners’ dilemma (S&P 2015) Pools can launch the BWH attack each other through infiltration.
Pool 1 Pool 2
Infiltration from
Pool 1 into Pool 2
Infiltration from
Pool 2 into Pool 1
![Page 34: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/34.jpg)
Result
When they execute the BWH attack each other, both of them make a loss.
![Page 35: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/35.jpg)
The Miners’ dilemma (S&P 2015)
The equilibrium reward of the pool is inferior compared to the no-attack scenario.
The fact that the BWH attack is not common may be explained.
From “The Miner’s Dilemma”
![Page 36: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/36.jpg)
Fork After Withholding Attack
36
![Page 37: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/37.jpg)
FAW Attack Against One Pool
Target pool
Pool Solo
Mining
Submit an FPoW to the pool only
if others generate another block.
Otherwise, throw away her FPoW.
Attacker
Others
![Page 38: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/38.jpg)
FAW Attack Against One Pool
Target pool
Pool Solo
Mining
Attacker
OthersAn attacker generates forks intentionally through a pool!
Submit an FPoW to the pool only
if others generate another block.
Otherwise, throw away her FPoW.
![Page 39: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/39.jpg)
FAW vs BWHCase 1) When an attacker finds an FPoW through solo mining…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
FAW/ BWH
Attacker
Victim Others
![Page 40: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/40.jpg)
FAW vs BWHCase 1) When an attacker finds an FPoW through solo mining…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
FAW/ BWH
Attacker
The attacker earns the block reward.
Victim Others
![Page 41: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/41.jpg)
FAW vs BWHCase 2) When an honest miner in the victim pool finds an FPoW…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
FAW/ BWH
Attacker
Victim Others
![Page 42: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/42.jpg)
FAW vs BWHCase 2) When an honest miner in the victim pool finds an FPoW…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
The victim earns the block reward and
shares the reward with the attacker.
FAW/ BWH
Attacker
Victim Others
![Page 43: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/43.jpg)
FAW vs BWHCase 3) When only others find an FPoW…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
FAW/ BWH
Attacker
Victim Others
![Page 44: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/44.jpg)
FAW vs BWHCase 3) When only others find an FPoW…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
Others earn the block reward.
FAW/ BWH
Attacker
Victim Others
![Page 45: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/45.jpg)
FAW vs BWHCase 4) When the attacker finds an FPoW in the victim pool,
and others also find another FPoW…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
BWH
Attacker
Victim Others
![Page 46: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/46.jpg)
BWH
Attacker
FAW vs BWHCase 4) When the attacker finds an FPoW in the victim pool,
and others also find another FPoW…
Blockchain
New Block(N-1)-th Block N-th Block (N+1)-th Block
Others earn the block reward.
Victim Others
![Page 47: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/47.jpg)
FAW vs BWHCase 4) When the attacker finds an FPoW in the victim pool,
and others also find another FPoW…
Blockchain
Attacker’s
New Block
(N-1)-th Block N-th Block
Others’
New Block
(N+1)-th Block
FAW
Attacker
Victim Others
![Page 48: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/48.jpg)
FAW vs BWHCase 4) When the attacker find an FPoW in the victim pool,
and others also find another FPoW…
Blockchain
Attacker’s
New Block
(N-1)-th Block N-th Block
If others’ block is selected as the main chain,
others earn the block reward.
Others’
New Block
(N+1)-th Block
FAW
Attacker
Victim Others
![Page 49: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/49.jpg)
FAW vs BWHCase 4) When the attacker find an FPoW in the victim pool,
and others also find another FPoW…
Blockchain
Attacker’s
New Block
(N-1)-th Block N-th Block
If the attacker’s block is selected as the main
chain, the victim earns the block reward and
shares the reward with the attacker.
Others’
New Block
(N+1)-th Block
FAW
Attacker
Victim Others
![Page 50: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/50.jpg)
FAW vs BWHCase 4) When the attacker find an FPoW in the victim pool,
and others also find another FPoW…
Blockchain
Attacker’s
New Block
(N-1)-th Block N-th Block
To increase the probability to win this race,
the attacker can plant many Sybil nodes in
the Bitcoin network.
Others’
New Block
(N+1)-th Block
FAW
Attacker
Victim Others
![Page 51: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/51.jpg)
FAW vs BWH The FAW Attack The BWH Attack
![Page 52: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/52.jpg)
FAW vs BWH The FAW Attack The BWH Attack
![Page 53: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/53.jpg)
FAW vs BWH
Attacker Victim Others
FAW
BWH
![Page 54: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/54.jpg)
Numerical Analysis An attacker possesses 20% power (0.2).
A variable 𝑐 represents a probability that an attacker’s FPoW will be
selected as the main chain.
Attacker Victim
Always positive Always negative
![Page 55: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/55.jpg)
Numerical Analysis
The case is
equivalent to
the case of the
BWH attack.
IncreasingAn attacker’s power
We can see that the FAW attack is more profitable than the BWH attack numerically.
𝒄 𝜶 0.1 0.2 0.3 0.4
0 0.53 (%) 1.14 (%) 1.85 (%) 2.7 (%)
0.25 0.65 (%) 1.38 (%) 2.2 (%) 3.1 (%)
0.5 0.85 (%) 1.74 (%) 2.7 (%) 3.75 (%)
0.75 1.21 (%) 2.37 (%) 3.52 (%) 4.69 (%)
1 2.12 (%) 3.75 (%) 5.13 (%) 6.37 (%)Increasing
![Page 56: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/56.jpg)
FAW Attack Against Multiple Pools
56
Pool 1
Pool 3
Pool 2Solo
Target pool 1
Others
Submit FPoWs to pools only if
others propagate a block.
Otherwise, throw her FPoWs.
MiningTarget pool 2
Target pool 3
Attacker
![Page 57: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/57.jpg)
FAW Attack Against Two Pools When the attacker finds an FPoW in
each of pools, a fork with three branches
occurs.
In general, when 𝑛 pools are targeted, a
fork with 𝑛 + 1 branches can occur.
When considering the power
distribution, the attacker can earn the
extra reward 56% more than the BWH
attacker.
![Page 58: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/58.jpg)
FAW Attack Game Pools can launch the FAW attack each other through infiltration.
Pool 1 Pool 2
Infiltration from
Pool 1 to Pool 2
Infiltration from
Pool 2 to Pool 1
![Page 59: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/59.jpg)
Dilemma? Not Always
Pool 1 possesses 0.2 computational power.
The bigger pool can earn the extra reward unlike the miner’s dilemma.
Pool 1 Pool 2
Pool 1 can earn
the extra reward
in the Nash
equilibrium.
Pool 2 can earn
the extra reward
in the Nash
equilibrium.
![Page 60: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/60.jpg)
Break Dilemma
Pool 1 can earn the extra
reward in Nash equilibrium.
FAW attacks between two pools lead to a pool size game: the larger pool can
always earn the extra reward.
![Page 61: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/61.jpg)
Detection of FAW Attack The FAW attack causes high fork rate.
The FAW attacker leaves a trace of the only victim pools’ identities but not the
attacker’s identity unlike selfish mining.
The manager can identify the miner who submits the FPoW causing the fork.
The FAW attacker can use many Sybil nodes in the victim pool.
The FAW attacker can make the detection useless.
![Page 62: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/62.jpg)
No Silver Bullet New reward systems for mining pools
– High variance of rewards
Change Bitcoin protocol
– Two-phase proof-of-work
– Not backward compatibility
There is no one silver bullet.
![Page 63: Attacks on Mining Protocol - SysSecyongdaek/courses/ee515/... · Selfish mining – Generate forks intentionally “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014](https://reader034.fdocuments.us/reader034/viewer/2022050210/5f5d09f34744bc372b368806/html5/thumbnails/63.jpg)
Conclusion Currently, the most main coins have the proof-of-work mechanism.
The proof-of-work mechanism is vulnerable to several attacks.
There are still open problems.