Satoxi Weekly Review | How the selfish mining strategy affects the major halving coins

Foreword:

With a new cryptocurrency cycle under way, spring has arrived for miners, and the questions in front of them are simply which coin to mine and how to mine it for the most profit.

Yes, this week’s academic content is related to mining.

What we want to share is a paper from the National Institute of Standards and Technology (NIST) in the United States, which discusses the impact of selfish mining strategies on Bitcoin, Litecoin, Bitcoin Cash (BCH), Dash, Monero, and Zcash.

In the selected hardcore technical articles section, we will also look at a PoW scheme design based on verifiable random functions (VRF), Optimistic Rollup, and extortion attacks against Ethereum 2.0 validators.

In addition, Bitcoin and Ethereum have also seen many technological advances in the past week.

1. The impact of selfish mining strategy on major halving coins

In theory, a selfish mining attack could allow miners to extract an excess share of block rewards while reducing the overall security of payments. There has been a lot of research on how this malicious strategy applies to Bitcoin, but far less attention has been paid to how it affects other cryptocurrencies.

This is because selfish mining is an attack on a cryptocurrency’s difficulty adjustment algorithm (DAA), and therefore can have very different effects when targeting cryptocurrencies that use different DAAs.

In a new paper published by the National Institute of Standards and Technology (NIST), “A Study of Selfish Mining Profitability Based on Multiple Difficulty Adjustment Algorithms,” researchers Michael Davidson and Tyler Diamond evaluated the selfish mining requirements and yields of multiple PoW cryptocurrencies, including Bitcoin, Litecoin, Bitcoin Cash (BCH), Dash, Monero, and Zcash.

Original paper link: https://eprint.iacr.org/2020/094.pdf

The study found that the other cryptocurrencies under consideration are far more susceptible to selfish mining than BTC. In addition, the study also showed that by dishonestly reporting block timestamps, for some difficulty adjustment algorithms (DAA), selfish mining strategies can generate disproportionate income for dishonest miners, which is 2.5 times higher than what they would earn through honest mining.

1.1 The concept of selfish mining

Typically, when a miner mines a new block, they broadcast the block to their peer nodes. The purpose of this is to propagate the block to the rest of the network as quickly as possible. Miners can only receive block rewards after their blocks are accepted. Therefore, under normal circumstances, it is in the best interest of miners to submit any new blocks to competitors quickly.

However, in some cases, deviating from this policy allows miners with x% of the network's hashrate to receive more than x% of the block rewards.

The strategy works by selfish miners withholding the blocks they find and broadcasting them selectively, so that honest miners are forced to mine on those blocks.

The following diagram shows the algorithm that selfish miners use to determine whether to publish their blocks:

(Figure: The original selfish mining strategy)

However, this alone is not enough for selfish miners to make a profit. As long as the mining difficulty remains unchanged, miners using selfish mining strategies will suffer losses. Of course, the losses of honest miners will be even greater. Therefore, in this case, rational participants will not use selfish mining strategies.

The selfish mining strategy may only be profitable when the network difficulty is adjusted downward.

The following formula gives the percentage of computing power that selfish miners need to have to increase their relative mining income:

If γ = 1/2, selfish mining is profitable when α ≥ 1/4, and if γ = 0, selfish mining is profitable when α ≥ 1/3 (where α is the fraction of total hashrate controlled by selfish miners, and γ is the fraction of honest miners that choose to mine on blocks posted by selfish miners).
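To make the two claims above measurable (a loss for everyone while difficulty is unchanged, and an excess share once α passes the threshold), the following added example runs a Monte Carlo model of the withholding state machine. It is not code from the paper or from the NIST simulator; the function names are ours, and the threshold and closed-form share are the expressions published by Eyal and Sirer, which this page does not reproduce.

```python
import random

def profit_threshold(gamma):
    """Eyal-Sirer hashrate share above which the selfish share exceeds alpha."""
    return (1 - gamma) / (3 - 2 * gamma)

def closed_form_share(alpha, gamma):
    """Eyal-Sirer closed-form share of main-chain blocks won by the selfish pool."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    return num / (1 - alpha * (1 + (2 - alpha) * alpha))

def simulate(alpha, gamma, n_events=200_000, seed=1):
    """Monte Carlo run at constant difficulty; one event = one block found.

    Returns (selfish share of main-chain blocks,
             selfish main-chain blocks per event,
             honest main-chain blocks per event).
    """
    rng = random.Random(seed)      # fixed seed so runs are reproducible
    lead, tie = 0, False           # lead: withheld blocks ahead; tie: two equal public forks
    selfish = honest = 0
    for _ in range(n_events):
        selfish_found = rng.random() < alpha
        if tie:                    # fork race is decided by whoever finds the next block
            if selfish_found:
                selfish += 2
            elif rng.random() < gamma:   # honest miner extended the selfish fork
                selfish += 1
                honest += 1
            else:
                honest += 2
            tie = False
        elif selfish_found:
            lead += 1              # keep the new block private
        elif lead == 0:
            honest += 1            # nothing withheld: honest block simply wins
        elif lead == 1:
            lead, tie = 0, True    # publish the withheld block, race begins
        elif lead == 2:
            selfish += 2           # publish both, orphaning the honest block
            lead = 0
        else:
            selfish += 1           # publish one block, stay safely ahead
            lead -= 1
    return selfish / (selfish + honest), selfish / n_events, honest / n_events

if __name__ == "__main__":
    for alpha, gamma in [(0.2, 0.5), (0.3, 0.5), (0.25, 0.0), (0.4, 0.0)]:
        share, s_rate, h_rate = simulate(alpha, gamma)
        print(f"alpha={alpha} gamma={gamma} threshold={profit_threshold(gamma):.3f} "
              f"share={share:.3f} (closed form {closed_form_share(alpha, gamma):.3f}) "
              f"selfish/event={s_rate:.3f} honest/event={h_rate:.3f}")
```

The per-event rates are what each side earns before any difficulty adjustment; the share is what the selfish miner earns once the DAA has lowered difficulty to restore the block interval.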

1.2 Difficulty Adjustment Algorithm (DAA)

Because proof-of-work (PoW) cryptocurrencies have no central authority that determines who can mine and at what rate, the total amount of network computing power can change over time.

However, in order to maintain a planned monetary policy and a better user experience, new blocks should be found in a predictable time regardless of hashrate (e.g., Bitcoin targets a 10-minute block interval). Without a difficulty adjustment algorithm (DAA), an increase in hashrate would make blocks found more and more frequently, leading to a higher inflation rate for the currency and making payments less predictable and secure. The role of the difficulty adjustment algorithm (DAA) is to change the difficulty of the mining puzzle to adapt to changes in hashrate, generating blocks at a relatively constant rate.

While the primary purpose of the Difficulty Adjustment Algorithm (DAA) is to maintain block time consistency over the long term despite fluctuations in hashrate in order to enforce a cryptocurrency’s monetary policy, various other factors may be taken into account in its design.

For example, when hashrate remains constant, the Difficulty Adjustment Algorithm (DAA) should avoid sudden difficulty changes, prevent wild oscillations in the feedback between hashrate and difficulty, and avoid abnormally long intervals between new blocks.

1.3 Time and timestamp

Keeping an accurate clock in a distributed system is a challenging problem, and relatively accurate timing is required for the difficulty adjustment algorithm.

Some cryptocurrencies have different timestamp rules, but the rules studied here are roughly the same. Nodes care about three concepts of time: system clock time, block timestamp, and network adjusted time. When nodes connect, they each send a timestamp to each other. Monero is the only cryptocurrency in this study that does not use network adjusted time.

Since the block timestamp is the only time that nodes can objectively agree on, it is the timestamp used in the Difficulty Adjustment Algorithm (DAA) calculation. There are two rules that determine whether a node will consider a block valid based on its timestamp:

  1. The block timestamp must be no more than 2 hours ahead of the network adjusted time (or in the case of Monero, the system clock time);

  2. The timestamp must be greater than the median timestamp of the previous 11 blocks.

Together, these rules should prevent block timestamps from deviating from actual time by more than a few hours, and provide nodes with an agreed-upon notion of time for difficulty adjustments to occur.

However, if the difficulty adjustment algorithm (DAA) is poorly designed (or poorly implemented), malicious miners could strategically set block timestamps to “confuse” the algorithm and quickly lower the difficulty, thereby mining more rewards faster.

This is a type of attack known as a time warp, and attackers have successfully executed it on several cryptocurrencies, causing the coins to be minted much earlier than originally planned.

Another possible attack using timestamps is a time hijacking attack that exploits the network adjusted time. By connecting to the target node multiple times and reporting incorrect timestamps, an attacker who controls more than half of the target's connections can move the victim's network adjusted time forward or backward by up to 70 minutes, which can be used to force the target node to temporarily consider a block to be valid or invalid.
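The two validity rules and the 70-minute bound on network adjusted time can be modelled in a few lines, which shows how much timestamp slack a node actually tolerates. This is an added example, not code from any node implementation: the function names and sample values are constructed, rule 1 is read as the usual future-time limit, and ignoring an out-of-bound peer median is a simplifying assumption.

```python
from statistics import median

MAX_FUTURE = 2 * 60 * 60   # rule 1: at most 2 hours ahead of adjusted time
MAX_ADJUST = 70 * 60       # peers can shift adjusted time by at most 70 minutes
MTP_WINDOW = 11            # rule 2: median of the previous 11 blocks

def network_adjusted_time(system_time, peer_offsets):
    """System clock plus the median peer offset, ignored if beyond the bound."""
    if not peer_offsets:
        return system_time
    offset = int(median(peer_offsets))
    if abs(offset) > MAX_ADJUST:
        offset = 0         # assumption: an out-of-range median is discarded
    return system_time + offset

def median_time_past(prev_timestamps):
    """Median timestamp of the last 11 blocks (middle element when sorted)."""
    window = sorted(prev_timestamps[-MTP_WINDOW:])
    return window[len(window) // 2]

def check_timestamp(ts, prev_timestamps, adjusted_time):
    """Apply both rules and return a verdict string."""
    if ts <= median_time_past(prev_timestamps):
        return "reject: not after median of previous 11 blocks"
    if ts > adjusted_time + MAX_FUTURE:
        return "reject: more than 2 hours ahead of adjusted time"
    return "accept"

# Constructed sample data: 11 blocks at 10-minute spacing, tip at NOW - 600.
NOW = 1_600_000_000
CHAIN = [NOW - 600 * (11 - i) for i in range(11)]
HONEST_PEERS = [-3, -1, 0, 1, 2]          # clock offsets in seconds
SKEWED_PEERS = HONEST_PEERS + [4200] * 6  # majority reports +70 minutes

if __name__ == "__main__":
    honest_view = network_adjusted_time(NOW, HONEST_PEERS)
    skewed_view = network_adjusted_time(NOW, SKEWED_PEERS)
    late_block = NOW + 3 * 60 * 60        # stamped 3 hours ahead of real time
    print("median time past lags tip by", CHAIN[-1] - median_time_past(CHAIN), "s")
    print("3h-ahead block, honest view:", check_timestamp(late_block, CHAIN, honest_view))
    print("3h-ahead block, skewed view:", check_timestamp(late_block, CHAIN, skewed_view))
```

In this sample a timestamp 50 minutes older than the chain tip still passes rule 2, and a node whose peer majority is skewed accepts a block stamped up to 3 hours 10 minutes ahead of real time, so monitoring peer clock offsets and block timestamp drift is worthwhile.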

1.4 Evolution and variants of selfish mining strategies

What we need to know is that the selfish mining strategy is unprofitable before the difficulty adjustment, which has been demonstrated by Cyril Grunspan and Ricardo Pérez-Marco, and this is one of the reasons why we have not observed selfish mining attacks in the Bitcoin network.

Research by Nayak et al. shows that various "stubborn mining" strategies can increase miners' profits. In addition, combining these strategies with eclipse attacks can increase profits and even counterintuitively benefit the "victims" of eclipse attacks. Sapirshtein et al. further improved selfish mining using the Markov decision process, obtained the optimal mining strategy, and showed that using their strategy, miners can reduce the computing power required for attacks from 25% to 23.21%.

Others have studied the performance of selfish mining in more detailed models or in real-world settings, where selfish miners tend to create larger blocks and collect more fees. Gervais et al. incorporate block propagation time, block size, expected block time, and the likelihood of eclipse attacks into their model and show that larger block sizes and shorter expected block times increase the relative income of selfish miners, but advanced block propagation techniques can minimize this problem.

The above studies only considered the model with a single selfish miner, while other studies expanded to the situation where multiple selfish miners act simultaneously.

For example, Francisco J Marmolejo-Cossío et al. proposed that the security of cryptocurrency will be further degraded when there are multiple selfish miners. For example, when there are two independent selfish miners, the computing power threshold for selfish mining can be reduced to 21.48%.

Unlike Bitcoin, Ethereum's "uncle blocks" also provide rewards, which theoretically lowers the threshold for selfish mining, because these blocks still give selfish miners some rewards, making the strategic risk lower. According to the research of Ritz and Zugenmaier, the profitability threshold of selfish mining is α=0.185±0.012 based on the observed proportion of Ethereum uncle blocks. Niu and Feng's Markov model found that selfish mining in Ethereum is profitable when α>0.163, and below this value, the losses of selfish miners are lower than their losses from selfish mining activities on Bitcoin. In addition, due to uncle block rewards, the income of both selfish miners and honest miners increases with α, which may lead to higher inflation of Ethereum assets.

More recently, Cyril Grunspan and Ricardo Pérez-Marco more formally analyzed Ethereum’s susceptibility to selfish mining and proposed a new variant strategy.

Other types of mining attacks that are related to selfish mining but different from it are also increasing.

For example, the FAW (Fork After Withholding) attack proposed by Yujin Kwon et al. involves withholding the proof-of-work solution from the mining pool to which the attacker belongs, and then propagating the solution only when external honest miners publish their solution, thereby creating a deliberate fork. This strategy is always profitable, and in fact it is a way for large mining pools to attack small mining pools. Coin-hopping is another attack method, in which the attacker jumps from one coin to another, forcing honest miners to face a higher difficulty chain, and then switching back when the difficulty decreases, which allows the attacker's miners to mine at the lowest possible cost.

1.5 Coping strategies

Eyal and Sirer, the first proposers of the selfish mining attack scheme, suggested that when two competing chains appear, honest miners should choose randomly instead of giving priority to the first chain they see. This is equivalent to setting γ to 0.5, so if α < 0.25, selfish mining will be unprofitable.

Heilman proposed a technique called Freshness Preferred, where miners do not accept the first block they see, but the block with the latest timestamp from a trusted source. He also suggested using NIST random beacons for "unforgeable timestamps", which raises the profitability threshold for selfish mining to 0.32.

ZeroBlock attempts to prevent selfish mining by having miners append "fake" blocks to the end of their local chain if they have not seen a new block for a certain period of time. Zhang and Preneel proposed a backward-compatible defense against selfish mining, but the main disadvantage of this scheme is that it takes longer for the network to recover from a partition.

1.6 Simulator

It is reported that the researchers of the paper proposed a simulator using the Monte Carlo method to establish the profitability of selfish mining for various difficulty adjustment algorithms (DAA).

Simulator code repository link: https://github.com/usnistgov/SelfishMiningSim

The difficulty adjustment algorithm (DAA) selected for the study is currently used by the top cryptocurrencies in the market, and the PoW consensus mechanism used by Ethereum is more complex and therefore beyond the scope of the study. The currencies considered here are BTC, BCH, LTC, XMR, Dash, and Zcash.

It is reported that this simulator makes some simplifying assumptions:

  1. Continuous block rewards;

  2. Constant hashrate (no new miners coming online or disappearing);

  3. There is no propagation delay for blocks;

  4. After the attack, the exchange rate of cryptocurrencies remained unchanged;

  5. There is only one selfish miner (or mining pool);

In addition, the study did not consider how honest miners would react when they discover a selfish mining attack. In theory, honest miners might take actions to reduce the efficiency of selfish miners. However, existing research shows that selfish mining tends to be more profitable when multiple miners apply this strategy simultaneously.

1.7 Simulation results

(It’s important to emphasize that the results here are for the difficulty adjustment algorithm (DAA) itself, not necessarily the coins that use it, as some cryptocurrencies (such as BCH and Dash) have other mitigation measures in place that may make selfish mining more challenging or less profitable.)

The results of the study show that Bitcoin selfish miners need to control a large portion of computing power to be profitable, and even when they are profitable, their TARG (time-adjusted relative return) is lower than under the algorithms of other currencies.

At 40% hashrate and no network influence, a Bitcoin selfish miner will still be loss-making (over 10,000 blocks), while for the next best competitor, Monero, the same selfish miner will increase his time-adjusted revenue by 19.15%. However, this gap tends to narrow as the selfish miner's network influence increases. The Dark Gravity Wave (DGW) algorithm used by Dash and the Digishield algorithm used by Zcash are another case, with the DGW algorithm being particularly susceptible to timestamp manipulation, while BCH's D601 algorithm is somewhere in between.

(Figure: TARG results for each coin with default parameters)

1.8 Conclusion and future research directions

This paper compares the effectiveness of selfish mining strategies against various difficulty adjustment algorithms. In addition, the study also proves that some algorithms are more susceptible to selfish mining attacks than others, and selfish miners should consider block timestamp manipulation as a new component of their strategy space.

There are many issues that need to be studied in future work, such as how miners determine the best timestamp, and whether there are more advanced strategies than naively setting the timestamp to an offset from the miner's system time.

How does timejacking affect the profitability of selfish mining? What if multiple selfish miners are mining a cryptocurrency at the same time, and timestamp manipulation greatly reduces the threshold for profitability?

There are many other potential difficulty adjustment algorithms that could be analyzed, including simple combinations. Finally, future research should also examine the effectiveness of certain mitigation measures, such as those currently employed by BCH and Dash.

Satoxi's brief comment: Judging from the difficulty adjustment algorithm alone, Bitcoin seems to be the most resistant to selfish mining attacks, and the requirement to achieve profitability (40% computing power) makes the possibility of such attacks very low, while selfish mining in other PoW currencies is relatively easier to achieve. Of course, some currencies have taken mitigation measures, and their effectiveness still needs to be confirmed.

2. Weekly selection of hardcore technical articles

2.1 Using Verifiable Random Function (VRF) to Eliminate Mining Pools

Authors: Runchao Han, Haoyu Lin

The researchers proposed a mining structure based on a verifiable random function (VRF). Under this structure, anyone who wants to run a mining pool must reveal their private key to the pool's miners (the private key is required to calculate the VRF_hash). The result is that no one will choose to run a public mining pool, thus achieving the goal of one-cpu-one-vote.

Compared with other mining scheme designs, this structure is theoretically more decentralized.

Chinese version link: https://hackmd.io/rObi2JbHSUaFUumecjPAow?view

Satoxi's comment: Although such a design is unlikely to be accepted by Bitcoin and Ethereum mining pools (and therefore cannot be adopted), its conception is very interesting. Will complete decentralization be accepted by participants? Is the existence of mining pools necessary? These are questions that have not yet been verified.

2.2 How is Optimistic Rollup designed to achieve sustainable expansion and maintain decentralization?

Original author: John Adler Translator: Min Min & A Jian

Currently, among Ethereum's layer 2 solutions, the rollup solution has emerged, and optimistic rollup and zk rollup are among the most popular.

This post explains why optimistic rollup can achieve scalability in a secure and sustainable way while maintaining decentralization, and introduces some of the teams building this solution.

Article link: https://www.8btc.com/media/554829

Satoxi's brief comment: The optimistic rollup solution that relies on fraud proof and the zk rollup solution that relies on zero-knowledge proof are both very promising layer 2 solutions. As for which one is better, it depends on the specific application. The projects currently researching such solutions are worth observing.

2.3 Risks of extortion that Ethereum 2.0 validators may face

This post describes an attack method against Ethereum 2.0 validators: using the validator's private key, the attacker can generate slashable proofs and receive corresponding "whistleblower" rewards.

The hacker doesn’t need to ask for an immediate reward, so if he finds a zero-day attack on an Ethereum 2.0 client, he can quietly exploit all the validators he finds on the network.

As a victim, if you find yourself being hacked, the best strategy is to slash yourself as quickly as possible and claim the whistleblower reward. In any case, the staked funds will be lost.

Although the hacker’s whistleblower reward is limited (about 0.05 ETH), things would be interesting if he could hack a few thousand validators.

Additionally, since the losses faced by victims can be high (1-32 ETH), attackers may use extortion smart contracts to increase their profits.

Original link: https://ethresear.ch/t/trustless-validator-blackmailing-with-the-blockchain/6922

Satoxi's brief comment:

If participants do not have enough confidence in protecting their private keys, then they are better off not being validators. If they are very confident in themselves, then they can ignore this research.

3. Technical progress of mainstream blockchain projects

3.1 Bitcoin development update progress

  1. OP_CHECKTEMPLATEVERIFY (CTV) Workshop: If this proposed soft fork is adopted, users will be able to create covenants using a new CTV opcode, which has several possible applications, most notably vaults and compressed payment batching.

  2. Eclair was upgraded to version 0.3.3, which adds support for multi-path payments, experimental support for trampoline payments, and other improvements;

  3. Experimental tools for Taproot and tapscript: Karl Johan Alm published an experimental fork of his btcdeb tool on the Bitcoin Dev list.

More technical updates: https://bitcoinops.org/en/newsletters/2020/02/12/

3.2 Ethereum development update progress

Ethereum 1.X update content:

  1. Nethermind v1.6.1 client released;

  2. Parity v2.7.2 client released;

Ethereum 2.0 R&D update content:

  1. Ethereum 2.0 updates at a glance;

  2. Ethereum 2.0 research team AMA event;

That’s all for this issue. See you next week~
