Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.

Published byRoderick Camron Powers Modified over 8 years ago

Similar presentations

Presentation on theme: "On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas."— Presentation transcript:

1 On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas Hobor National University of Singapore

2 Distributed computation Solve computationally large problem – Using resources from multiple users Classic distributed computation models – Volunteer computation – Parasitic computation An emerging model – Competitive computation: Bitcoin, Cryptocurrency, bug bounties 2 Problem U1U1 U1U1 U2U2 U2U2 … … U n-1 UnUn UnUn

3 Bitcoin mining Bitcoin: the most popular cryptocurrency – Find next valid Blocks – Find Nonce s.t. SHA256(BlkTemplate || Nonce) has D leading zero bits – Eg: 0000000000000000024f37840… Requires huge computational power – >100 millions USD of hardware investment – Miners have to wait for years! 3

4 Pooled mining Delegation of computational power via pooled mining – Pooled supervisor distributes work and reward – Miners find share Find Nonce to have d (<D) leading zeros – Eg: 000000123fa… Shares are meaningful to pool only More than 90% are pool miners – Pool miners get frequent reward 4 Securing Bitcoin pool protocol is important! 0010X 0001X 0011X 0000X

5 Is Bitcoin pooled mining protocol secure? – Miner’s reward computational power? – Following the protocol best outcome? Intuitive answer: Yes – Hash inversion is cryptographically hard This work – Shows an attack to make a million USD per month Problem 5

6 Block Withholding Attack ● A topic of hot debate – “Withholding attacks don’t make financial sense — that’s easy to prove with math...” ● Even from a pool operator – “Basically in no way has an accurate model of the network shown withholding to be more profitable than legitimate mining...” ● Still happen in practice – The attack caused a damage of 200, 000 USD to Eligius poola damage of 200, 000 USD 6 Our findings -The attack does profit the attacker -Applicable to all cryptocurrencies Our findings -The attack does profit the attacker -Applicable to all cryptocurrencies

7 Contributions Study the Bitcoin pooled mining protocol – Game theoretic approach, i.e. formulate Bitcoin mining as a game Analyze the BWH attack – The attack is profitable Pool protocol is vulnerable – Empirically evaluate the findings 7

8 BITCOIN MINING AS A COMPUTATIONAL POWER SPLITTING GAME Model 8

9 Find 0000X 25 BTCs Find 0000X 25 BTCs Find 0000X 25 BTCs 5 BTCs Find 00Y 9 D=4 d=2 D=4 d=2 Find 00Y 5 BTCs Compete to get 25 BTCs Free to distribute power

10 Player action: Pick =( β 0, β 1, β 2,…, β n ) – Use αβ 0 to compete independently – Contribute αβ i to pool P i – Get reward U i from pool i Player’s goal is to maximize Bitcoin as a Computational Power Splitting Game N pools Player: α GAME NETWORK PLAYER αβ 0 P1P1 P1P1 αβ 1 P2P2 P2P2 αβ 2 … … αβ n P n-1 αβ i PnPn PnPn 10

11 BLOCK WITHHOLDING ATTACK Case study 11

12 Block Withholding Attack ● Only submit “normal” shares – Reduces pool’s reward and other miners’ reward – Pool has to pay the attacker for his shares ● Hard to detect – Finding a block is probabilistic 12 0010X 0001X Honest 0011X 0000X 0010Y 0001Y BWH 0011Y 0000Y

13 BWH attack is profitable Intuition: Bitcoin is a zero-sum game – Coins supply is constant – The loss in the victim pool is picked up by other pools 13 +x -x BWH attack +X+X -0.2X +0.8X

14 Simple example 25% 75% Honest Scenario Mining Power Reward Honest scenario Attack scenario Attacker25% 25.9% Pool75% 74.1% 20% 75% Attack Scenario 5% 21% 79% Actual Mining Power Distribution 0% 21% 74.1% Actual Reward Distribution 4.9% attacker Victim pool BWH attack 14 1 pool, α =25% (β 0, β 1 ) = (0.8, 0.2) αβ 0 = 20% αβ 1 = 5% 20% 75% Honest Scenario 5%

15 Analyze BWH attack using CPS game Compute the reward of the attacker – Before vs after the attack in each pool – Infer attacking rules Consider different scenarios – Single attacker, single pool – Single attacker, multiple pools – Multiple attackers 15

16 Scenario: single attacker It’s always profitable to BWH attack There is a threshold on the attacking power It’s more profitable to target big pool Exists the optimal strategy to maximize 16 Extra reward Attacking portion Victim pool’s size Attacker’s power

17 Other scenarios There are other dishonest miners – It’s possibly profitable – Depends on how much the pool is “contaminated” Attacking multiple pools – Attacks as many as possible – Exists the optimal strategy 17

18 Nash equilibrium What is the best strategy for the miner? Consider two accessible pools – The dominant strategy is to attack the other There is no pure strategy – There is always a better move to win back 18 P1 P2 BWH from P2 BWH from P1

19 Does attack’s duration matters? 19 10 BTCs/ 10 mins 11 BTCs/ 12 mins Does it actually profit? Short term It depends Long term Yes Difficulty adjusts 11 BTCs/ 10 mins

20 Evaluate our results ● Use “official” Bitcoin client, popular pool mining software – Run on cloud-based Amazon EC2 – Burning up to 70,000 CPU core-hours ● Essential to – check the correctness of our result – show our CPS model is faithful 20

21 Experimental results 21 Relative difference: 1%

22 Discussion on Defenses Assign same task to multiple miners Change pay-off scheme – pay more to shares which are valid blocks Change Bitcoin protocol to support pooled mining natively – Make share become oblivious to miner only pool supervisor knows which shares are valid blocks 22 A cheap and compatible solution to prevent BWH attack is still an open problem

23 Conclusion Security of pool protocols is an open research topic Existing pool protocols are vulnerable to BWH attack – Game-based model to understand incentive structure Future work – Defenses – Proof of security 23

24 Thank you Q&A Email: loiluu@comp.nus.edu.sgloiluu@comp.nus.edu.sg 24 LTCBTC

25 Related work BWH attack – [Rosen11] Analysis of bitcoin pooled mining reward systems Attack is not profitable – [CoBa14] On subversive miner strategies and block withholding attack in bitcoin digital currency Attack does profit, but analysis is incorrect – [Eyal15] The miner’s dilemma Arrives at same findings, but from pool perspective No experimental evaluation Concurrent work Other Bitcoin attacks – [Rosen11] Pool hopping, Lie in wait attack – [EyalSi13] Majority is not enough: Bitcoin mining is vulnerable Selfish mining attack 25

26 26

Download ppt "On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas."

Similar presentations

CPS 296.1 Bayesian games and their use in auctions Vincent Conitzer

CPS Bayesian games and their use in auctions Vincent Conitzer
Game Theory Assignment For all of these games, P1 chooses between the columns, and P2 chooses between the rows.

Game Theory Assignment For all of these games, P1 chooses between the columns, and P2 chooses between the rows.
Mechanism Design without Money Lecture 1 Avinatan Hassidim.

Mechanism Design without Money Lecture 1 Avinatan Hassidim.
Incentive-Compatible Opportunistic Routing for Wireless Networks Fan Wu, Tingting Chen, Sheng Zhong (SUNY Buffalo) Li Erran Li Li Erran Li (Bell Labs)

Incentive-Compatible Opportunistic Routing for Wireless Networks Fan Wu, Tingting Chen, Sheng Zhong (SUNY Buffalo) Li Erran Li Li Erran Li (Bell Labs)
1 Chapter 4: Minimax Equilibrium in Zero Sum Game SCIT1003 Chapter 4: Minimax Equilibrium in Zero Sum Game Prof. Tsang.

1 Chapter 4: Minimax Equilibrium in Zero Sum Game SCIT1003 Chapter 4: Minimax Equilibrium in Zero Sum Game Prof. Tsang.
Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.

Optimal Jamming Attacks and Network Defense Policies in Wireless Sensor Networks Mingyan Li, Iordanis Koutsopoulos, Radha Poovendran (InfoComm ’07) Presented.
Markov Game Analysis for Attack and Defense of Power Networks Chris Y. T. Ma, David K. Y. Yau, Xin Lou, and Nageswara S. V. Rao.

Markov Game Analysis for Attack and Defense of Power Networks Chris Y. T. Ma, David K. Y. Yau, Xin Lou, and Nageswara S. V. Rao.
Markov Game Analysis for Attack and Defense of Power Networks Chris Y. T. Ma, David K. Y. Yau, Xin Lou, and Nageswara S. V. Rao.

Markov Game Analysis for Attack and Defense of Power Networks Chris Y. T. Ma, David K. Y. Yau, Xin Lou, and Nageswara S. V. Rao.
Game Theory: introduction and applications to computer networks Game Theory: introduction and applications to computer networks Zero-Sum Games (follow-up)

Game Theory: introduction and applications to computer networks Game Theory: introduction and applications to computer networks Zero-Sum Games (follow-up)
COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.

COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.
CS425/CSE424/ECE428 — Distributed Systems — Fall 2011 2011-12-01Nikita Borisov - UIUC1.

CS425/CSE424/ECE428 — Distributed Systems — Fall Nikita Borisov - UIUC1.
Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.

Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.
EC102: Class 9 Christina Ammon.

EC102: Class 9 Christina Ammon.
Algoritmi per Sistemi Distribuiti Strategici

Algoritmi per Sistemi Distribuiti Strategici
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Towards a More Democratic Mining in Bitcoins Goutam Paul R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute Pratik Sarkar Indian.

Towards a More Democratic Mining in Bitcoins Goutam Paul R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute Pratik Sarkar Indian.
Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw 30.1.2015.

Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw
UNIT II: The Basic Theory Zero-sum Games Nonzero-sum Games Nash Equilibrium: Properties and Problems Bargaining Games Review Midterm3/19 3/12.

UNIT II: The Basic Theory Zero-sum Games Nonzero-sum Games Nash Equilibrium: Properties and Problems Bargaining Games Review Midterm3/19 3/12.
Selfish Caching in Distributed Systems: A Game-Theoretic Analysis By Byung-Gon Chun et al. UC Berkeley PODC’04.

Selfish Caching in Distributed Systems: A Game-Theoretic Analysis By Byung-Gon Chun et al. UC Berkeley PODC’04.
A Payment-based Incentive and Service Differentiation Mechanism for P2P Streaming Broadcast Guang Tan and Stephen A. Jarvis Department of Computer Science,

A Payment-based Incentive and Service Differentiation Mechanism for P2P Streaming Broadcast Guang Tan and Stephen A. Jarvis Department of Computer Science,

Similar presentations

Ads by Google