Attacks on Mining Protocol Yujin Kwon KAIST 2018.03.22
Cryptocurrencies Increase! 1 BTC ≈ $8.5K 1 ETH ≈ $180
Proof-of-Work Mining They use blockchain to run without a trusted third party. Miners generate blocks by spending their computational power. If a miner generates a valid block, he earns the reward for the block. This process is competitive. [Figure: a miner adds a new block to the blockchain after the (N-1)-th, N-th and (N+1)-th blocks; reward label: 12.5 BTC]
Proof-of-Work Mining [Figure labels: Problem, Nonce] – Miners must solve cryptographic problems to generate a valid block. – What is the valid nonce such that $H(\mathrm{contents} \mid \mathrm{nonce}) < \mathrm{TARGET}_F$? – $H(\cdot)$ is a hash function based on SHA-256 in Bitcoin.
Step (Miner) New transactions are broadcast to all nodes. Each node collects new transactions into a block. Each node works on finding a difficult proof-of-work for its block. When a node finds a proof-of-work, it broadcasts the block to all nodes. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
Forks Only one head is accepted as a valid one among heads. An attacker can generate forks intentionally by holding his found block for a while.
Mining Difficulty Increase! [Figure: mining difficulty over time; axes: Time, Difficulty. From “https://blockchain.info”]
Mining Pool [Figure: pie charts of mining pool shares; panels: Ethereum, Litecoin, Bitcoin] Miners organize pools and prefer to mine together to reduce the variance of reward. Currently, major players are pools.
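Mining Pool 1. Give the problem. PPoW: $H(\mathrm{contents} \mid \mathrm{nonce}) < \mathrm{target}_P$? FPoW: $H(\mathrm{contents} \mid \mathrm{nonce}) < \mathrm{TARGET}_F$? ($\mathrm{target}_P \gg \mathrm{TARGET}_F$) [Figure: pool manager and workers]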
Mining Pool 2. Submit shares. [Figure: workers send shares (example values 463, 125, 352, 432; labels PPoW, FPoW) to the pool manager]
Mining Pool Pool manager 3. Pay the reward. Workers
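The three pool steps above as a runnable toy, added here as an example and not taken from the slides or from any pool's software. The targets, the 8-byte nonce encoding, the single SHA-256 pass and all function names are assumptions chosen so that it runs in a moment. The last function gives the manager a statistical check on a worker who submits many shares but never an FPoW.

```python
import hashlib

# Constructed toy targets (assumptions); real Bitcoin targets are far smaller.
TARGET_P = 2**256 // 16      # share target given to workers (PPoW)
TARGET_F = 2**256 // 1024    # block target (FPoW); TARGET_P >> TARGET_F

def H(contents: bytes, nonce: int) -> int:
    """Toy H(contents | nonce): one SHA-256 pass read as a 256-bit integer."""
    data = contents + nonce.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def classify(h: int):
    """Manager-side check of one submitted hash value."""
    if h < TARGET_F:
        return "FPoW"    # valid block; it also counts as a share
    if h < TARGET_P:
        return "PPoW"    # share only
    return None          # not a share: rejected

def work(contents: bytes, nonces) -> list:
    """Worker, step 2: return every nonce that meets the share target."""
    return [n for n in nonces if H(contents, n) < TARGET_P]

def tally(contents: bytes, submissions: dict) -> dict:
    """Manager: re-hash each submission, count shares and FPoWs per worker."""
    stats = {}
    for worker, nonces in submissions.items():
        kinds = [classify(H(contents, n)) for n in set(nonces)]  # drop replays
        stats[worker] = {"shares": sum(k is not None for k in kinds),
                         "fpow": sum(k == "FPoW" for k in kinds)}
    return stats

def payout(stats: dict, reward: float) -> dict:
    """Manager, step 3: split the reward in proportion to verified shares."""
    total = sum(s["shares"] for s in stats.values()) or 1
    return {w: reward * s["shares"] / total for w, s in stats.items()}

def p_no_fpow(shares: int) -> float:
    """Chance that `shares` honestly mined shares contain no FPoW at all."""
    return (1 - TARGET_F / TARGET_P) ** shares

if __name__ == "__main__":
    job = b"constructed block contents"
    subs = {"w1": work(job, range(0, 3000)), "w2": work(job, range(3000, 4000))}
    stats = tally(job, subs)
    print(stats, payout(stats, 12.5), p_no_fpow(stats["w1"]["shares"]))
```

With these toy targets one share in 64 is expected to be an FPoW, so a worker with several hundred verified shares and no FPoW is already a statistical outlier.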
Several Mining Attacks
The 51% Attack: “The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries”, WEIS 2013
Selfish mining – Generate forks intentionally: “Majority Is Not Enough: Bitcoin Mining Is Vulnerable”, FC 2014
Block withholding (BWH) attack – Exploit the pools’ protocol: “The Miner’s Dilemma”, IEEE S&P 2015; “On Power Splitting Games in Distributed Computation: The Case of Bitcoin Pooled Mining”, CSF 2016
Fork after withholding (FAW) attack – Generate forks intentionally through pools: “Be Selfish and Avoid Dilemmas: Fork After Withholding (FAW) Attacks on Bitcoin”, ACM CCS 2017
Selfish Mining
Selfish Mining Forks – Due to the nonzero block propagation delay, nodes can have different views. – When a fork occurs, only one block becomes valid. Which of two blocks should I choose as a main chain? [Figure: fork after the (N-1)-th and N-th blocks, with two competing (N+1)-th blocks]
Selfish Mining Generate intentional forks adaptively. – An attacker finds a valid block and propagates the block when another block is found by an honest node. Force the honest miners into wasting their computations on the stale public branch.
Selfish Mining γ: An attacker’s network capability. When an attacker possesses more than 33% computational power, the attacker can always earn extra rewards.
Selfish Mining Impractical!
Impractical The value of γ cannot be 1 because when the intentional fork occurs, the honest miner who generated a block will select his block, not that of the selfish miner. Honest miners can easily detect that their pool manager is a selfish mining attacker. – If the manager does not propagate blocks immediately when honest miners generate FPoWs, the honest miners will know that their pool manager is an attacker. – The blockchain has an abnormal shape when a selfish miner exists.
Block Withholding Attack
Block Withholding (BWH) Attack Submit only PPoWs. [Figure: an attacker sends shares (example values 463, 125, 352, 432) to the pool manager; one is marked “Withhold”]
Block Withholding (BWH) Attack An attacker joins the victim pool. She should split her computational power into solo mining and malicious pool mining (BWH attack). She receives unearned wages while only pretending to contribute work to the pool. [Figure: the attacker splits her power between solo mining and a BWH attack on the pool]
Result [Figure: attacker relative reward and victim relative reward plotted against infiltration mining power] The BWH attack is always profitable.
The Miner’s Dilemma (S&P 2015) Pools can launch the BWH attack against each other through infiltration. [Figure: Pool 1 and Pool 2, with infiltration from Pool 1 into Pool 2 and from Pool 2 into Pool 1]
Result When they execute the BWH attack against each other, both of them make a loss.
The Miner’s Dilemma (S&P 2015) [Figure from “The Miner’s Dilemma”] The equilibrium reward of the pool is inferior compared to the no-attack scenario. The fact that the BWH attack is not common may be explained.
Fork After Withholding Attack
FAW Attack Against One Pool Submit an FPoW to the pool only if others generate another block. Otherwise, throw away her FPoW. An attacker generates forks intentionally through a pool! [Figure: the attacker splits her power between solo mining and the target pool; others mine outside the pool]
FAW vs BWH Case 1) When an attacker finds an FPoW through solo mining… FAW/BWH: The attacker earns the block reward. [Figure: blockchain with (N-1)-th, N-th and (N+1)-th blocks and a new block; parties: Attacker, Victim, Others]
FAW vs BWH Case 2) When an honest miner in the victim pool finds an FPoW… FAW/BWH: The victim earns the block reward and shares the reward with the attacker. [Figure: blockchain with (N-1)-th, N-th and (N+1)-th blocks and a new block; parties: Attacker, Victim, Others]
FAW vs BWH Case 3) When only others find an FPoW… FAW/BWH: Others earn the block reward. [Figure: blockchain with (N-1)-th, N-th and (N+1)-th blocks and a new block; parties: Attacker, Victim, Others]
FAW vs BWH Case 4) When the attacker finds an FPoW in the victim pool, and others also find another FPoW… BWH: Others earn the block reward. [Figure: blockchain with (N-1)-th, N-th and (N+1)-th blocks and a new block; parties: Attacker, Victim, Others]
FAW vs BWH Case 4) When the attacker finds an FPoW in the victim pool, and others also find another FPoW… FAW: [Figure: after the N-th block the chain forks into “Attacker’s New Block” and “Others’ New Block”; parties: Attacker, Victim, Others]
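The four cases above, and the BWH result slides before them, as a reward-accounting model that shows how much the victim pool's honest miners lose. This is an added example, not code or notation from the slides. It assumes total mining power normalised to 1, alpha for the attacker's power, beta for the victim pool's honest power, tau for the fraction of alpha placed in the pool, c for the chance that the pool's block wins an intentional fork, and pool rewards split in proportion to shares.

```python
import random

def closed_form(alpha, beta, tau, c=0.0):
    """Expected relative rewards: (attacker, honest miners of the victim pool).
    c = 0 models BWH; c > 0 models FAW, c = chance the pool's fork block wins."""
    inf = tau * alpha                          # power spent inside the pool
    share = inf / (beta + inf)                 # attacker's fraction of pool shares
    solo = (1 - tau) * alpha / (1 - inf)       # case 1
    pool = (beta + c * inf * (1 - alpha - beta)) / (1 - inf)  # case 2 + FAW case 4
    return solo + pool * share, pool * (1 - share)

def simulate(alpha, beta, tau, c=0.0, rounds=200_000, seed=1):
    """Monte Carlo over the four cases, one outer iteration per block height."""
    rng = random.Random(seed)
    inf = tau * alpha
    share = inf / (beta + inf)
    attacker = victim = 0.0
    for _ in range(rounds):
        withheld = False
        while True:
            r = rng.random()                   # who finds the next FPoW?
            if r < inf:                        # infiltrating power: FPoW is withheld
                withheld = True
                continue
            if r < alpha:                      # case 1: attacker's solo mining
                attacker += 1
            elif r < alpha + beta or (withheld and rng.random() < c):
                # case 2 (honest pool miner) or FAW case 4 (fork won by the pool)
                attacker += share
                victim += 1 - share
            # else: case 3 / BWH case 4, others earn the reward
            break
    return attacker / rounds, victim / rounds

if __name__ == "__main__":
    for name, c in (("BWH", 0.0), ("FAW", 0.5)):
        print(name, closed_form(0.2, 0.2, 0.1, c), simulate(0.2, 0.2, 0.1, c))
```

For the constructed inputs alpha = beta = 0.2 and tau = 0.1, the pool's honest miners receive about 0.186 under BWH and 0.191 under FAW with c = 0.5, against 0.2 with no attack.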