Free and Easy Weekly Review | How Selfish Mining Strategies Affect Every Half Coin

Write in front:

With the advent of the new cycle of cryptocurrencies, miners have ushered in the spring, and what is in front of them is nothing more than which coin to mine and how to mine to get more revenue.

Yes, this week's academic content is related to mining.

What we want to share is a paper from the National Institute of Standards and Technology (NIST), which discusses selfish mining strategies for Bitcoin, Litecoin, Bitcoin Cash (BCH), Dash, Dash, The impact of Monero and Zcash.

• Donation, medical treatment, rescue, community prevention and control, can blockchain become a new weapon to fight the epidemic?
• People's Network: Blockchain technology helps make charity more transparent
• Ethereum 2.0 testnet is about to launch, can host 100,000 validators

In the hardcore technical article selection section, we will also see the content of Verifiable Random Function (VRF) -based PoW solution design, Optimistic Rollup, and Ethereum 2.0 validator ransomware attacks.

In addition, in the past week, Bitcoin and Ethereum also ushered in many technological advances.

(Picture from: tuchong.com)

I. The impact of selfish mining strategies on halving the currency

In theory, a selfish mining attack can allow miners to obtain an excess share of block rewards, while reducing the overall security of payments. There has been much research on the application of this malicious strategy to Bitcoin, but much less attention has been paid to how this strategy affects other cryptocurrencies.

This is because selfish mining is an attack on the Cryptocurrency Difficulty Adjustment Algorithm (DAA), so when it comes to cryptocurrencies using different difficulty adjustment algorithms (DAA), it may have a completely different effect.

In the new paper "Research on the Profitability of Selfish Mining Based on Multi-Difficulty Tuning Algorithms" published by the National Institute of Standards and Technology (NIST), researchers Michael Davidson and Tyler Diamond required selfish mining requirements for multiple PoW cryptocurrencies and Yields have been assessed, including Bitcoin, Litecoin, Bitcoin Cash (BCH), Dash, Monero, and Zcash.

Link to the original paper: https://eprint.iacr.org/2020/094.pdf

Studies have found that other cryptocurrencies under consideration are far more susceptible to selfish mining than BTC. In addition, research has shown that by dishonestly reporting block timestamps, for some DAAs, selfishness Mining strategies can generate disproportionate income for dishonest miners, which is 2.5 times higher than the income they earn through honest mining.

1.1 The concept of selfish mining

Generally, when a miner mines a new block, they broadcast the block to their peers. The purpose of this is to make the block spread to the rest of the network as soon as possible. Block rewards can only be obtained after acceptance, so under normal circumstances, it is in the best interest of miners to quickly submit any new blocks to competitors.

However, in some cases, the deviation strategy will allow miners with full network x% hash power to obtain block rewards exceeding x%.

This strategy works by selfish miners broadcasting their detained blocks and then forcing honest miners to mine on those blocks.

The following figure shows the algorithm used by selfish miners to determine whether to publish their blocks:

(Figure: The original selfish mining strategy)

However, this alone is not enough to make selfish mining miners profitable. As long as the difficulty of mining remains the same, miners using selfish mining strategies will suffer losses. Of course, honest miners will suffer even greater losses, so In this case, rational participants will not use selfish mining strategies.

Only when the difficulty of the network is adjusted downwards can selfish mining strategies be profitable.

The following formula shows how the selfish mining miners can increase the relative income of mining when they have a percentage of computing power:

If γ = 1/2, selfish mining is profitable when α ≥1 / 4, and if γ = 0, selfish mining is profitable when α ≥ 1/3. (Where α is the proportion of total computing power controlled by selfish miners, and γ is the proportion of honest miners who choose to mine on blocks issued by selfish miners).

1, 2 difficulty adjustment algorithm (DAA)

Since Proof-of-Work (PoW) cryptocurrencies do not have a central authority to determine who can mine and at what rate, the total amount of network computing power will change over time.

However, in order to maintain a planned monetary policy and a better user experience, regardless of computing power, new blocks should be found within a predictable time (for example, Bitcoin's goal is a 10-minute block interval). If there is no difficulty adjustment algorithm (DAA), the increase in computing power will make the discovery of blocks more and more frequent, which will lead to an increase in currency inflation and make payments less predictable and secure. The role of the difficulty adjustment algorithm (DAA) is to change the difficulty of mining problems to adapt to changes in computing power and generate blocks at a relatively constant speed.

Although the main purpose of the difficulty adjustment algorithm (DAA) is to maintain the consistency of block time in the case of fluctuating computing power in order to implement the monetary policy of cryptocurrencies, in its design, various other factors may be considered .

For example, when the computing power remains unchanged, the difficulty adjustment algorithm (DAA) should avoid sudden changes in difficulty, prevent the feedback between computing power and difficulty from violently oscillating, and avoid unusually long intervals between new blocks.

1, 3 time and timestamp

In a distributed system, maintaining an accurate clock is a challenging problem, and relatively accurate timing is required by the difficulty adjustment algorithm.

Some cryptocurrencies have different timestamp rules, but the rules studied here are roughly the same. There are three concepts of time that a node cares about: system clock time, block timestamp, and network adjustment time. When nodes connect, they each send a timestamp to each other. Monero is the only cryptocurrency in this study that does not use the network to adjust time.

Since the block timestamp is the only time that nodes can objectively agree, it is the timestamp used in the difficulty adjustment algorithm (DAA) calculation. There are two rules to determine whether a node will consider a block valid based on its timestamp;

1. The block timestamp must be less than 2 hours before the network adjustment time (or in the case of Monero, the system clock time);
2. The timestamp must be greater than the middle timestamp of the first 11 blocks;

In summary, these rules should prevent block timestamps from deviating from actual time by more than a few hours, and provide nodes with an agreed time concept for difficulty adjustments.

However, if the difficulty adjustment algorithm (DAA) is not well designed (or implemented poorly), malicious miners may strategically set block timestamps to "obfuscate" the algorithm and quickly reduce the difficulty, thereby mining faster To more rewards.

This is an attack method known as time warp , and has been successfully executed by several attackers on several cryptocurrencies, which makes the output of these coins much earlier than originally planned.

Another possible attack that uses time stamps is a time hijacking attack that uses the network to adjust time. By connecting to the target node multiple times and reporting the wrong timestamp, an attacker who keeps more than half of the target connected can move the victim's network adjustment time forward or backward by up to 70 minutes, which can be used to force the target node to temporarily consider the zone The block is valid or invalid.

1.4 Evolution and variants of selfish mining strategies

What we need to know is that selfish mining strategies were not profitable until the difficulty was adjusted. This has been demonstrated by Cyril Grunspan and Ricardo Pérez-Marco, which is why we have not observed selfish mining in the Bitcoin network. One of the reasons for the attack phenomenon.

Studies by Nayak et al. Have shown that various "stubborn mining" strategies can increase the profit of miners. In addition, combining these strategies with eclipse attacks can increase revenue and even counter-intuitively make the Japanese The "victims" of eclipse attacks benefit. Sapirshtein et al. Used the Markov decision process to further improve selfish mining, and obtained the optimal mining strategy, and showed that using this strategy, miners can reduce the computing power required for the attack from 25% to 23.21% .

Others study the performance of selfish mining through more detailed models or real-world environments. In this environment, selfish miners tend to create larger blocks, and thus charge more. Gervais et al. Incorporated block propagation time, block size, expected block time, and the possibility of an eclipse attack into their model and showed that larger block sizes and shorter expected block times increase selfishness The relative income of miners, however, advanced block propagation techniques can minimize this problem.

The above studies only considered the model of the existence of a single selfish miner, while other studies were carried out on the situation where multiple selfish miners act simultaneously.

For example, Francisco J Marmolejo-Cossío and others proposed that in the presence of multiple selfish miners, the security of cryptocurrencies will be further degraded. For example, when there are two independent selfish miners, the threshold for computing power to achieve selfish mining is Can drop to 21.48%.

Unlike Bitcoin, Ethereum's "uncle blocks" also provide rewards, and this theoretically lowers the threshold for selfish mining, because these blocks will still give some rewards to selfish miners, reducing strategic risk. According to the research by Ritz and Zugenmaier, the profit threshold for selfish mining is α = 0.185 ± 0.012 through the observed proportion of Ethereum blocks. The Markov model of Niu and Feng found that in the case of α> 0.163, Ethereum's selfish mining is profitable, and below this value, the loss of selfish miners is lower than they do on Bitcoin Loss of selfish mining activities. In addition, due to uncle block rewards, the income of selfish miners and honest miners both increase with α, which may lead to higher inflation of Ethereum assets.

Recently, Cyril Grunspan and Ricardo Pérez-Marco have more formally analyzed the sensitivity of Ethereum to selfish mining and proposed new variant strategies.

And other mining attacks related to selfish mining, but with differences, have gradually increased.

For example, the FAW (Fork After Withholding) attack proposed by Yujin Kwon et al. Involves detaining a proof-of-work solution from the mining pool to which the attacker belongs, and then propagating the solution only when external honest miners release their solutions, thereby Create intentional forks. This strategy is always profitable, in fact it is a way for large mining pools to attack small mining pools. Coin-hopping is another attack method. The attacker jumps from one coin to another, allowing honest miners to face a more difficult chain, and then turning back when the difficulty is reduced. This allows attacker miners to use Mining at the lowest possible cost.

1, 5 coping strategies

Eyal and Sirer, the first authors of the selfish mining attack scheme, suggested that when there are two competing chains appear, honest miners should choose randomly, rather than prioritizing the first seen chain. This is equivalent to setting γ to 0.5, so if α <0.25, selfish mining will not be profitable.

Heilman proposed a technology called Freshness Preferred. After using this technology, miners do not accept the block they see first, but accept the latest timestamp from a trusted source. He also suggested using NIST random beacons for "unforgeable timestamps", which raised the profit threshold for selfish mining to 0.32.

ZeroBlock attempts to prevent selfish mining by having miners attach "fake" blocks to the end of their local chain, provided they do not see new blocks for a certain period of time. Zhang and Preneel proposed a backward-compatible defense to prevent selfish mining. The main disadvantage of this solution is that it takes longer for the network to recover from the partition.

1, 6 simulator

It is reported that the researchers of this paper proposed a simulator using the Monte Carlo method to establish the profitability of selfish mining for various difficulty adjustment algorithms (DAA).

Emulator code library link: https://github.com/usnistgov/SelfishMiningSim

The selected difficulty adjustment algorithm (DAA) is used by the current cryptocurrency market value currency, and because the PoW consensus mechanism used by Ethereum is more complicated, it is beyond the scope of research. The currencies considered here are BTC, BCH, LTC, XMR, Dash, and Zcash.

It is reported that this simulator makes some simplified assumptions:

1. Continuous block rewards;
2. Constant computing power (no new miners come online or disappear);
3. Blocks have no propagation delay;
4. After the attack, the exchange rate of the cryptocurrency remains unchanged;
5. Only one selfish miner (or mining pool) exists;

In addition, the study did not consider how honest miners would react when they discovered a selfish mining attack. In theory, honest miners might take action to reduce the efficiency of selfish miners. However, existing research shows that when multiple miners apply this strategy simultaneously, selfish mining is often more profitable.

1, 7 simulation results

(It should be emphasized that the results here are for the difficulty adjustment algorithm (DAA) itself, not necessarily the currency that uses it, because some cryptocurrencies (such as BCH and Dash) also take other mitigation measures, and these Measures may make selfish mining more challenging, or the benefits will be lower .)

The research results show that for Bitcoin miners to realize selfish mining, they need to master a large part of the computing power to be profitable, and when profitable, they have a lower TARG (time-adjusted relative return) than algorithms of other currencies.

With 40% computing power and no network impact, selfish miners will still be losing money (more than 10,000 blocks), and for the next best competitor Monero, the same selfish miners will Its time-adjusted income increased by 19.15%. However, as the influence of selfish miners' networks increases, this gap tends to narrow. The Dark Gravity Wave (DGW) algorithm used by Dash and Digishield by zCash are another case. The DGW algorithm is particularly vulnerable to timestamp manipulation, while the B601 D601 algorithm is somewhere in between.

TARG results of default parameters for each currency

1.8 Conclusions and future research directions

This paper compares the attack effects of selfish mining strategies on various difficulty adjustment algorithms. In addition, the research also proves that some algorithms are more vulnerable to selfish mining attacks than others, and selfish mining miners should use block time stamp manipulation as a new component of their strategy space.

In future work, there are still many issues that need to be researched, for example, how do miners determine the best timestamp, and whether there is a higher level than naively setting the timestamp to the offset from the miner's system time Strategy?

How does timejacking affect the profitability of selfish mining? What if multiple selfish small miners are mining a cryptocurrency at the same time, and the time stamp manipulation greatly reduces the profit threshold?

There are many other potential difficulty adjustment algorithms to analyze, including simple combinations. Finally, future research should also check the effectiveness of certain mitigation measures, such as those currently used by BCH and Dash.

Free and easy comments: From the perspective of the difficulty adjustment algorithm, Bitcoin seems to be the most resistant to selfish mining attacks, and the requirement for profit (40% hash power) makes the possibility of such attacks very low. The selfish mining of other PoW currencies is relatively easy to implement. Of course, some currencies have already taken mitigation measures, and their effectiveness remains to be confirmed.

Second, hard core technical articles of the week

2.1 Use Verifiable Random Function (VRF) to destroy the mining pool

Author: Runchao Han ([email protected]), Haoyu Lin ([email protected])

Researchers have proposed a mining structure based on a verifiable random function (VRF). With this structure, if a miner wants to open a mining pool, he must inform the miner of his private key (the private key is required to calculate VRF_hash). As a result, no one will choose to open a public mining pool, which can achieve the one-cpu-one-vote goal.

Compared to other mining scheme designs, the degree of decentralization of this structure is theoretically higher.

Chinese version link: https://hackmd.io/rObi2JbHSUaFUumecjPAow?view

Easy and Easy Comment: Although such a design is unlikely to be accepted by the Bitcoin and Ethereum mining pools (and therefore cannot be adopted), its concept is very interesting. Will the complete decentralization be accepted by the participants? Is the existence of a mining pool necessary? These are issues that have not been verified.

2.2 How to Optimize Rollup and Sustainable Decentralization?

Original author: John Adler Translator: Min Min & A sword

Currently, among the Ethereum's layer 2 solutions, the rollup solution has stood out, and optimistic rollup and zk rollup are among the popular ones.

This article explains why optimistic rollup can scale in a safe and sustainable manner while maintaining the decentralized nature, and introduces some of the teams that built the solution.

Article link: https://www.8btc.com/media/554829

Free and easy comments: The optimistic rollup scheme that relies on fraud proofs and the zk rollup scheme that relies on zero-knowledge proofs are very promising layer 2 solutions. As to which one is better, it depends on the specific application. The projects that are currently studying such programs are worth observing.

Possible Escalation Risks for Ethereum 2.0 Verifiers

This article introduces an attack against Ethereum 2.0 verifiers: using the verifier's private key, the attacker can generate a forfeitable certificate and get the corresponding "whistleblower" reward.

The hacker doesn't need to ask for compensation immediately, so if he finds that the Ethereum 2.0 client is under zero-day attack, he can quietly use all the validators found on the network.

As a victim, if you find yourself hacked, then the best strategy is to punish yourself as soon as possible and ask the reporter for compensation. In any case, the pledged funds will be lost.

Although the hacker's whistleblower reward is limited (about 0.05 ETH), if he can hack thousands of validators, things will be interesting.

In addition, as the losses faced by the victims may be high (1-32 ETH), attackers may use extortion smart contracts to increase profits.

Original link: https://ethresear.ch/t/trustless-validator-blackmailing-with-the-blockchain/6922

Free and easy comments:

If participants do not have enough confidence in protecting their private keys, then they are better not to be validators, and if they are very confident in themselves, then you can ignore this research.

Technical Progress of Mainstream Blockchain Projects

3.1 Progress of Bitcoin Development Update

1. OP_CHECKTEMPLATEVERIFY (CTV) Seminar : If this proposed soft fork is adopted, users will be able to use a new CTV opcode to create a covenant. There are several possible applications for this opcode, the most notable of which is Vault and compressed payment batch processing.
2. Eclair upgraded to version 0.3.3, supports multi-path payment, experimental support for trampoline payment, and other improvements;
3. Experimental tools on Taproot and tapscript : Karl Johan Alm has published an experimental branch of his btcdeb tool in the Bitcoin Dev list;

More technical progress updates: https://bitcoinops.org/en/newsletters/2020/02/12/

3.2 Development progress of Ethereum

Ethereum 1.X updates:

1. Nethermind v1.6.1 client released ;
2. Parity v2.7.2 client released ;

Ethereum 2.0 research and development update content:

1. List of Ethereum 2.0 updates ;
2. Ethereum 2.0 research team AMA activities ;

That's it for this issue, see you next week ~

We will continue to update Blocking; if you have any questions or suggestions, please contact us!