Ittay Eyal
Emin Gün Sirer
Abstract
The Bitcoin cryptocurrency records its transactions in a public log called the blockchain. Its security rests critically on the distributed protocol that maintains the blockchain, run by participants called miners. Conventional wisdom asserts that the mining protocol is incentive-compatible and secure against colluding minority groups, that is, it incentivizes miners to follow the protocol as prescribed.
We show that the Bitcoin mining protocol is not incentive-compatible. We present an attack with which colluding miners' revenue is larger than their fair share. The attack can have significant consequences for Bitcoin: Rational miners will prefer to join the attackers, and the colluding group will increase in size until it becomes a majority. At this point, the Bitcoin system ceases to be a decentralized currency.
Unless certain assumptions are made, selfish mining may be feasible for any coalition size of colluding miners. We propose a practical modification to the Bitcoin protocol that protects Bitcoin in the general case. It prohibits selfish mining by a coalition that command less than 1/4 of the resources. This threshold is lower than the wrongly assumed 1/2 bound, but better than the current reality where a coalition of any size can compromise the system.
- Andresen, G. March 2013 chain fork post-mortem. BIP 50, en.bitcoin.it/wiki/BIP_50, retrieved Sep. 2013.Google Scholar
- Babaioff, M., Dobzinski, S., Oren, S., Zohar, A. On Bitcoin and red balloons. In EC (ACM, 2012). Google ScholarDigital Library
- Barber, S., Boyen, X., Shi, E., Uzun, E. Bitter to better, how to make Bitcoin a better currency. In FC (2012).Google ScholarCross Ref
- bitcoincharts.com. Bitcoin network. bitcoincharts.com/bitcoin/ (Nov. 2013).Google Scholar
- blockchain.info. Bitcoin market capitalization. blockchain.info/charts/market-cap (Jan. 2014).Google Scholar
- Chaum, D. Blind signatures for untraceable payments. In Crypto 82 (1982), 199--203.Google Scholar
- Decker, C., Wattenhofer, R. Information propagation in the Bitcoin network. In P2P (IEEE, 2013).Google ScholarCross Ref
- Eyal, I., Sirer, E.G. Bitcoin is broken. hackingdistributed.com/2013/11/04/bitcoin-is-broken/ (2013).Google Scholar
- Eyal, I., Sirer, E.G. Majority is not enough: Bitcoin mining is vulnerable. arXiv preprint arXiv:1311.0243 (2013).Google Scholar
- Felten, E.W. Bitcoin research in Princeton CS. freedom-to-tinker.com/blog/felten/bitcoin-research-in-princeton-cs/ (2013).Google Scholar
- Kelkar, A., Bernard, J., Joshi, S., Premkumar, S., Sirer, E.G. Virtual notary.virtual-notary.org/ (Retrieved Sep. 2013).Google Scholar
- Kroll, J.A., Davey, I.C., Felten, E.W. The economics of Bitcoin mining or, Bitcoin in the presence of adversaries. In Workshop on the Economics of Information Security (2013).Google Scholar
- Lee, T.B. Four reasons Bitcoin is worth studying. forbes.com/sites/timothylee/2013/04/07/four-reasons-bitcoin-is-worth-studying/2/ (2013).Google Scholar
- Miers, I., Garman, C., Green, M., Rubin, A.D. Zerocoin: Anonymous distributed e-cash from Bitcoin. In IEEE Symposium on Security and Privacy (2013). Google ScholarDigital Library
- Nakamoto, S. Bitcoin: A peer-to-peer electronic cash system (2008).Google Scholar
- Namecoin Project. Namecoin DNS -- DotBIT project. dot-bit.org (Retrieved Sep. 2013).Google Scholar
- Narayanan, A., Miller, A. Why the Cornell paper on Bitcoin mining is important. freedom-to-tinker. com/blog/randomwalker/why-the-cornell-paper-on-bitcoin-mining-is-important/ (2013).Google Scholar
- Neighborhood Pool Watch. October 27th 2013 weekly pool and network statistics. organofcorti.blogspot.com/2013/10/october-27th-2013-weekly-pool-and.html (Retrieved Oct. 2013).Google Scholar
- Pacia, C. Bitcoin mining explained like you're five: Part 1 -- incentives. chrispacia.wordpress.com/2013/09/02/bitcoin-mining-explained-like-youre-five-part-1-incentives/ (September 2013).Google Scholar
- RHorning, mtgox, btchris, and ByteCoin. Mining cartel attack. bitcointalk.org/index.php?topic=2227, December 2010.Google Scholar
- Rosenfeld, M. Analysis of Bitcoin pooled mining reward systems. arXiv preprint arXiv:1112.4980 (2011).Google Scholar
- Swanson, E. Bitcoin mining calculator. alloscomp.com/bitcoin/calculator (Retrieved Sep. 2013).Google Scholar
- Vishnumurthy, V., Chandrakumar, S., Sirer, E.G. Karma: A secure economic framework for peer-to-peer resource sharing. In Workshop on Economics of Peer-to-Peer Systems (2003).Google Scholar
- Wikipedia. List of cryptocurrencies.en.wikipedia.org/wiki/List_of_cryptocurrencies (Oct. 2013).Google Scholar
- Yang, B., Garcia-Molina, H. PPay: Micropayments for peer-to-peer systems. In CCS (ACM, 2003). Google ScholarDigital Library
Index Terms
- Majority is not enough: bitcoin mining is vulnerable
Recommendations
Fact and Fiction: Challenging the Honest Majority Assumption of Permissionless Blockchains
ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications SecurityHonest majority is the key security assumption of Proof-of-Work (PoW) based blockchains. However, the recent 51% attacks render this assumption unrealistic in practice. In this paper, we challenge this assumption against rational miners in the PoW-based ...
WI Is Not Enough: Zero-Knowledge Contingent (Service) Payments Revisited
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications SecurityWhile fair exchange of goods is known to be impossible without assuming a trusted party, smart contracts in cryptocurrencies forgo such parties by assuming trust in the currency system. They allow a seller to sell a digital good, which the buyer will ...
Fair enough: guaranteeing approximate maximin shares
EC '14: Proceedings of the fifteenth ACM conference on Economics and computationWe consider the problem of fairly allocating indivisible goods, focusing on a recently-introduced notion of fairness called maximin share guarantee: Each player's value for his allocation should be at least as high as what he can guarantee by dividing ...
Reviews
Barrett Hazeltine
This article concerns a way to circumvent the decentralization aspect of Bitcoin, that is, it shows how a group of "miners" could control the cryptocurrency by colluding. The attractiveness of Bitcoin is the perception that no person can be in control. In fact, no evidence exists that up to now a group of miners has colluded. This article gives a strategy for reducing the possibility of control. Bitcoin "records its transactions in a public log called the blockchain." Participants, called miners, enter transactions using a distributive protocol. These miners bring different amounts of resources. As the authors state, "conventional wisdom asserts that the mining protocol ... incentivizes miners to follow the protocol as prescribed" by ensuring that miners would not profit by doing otherwise. Conventional wisdom is incorrect. The article shows that rational miners, by colluding, will profit from a higher share of profits than noncolluding miners; "the colluding group will increase in size until it becomes a [controlling] majority." When such happens, "the Bitcoin system ceases to be a decentralized currency." The article proposes a practical modification to the protocol. The modification prevents "selfish mining by a coalition that commands less than one-fourth of the [total] resources"; this limit is "better than the current reality where a coalition of any size can compromise the system." This article is of most interest to designers of cryptocurrency systems, but is readable and thus of value to anyone wanting to know what is under the hood.
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments