Leveraging the Veriers Dilemma to Double Spend in Bitcoin Tong Cao1 J er emie Decouchant2y and Jiangshan Yu3y

2025-05-02 0 0 702.98KB 23 页 10玖币
侵权投诉
Leveraging the Verifier’s Dilemma to Double
Spend in Bitcoin?
Tong Cao1,, J´er´emie Decouchant2,, and Jiangshan Yu3,
1Kunyao Academy, Shanghai, China
2Delft University of Technology, Delft, The Netherlands
3Monash University, Melbourne, Australia
Abstract. We describe and analyze perishing mining, a novel block-
withholding mining strategy that lures profit-driven miners away from
doing useful work on the public chain by releasing block headers from
a privately maintained chain. We then introduce the dual private chain
(DPC) attack, where an adversary that aims at double spending increases
its success rate by intermittently dedicating part of its hash power to
perishing mining. We detail the DPC attack’s Markov decision process,
evaluate its double spending success rate using Monte Carlo simulations.
We show that the DPC attack lowers Bitcoin’s security bound in the
presence of profit-driven miners that do not wait to validate the trans-
actions of a block before mining on it.
Keywords: Bitcoin ·Double spending ·Block withholding attack
1 Introduction
Bitcoin’s security level is traditionally measured as the proportion of the mining
power that an adversary must control to successfully attack it. Nakamoto as-
sumed that an adversary would not control the majority of the mining power [28].
If this assumption does not hold, an attacker is able to spend a coin twice and af-
fect the system consistency in what is known as a double spending attack or 51%
attack. The soundness of the honest majority assumption has been discussed in
the literature and mechanisms have been proposed to harden the mining process
against the 51% attack without completely eliminating it [11,37,23,8].
Despite rewarding miners with newly minted coins and transaction fees, the
Bitcoin mining process has also been shown to be vulnerable to selfish behaviors.
Using selfish mining, a miner withholds mined blocks and releases them only after
the honest miners have wasted computing resources mining alternative blocks.
Selfish mining increases a miner’s revenue beyond the fair share it would obtain
This work was partly performed while Tong Cao was with the University of Luxem-
bourg.
These authors are listed in alphabetical order and contributed equally.
?This paper will appear on the 27th Financial Cryptography and Data Security con-
ference (FC 2023).
arXiv:2210.14072v2 [cs.CR] 9 Feb 2023
by following the default Bitcoin mining protocol [19]. Using simulations, selfish
mining has been shown to be profitable only after a difficulty adjustment period
in Bitcoin for any miner with more than 33% of the global hash power [21,30].
Variants of selfish mining further optimize a miner’s expected revenue [34].
Additionally, miners face the verifier’s dilemma [26,36,7], where upon receiv-
ing a block header they have to decide whether they should wait to have received
and verified the corresponding transactions, or whether they should start mining
right away based on the block header. Different miners might react differently
to this dilemma.
Following previous works, we say that a chain of blocks is public if the honest
miners are able to receive all its content, while we say that a chain is private if
some contents of the chain are kept hidden by the adversary. In this paper, we
show that an adversary can leverage a novel block withholding strategy, which we
call perishing mining, to slow down the public chain in an unprecedented man-
ner. More precisely, perishing mining leads miners that react differently to the
verifier’s dilemma to mine on different forks. We then present the Dual Private
Chain (DPC) attack, which further leverages the verifier’s dilemma to double
spend on Bitcoin. This attack is, to the best of our knowledge, the first attack
where an adversary temporarily sacrifices part of its hash power to later favor
its double spending attack, and the first attack where an adversary simultane-
ously manages two private chains. Intuitively, the first adversarial chain inhibits
the public chain’s growth, so that the second one benefits from more favorable
conditions for a double spending attack.
To evaluate the impact of the distraction chain on the public chain we first
establish the Markov decision process (MDP) of perishing mining. From this
MDP, we obtain the probability for the system to be in each state, and quantify
the impact of perishing mining on the public chain, i.e., its growth rate decrease.
We further describe the DPC attack and its associated MDP. We then evaluate
its expected success rate based on Monte Carlo simulations. Counterintuitively,
our results show that the adversary increases its double spending success rate
by dedicating a fraction of its hash power to slow the public chain down, instead
of attacking it frontally with all its hash power.
Overall, this work makes the following contributions.
We present perishing mining, a mining strategy that is tailored to slow
down the progress of the public chain by leveraging the verifier’s dilemma. Using
perishing mining an adversary releases the headers of blocks that extend the
public chain so that some honest miners mine on them while some honest miners
keep mining on the public chain, which effectively divides the honest miners hash
power. We present the pseudocode of the perishing mining strategy, establish its
Markov chain model and quantify its impact on the public chain growth.
Building on perishing mining, we describe the DPC attack that an ad-
versary can employ to double spend by maintaining up to two private chains.
The first chain leverages the perishing mining strategy to slow down the pub-
lic chain’s growth and ease the task of the second chain, which aims at double
2
spending. We provide the pseudocode of the attack, and characterize the states
and transitions of its Markov chain model.
We evaluate the perishing mining strategy and the DPC attack based on
extensive Monte Carlo simulations. Our results indicate that perishing mining
reduces the public chain progress by 69% when the adversary owns 20% of the
global power and 50% of the hash power belongs to miners that mine on block
headers without verifying their transactions. In comparison, selfish mining, which
aims at optimizing a miner’s revenue share, would only decrease it down by 15%.
Our evaluation also shows that an adversary that owns 30% of the global hash
power can double spend with 100% success rate when 50% of the hash power
belongs to optimistic miners who do not verify transactions (i.e., type 2 miners
in §3.2). While we focus on the double spending threat, we also show that the
DPC attack allows an adversary to obtain a higher revenue than the one it would
obtain by mining honestly or following previously known strategies (Appx. C).
This paper is organized as follows. §2discusses the related work and provides
some necessary background. §3defines our system model. §4provides an overview
of the DPC attack. §5details the perishing mining strategy and the DPC attack
that builds on it. §6presents our evaluation results. §7provides a discussion on
other aspects of the attack. Finally, §8concludes this paper.
2 Related Work
Double spending attack. The double spending attack on Bitcoin was de-
scribed in Nakamoto’s whitepaper [28], and has been further analyzed since [25,33].
Nowadays, z= 6 blocks need to be appended after a block for its transactions
to be considered permanent. An adversary with more than 50% of the global
mining power is able to use a coin in a first validated transaction and, later on,
in a second conflicting transaction. Nakamoto characterized the race between
the attacker and the honest miners as a random walk, and calculated the proba-
bility for an attacker to catch up with the public chain after zblocks have been
appended after its initial transaction. Our DPC attack aims at double spending,
and improves upon the classical double spending’s success rate.
Block-withholding attacks. Selfish mining was the first mining strategy
that allows a rational miner to increase its revenue share [19], and was later
shown to harm the mining fairness [10,15]. Selfish mining is not more profitable
than honest mining when the mining difficulty remains constant despite the fact
that the adversary is able to increase its revenue share [22,21]. Nayak et al.
proposed plausible values for the selfish miner’s propagation factor by utilizing
the public overlay network data [29]. They pointed out that the attacker could
optimize its revenue and win more blocks by eclipsing [24] honest miners when
the propagation factor increases. Gervais et al. analyzed the impact of stale rate
on selfish mining attack [21]. Negy et al. pointed out that applying selfish mining
in Bitcoin is profitable after at least one difficulty adjustment period (i.e., after
approximately two weeks at least) [30]. The DPC attack differs from these works
3
Table 1: Notations.
Symbol Interpretation
α[0,0.5] Mining power of the adversary.
β[0,1] Fraction of its mining power that the adversary dedicates to its first
private chain.
µ[0,0.5] Mining power of type 2 miners.
vtValue of the transaction the adversary inserts in a block when starting
the DPC attack and attempts to double spend.
vbMining reward per block.
in the sense that its main goal is not to increase the adversary’s mining share
but to double spend with higher probability than previous attacks.
Combining selfish mining and double spending. Previous works have
shown that an adversary can combine the double spending attack with selfish
mining [21,35]. In this attack, the attacker maintains a single chain, which lowers
the double spending success rate compared to the initial double spending attack.
Our DPC attack shows that an adversary can simultaneously manage two private
chains to launch a more powerful double spending attack.
Blockchain Denial of Service Attacks. The BDOS attack proposed strate-
gies to partially or completely shut down the mining network [27]. To do so, the
adversary only sends the block header to the network whenever she discovers
a block that is ahead of the public chain and there is no fork, and publishes
the block body if the next block is generated by the honest miners. By doing
so, the profitability and utility of the rational miners and Simplified Payment
Verification (SPV) miners is decreased, so that they eventually leave the mining
network. The objective of BDOS attacks is to halt the system. An adversary
would need to spend approximately 1 million USD per day to shut down the
system. Our DPC attack frequently separates other miners’ hash power, which
has some similarities with the BDOS attack’s partial shut down case. However,
the DPC attack allows the adversary to double spend.
3 System Model
This section introduces the categories of miners we consider, and the adversary
that launches a DPC attack. Table 1summarizes our notations.
3.1 Bitcoin mining and the verifier’s dilemma
Bitcoin mining is a trial-and-error process4. The public blockchain (or chain) is
visible to all participants, and is maintained by honest miners. To achieve con-
sistency, honest miners accept the longest chain in case of visible forks [31,20,17].
4https://en.bitcoin.it/wiki/Block hashing algorithm
4
However, temporary block withholding attacks have been shown to threaten Bit-
coin’s security [25,33,19,34]. Honest miners monitor the network to verify block
headers and verify transactions.
In the Bitcoin’s network, block headers are often propagated faster than
transactions. Bitcoin’s incentive mechanism does not directly reward the verifi-
cation of transactions, and BIP-1525introduced the compact block propagation
optimization where each node can relay a block in a compact format before
verifying its transactions. In this case, a miner that immediately mines on the
block header of a correct block gets a time advantage to find the next block.
If the miners instead wait and verify the included transactions before the next
mining round, then they might sacrifice some non-negligible time in the mining
race [26,36,7,12].
We assume that miners follow the traditional block exchange pattern [16,27]
using the overlay network. Block dissemination over the overlay network takes
seconds, whereas the average mining interval is 10 minutes. While accidental
forks (which may occur every 60 blocks [16] on average) reduce the effective
honest mining power on the public chain and makes our attack easier, we do not
consider accidental forks created by honest miners in order for simplicity. We
evaluate mining and double spending strategies using event-based simulations
where an event is the discovery of a block by a category of miner. We note vb
the mining reward that miners obtain whenever a block they have discovered is
permanently included in the blockchain.
3.2 Miner Categories
We consider two types of honest Bitcoin miners that react differently to the
verifier’s dilemma: type 1 honest miners and type 2 honest miners.
Type 1 honest miners always follow the default mining protocol and mine on
the longest chain of fully verified blocks. In particular, these miners do not mine
on a block header that extends a longer non-fully verified concurrent chain.
Type 2 honest miners are profit-driven. As Bitcoin allows miners to accept
and generate new blocks without verifying their transactions, type 2 miners start
mining on a new block or its header if it extends the longest chain without verify-
ing the transactions it contains. Note that type 2 miners can verify transactions
whenever they are received and stop mining on a block header when associated
transactions are faulty, or if they successfully mine the next block without having
received the previous transactions. In our experiments, we consider two opposite
categories of type 2 miners that behave differently upon reception of successive
block headers to evaluate the best and worst possible attack results.
Optimistic type 2 miners miners always mine on the longest chain of blocks,
which is possibly made of several block whose transactions have not yet
been received. In particular, Simplified Payment Verification (SPV) min-
ers [3,4,5,6] can be categorized as optimistic type 2 miners. Upon finding a
5https://github.com/bitcoin/bips/blob/master/bip-0152.mediawiki
5
摘要:

LeveragingtheVeri er'sDilemmatoDoubleSpendinBitcoin?TongCao1;,JeremieDecouchant2;y,andJiangshanYu3;y1KunyaoAcademy,Shanghai,China2DelftUniversityofTechnology,Delft,TheNetherlands3MonashUniversity,Melbourne,AustraliaAbstract.Wedescribeandanalyzeperishingmining,anovelblock-withholdingminingstrategy...

展开>> 收起<<
Leveraging the Veriers Dilemma to Double Spend in Bitcoin Tong Cao1 J er emie Decouchant2y and Jiangshan Yu3y.pdf

共23页,预览5页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:23 页 大小:702.98KB 格式:PDF 时间:2025-05-02

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 动力学连接体 力的合成 配电装置 高考理综 全宋诗作者索引 公务员考试
/ 23
评分 收藏
分享
立即下载
客服
关注