SlideShare a Scribd company logo

Mining pools and attacks

Download as PPTX, PDF
V
vpnmentor

Presentation by Stefan Dziembowski, associate professor and leader of Cryptology and Data Security Group University of Warsaw. In BIU workshop on Bitcoin. Covered exclusively by vpnMentor.com

Internet
1 of 73
Mining Pools and Attacks Stefan Dziembowski University of Warsaw Workshop on Bitcoin, Introduction to Cryptocurrencies, Kfar Maccabiah, Ramat Gan, Israel, June 6-7, 2016
Plan 1. Mining pools 2. Security of Bitcoin
Mining pools Miners create cartels called the mining pools This allows them to reduce the variance of their income.
Note 283,494,086 GHash / s 1,700 GHash / s The hashrate of the Achilles Labs AM-1700 miner (1095 USD) The total hashrate of the Bitcoin system as of 5.11.2014 number of blocks in 1 year The user has to wait on average over 3 years to mine a block (even if the difficulty does not increase!) ≈ 166,761 = 3.17 ⋅ (365 ⋅ 24 ⋅ 6)
The general picture The mining pools are operated centrally or are designed in a p2p way. Some of the mining pools charge fees for their services. In other words: • the expected revenue from pooled mining is slightly lower than the expected revenue from solo mining, • but the variance is significantly smaller. Tricky part: how to prevent cheating by miners? How to reward the miners? E.g. if the operator got 25 BTC from mining then he will share 25 BTC – fee among them (and keep the fee to himself)
Popular mining pools As of Oct 13, 2015:
How to design a mining pool? Simple idea: mining pool operator miner a list of transactions 𝐓 𝐢 and a hash 𝐇(𝐁𝐢) this includes a coinbase transaction transferring the reward to 𝐩𝐤. 𝐩𝐤 tries to find 𝐧𝐨𝐧𝐜𝐞 such that 𝐇 𝐧𝐨𝐧𝐜𝐞, 𝐇 𝐁𝐢 , 𝐓 𝐢 starts with 𝐧 zeros current hardness parameter if he finds such 𝐧𝐨𝐧𝐜𝐞 then he sends it to the operator once 𝐧𝐨𝐧𝐜𝐞 is found by some of the pool members each of them is rewarded proportionally to his work. Problem How to verify how much work a miner really did?
A solution: “Proportional method” mining pool operator miner a list of transactions𝐓 𝐢and a hash 𝐇(𝐁𝐢) tries to find 𝐧𝐨𝐧𝐜𝐞 such that 𝐇 𝐧𝐨𝐧𝐜𝐞, 𝐇 𝐁𝐢 , 𝐓 𝐢 starts with 𝐧 zeros if he finds such a 𝐧𝐨𝐧𝐜𝐞 then he sends it to the operator he also submits the “partial solutions”, i.e. values 𝐧𝐨𝐧𝐜𝐞 such that 𝐇 𝐧𝐨𝐧𝐜𝐞, 𝐇 𝐁𝐢 , 𝐓 𝐢 starts with 𝐧′ zeros 𝐧′ ≪ 𝐧 The “amount of work” is measured by the number of “partial solutions” submitted.
Works if the miners don’t change the pools 𝜶 𝟏 𝜶 𝟐 𝜶 𝟑 𝜶 𝟒 ≈ proportional to 𝜶 𝟏 ≈ proportional to 𝜶 𝟐 ≈ proportional to 𝜶 𝟑 ≈ proportional to 𝜶 𝟒 time proportion of computing power probability of that this pool wins: 𝜶 𝟏 + 𝜶 𝟐 + 𝜶 𝟑 + 𝜶 𝟒 pool members submitted shares reward for 𝐏𝟏 in case it wins: 𝐁𝐓𝐂 𝟐𝟓 ⋅ 𝜶 𝟏 𝜶 𝟏+𝜶 𝟐+𝜶 𝟑+𝜶 𝟒 𝐏𝟏 expected reward for 𝐏𝟏: 𝐁𝐓𝐂 𝟐𝟓 ⋅ 𝜶 𝟏
What if the miners change pools? 𝜶 𝟏 𝜶 𝟐 𝜶 𝟑 𝜶 𝟒 time 𝐏𝟏 start a new pool Now the expected revenue of 𝐏𝟏 is a sum of • 𝜶 𝟏 (from the new pool) • plus the revenue from the old pool.
A problem with the proportional method: “Pool hopping” It is profitable to escape from pools with lots of shares submitted. (since such pools have a lot of “mouths to feed” there)
A solution: do not rewarding each share equally Example: Slush’s method Use a scoring function that assigns to each share a score 𝐬. Then assign rewards proportionally to the score. Slush’s scoring function: 𝒔 = 𝐞𝐱𝐩 𝐓 𝐂 . Intuitively: this gives advantage to miners who joined late. time since the beginning of this “round” some constant
Another solution: “Pay-per-share” The operator pays per each partial solution no matter if he managed to extend the chain. mining pool operator miner partial solution reward Major drawback: risky for the operator. He needs to have some reserves to cover the potential losses.
Other methods Score-based: Geometric method, Double geometric method, Pay-per-last-N-shares, Improved pay-per-share: Maximum pay-per-share, Shared maximum pay-per-share, Equalized , Shared maximum pay- per-share, (see [Meni Rosenfeld, Analysis of Bitcoin Pooled Mining Reward Systems, 2011], [Okke Schrijvers, Joseph Bonneau, Dan Boneh, and Tim Roughgarden, Incentive Compatibility of Bitcoin Mining Pool Reward Functions]) ...
How secure are these methods We can assume that the mining pool operator is honest, since he has a reputation. Much harder to avoid: attacks from malicious miners. We discuss two of them: • “sabotage”, • “lie-in-wait”. Both of them are based on withholding certain blocks. a bit similar to the selfish- mining attack on Bitcoin that we discuss later
A “Sabotage”attack on mining pools Submit only the partial solutions. mining pool operator partial solution rewardcomplete solution dishonest miner Results: • the pool looses money • the dishonest miner doesn’t earn anything (also looses a small amount) Adversary’s goal: make the mining pool bankrupt (e.g. he owns a competing pool). It is rumored that in June 2014 such an attack was executed against the mining pool Eligius. Estimated loses: 300 BTC.
Another attack: “lie-in-wait” Once you find a solution for 𝐏𝟐 (say): 1. wait with submitting it 2. mine only for 𝐏𝟐 3. submit the solution to 𝐏𝟐 after some time. It can be formally shown that this is profitable (see [Rosenfeld, 2011]) Mine for several mining pools: 1/3 computing power mining pool 𝐏𝟐 mining pool 𝐏𝟏 mining pool 𝐏𝟑 Intuition: 𝐏𝟐 is a very likely winner
Can we have a mining pool without an operator? (remember: the operators typically charge a fee). Answer: yes, using the Peer-to-peer mining pools.
Peer-to-peer mining pools General idea: the miners create a blockchain with hardness parameter 𝐧′ ≪ 𝐧 on top of the last block 𝐁𝐢. Every 𝐁𝐢 𝟏 , 𝐁𝐢 𝟐 , … is a valid extension of 𝐁𝐢 (except that the hardness may be smaller than 𝐧). The parameter 𝐧′ is chosen is such a way that a new block appears often (say: once per 30 sec.) 𝐁𝐢 𝐏𝟏 𝐏𝟐 𝐏𝟑 𝐁𝐢 𝟏 𝐁𝐢 𝟐 𝐁𝐢 𝟑 𝐧 – current hardness parameter Hence: this has to be done using some other fields in the block (fortunately: blocks have space for this).
How is it done technically? Bitcoin blocks contain fields that can be used to store H(𝐁𝐢 𝐣 )’s. H 𝐁𝐢: … … … 𝐁𝐢 𝟏 : H nonce H(Bi) trans. 𝐁𝐢 𝟐 : nonce H(Bi) trans. H(𝐁𝐢 𝟏 ) H 𝐁𝐢 𝟑 : nonce H(Bi) trans. H(𝐁𝐢 𝟐 )
Finally someone will find a block that extends 𝐁𝐢 according to Bitcoin rules. 𝐁𝐢 𝐏𝟏 𝐏𝟐 𝐏𝐤 𝐁𝐢 𝟏 𝐁𝐢 𝟐 𝐁𝐢 𝐤. . . 𝐁𝐢+𝟏=: 𝐁𝐢 𝐤 enters the main Bitcoin’s blockchain as 𝐁𝐢+𝟏 ends with 𝐧 zeros call it “final”
How to divide the revenue from mining? 𝐁𝐢 𝐏𝟏 𝐏𝟐 𝐏𝟑 𝐁𝐢 𝟏 𝐁𝐢 𝟐 𝐁𝐢 𝟑 includes in 𝐁𝐢 𝟐 a payment to 𝐏𝟏 includes in 𝐁𝐢 𝟑 a payment to 𝐏𝟏 and 𝐏𝟐 if this is missing then other pool members will not mine on top of this block Note: the miner does not know in advance if his block will be final. He has to choose the payment information beforehand.
Plan 1. Mining pools 2. Security of Bitcoin
Possible attack goals • double spending, • get more money from mining than you should, • “short selling” – bet that the price of BTC will drop and then destroy the system (to make the price of BTC go to zero), • someone (government?) interested in shutting Bitcoin down… “Goldfinger attack” Note: this can be done e.g. by a spectacular fork that lasts just for a few hours…
What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
Some notable cases of programming errors • a block 74638 (Aug 2010) contained a transaction with two outputs summing to over 184 billion BTC – this was because of an integer overflow in Bitcoin software (solved by a software update and a “manual fork”) one double spending observed (worth 10.000 USD). • a fork at block 225430 (March 2013) caused by an error in the software update of Bitcoin Core (lasted 6 hours, solved by reverting to an older version of the software) Moral: nothing can be really “completely distributed”. Sometimes human intervention is needed…
Transaction Malleability T2 = (User P1 sends 1 BTC from T1 to P2 signature of P1 on [T2]) Hash Hash(T2) Problem: transactions are identified by their hashes TxId = Hence one can change TxId by mauling the signature: (User P1 sends 1 BTC from T1 to P2 𝝈) (User P1 sends 1 BTC from T1 to P2 𝝈’)
How to do it? Other methods also exists… 𝝈 = (r,s) is a valid signature on M w.r.t. pk 𝝈′ = (r, -s (mod N)) is a valid signature on M w.r.t. pk Bitcoin uses ECDSA signatures. Hence:
What can the adversary do? transaction T mauled T miners [Andrychowicz et al 2015]: very easy to perform in practice.
Is it a problem? Often: NO (the mauled transaction is semantically equivalent to the original one) When things can go wrong? • Bitcoin contracts • buggy software
Claimed attack on MtGox deposits 1 BTC withdraws 1 BTC transaction T = “MtGox sends 1 BTC to A” A transaction T’ = mauled transaction T blockt blockt+1 blockt+2 blockt+3 Since MtGox cannot see a transaction with TxId Hash(T) in the blockchain. Thus it concludes that the transaction did not happen. (so A can double spend) [Decker and Wattenhofer, ESORICS 2014]: this is probably not true.
What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
One obvious problem: lack of anonymity Can sometimes be de-anonymized: [Meiklejohn et al., A fistful of bitcoins: characterizing payments among men with no names, 2013] 1 BTC 1 BTC can be linked 1BTC 1 BTC 1 BTC Heuristic solution: 1BTC
Another problem/feature: hardware mining History of mining: CPU → GPU → FPGA → ASIC
Drawbacks of the hardware mining 1. Makes the whole process ``non-democratic”. 2. Easier to attack by very powerful adversary? 3. Excludes some applications (mining a as “micropayment’’). ?
Advantages of the hardware mining • Security against botnets. • Makes the miners interested in the long-term stability of the system. How “long term”? Remember that the total hashrate can go up almost 100x in one year…
Risk associated to pooled mining June 2014: the Ghash.io pool got > 50% of the total hashpower. Then this percentage went down…
Observation What we were promised: “distributed currency independent from the central banks” What we got (in June 2014): “currency controlled by a single company”…
A problem Individual miners lost control over which blocks they mine. For example in the Stratum protocol (commonly used by mining pools): miners cannot choose Bitcoin transactions on their own From mining.bitcoin.cz/stratum-mining: “In my experience 99% of real miners don’t care about transaction selection anyway, they just want the highest possible block reward. At this point they share the same interest with pool operator, so there’s no real reason to complicate mining protocol just for those 1% who want to create custom blocks for the pool.”
How to break Bitcoin? 1. Start a number of mining pools with a negative fee. 2. Wait until you get >50% of the total hashrate. Will the miners join? they just want the highest possible block reward…
What is really our security assumption? “As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers” we proposed a peer-to- peer network using proof- of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power 1. No cartel controls the majority of the computing power, or 2. The majority of participants is 100% honest. ?
In order for the Bitcoin to work we need a following (strong) assumption: The majority behaves honestly even if it has incentives not to do so. Is it realistic? enthusiast: sceptics: Yes, since the majority is interested in maintaining the system No, since this is not how capitalism works… (e.g.: tragedy of the commons)
Another risk Why not to rent the hashpower to perform the attack?
Conjecture Maybe the only reason why nobody broke Bitcoin yet is that nobody was really interested in doing it?
How to analyze it? Use a game-theoretic model. See: [Joseph Bonneau, Edward W. Felten, Steven Goldfeder, Joshua A. Kroll and Arvind Narayanan, Why buy when you can rent? Bribery attacks on Bitcoin consensus, 2014]
Major research direction Provide a full game- theoretic model for cryptocurrencies, and show a currency secure in it.
What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
Easy to see An adversary that controls majority of computing power can always break the system. blocki blocki+1 blocki+2 block’i+2 blocki+3 blocki+4 block’i+3 block’i+4 block’i+5 pays using transaction T T Eventually this branch becomes longer so he can “cancel T” and double spend.
It turns out that even a dishonest minority can attack Bitcoin... Selfish mining Ittay Eyal, Emin Gun Sirer Majority is not Enough: Bitcoin Mining is Vulnerable Basic idea: when you mine a new block keep it to yourself (also called block withholding strategy). Goal: make the honest miners waste their effort at mining blocks that will never make it to the chain. Observe • the proportion of the blocks that you mine will be higher than it should be, • hence: you will earn more than your share of computing power (since Bitcoin adjusts the difficulty)
Why is it bad? If there is a strategy that is more beneficial than the honest strategy then miners have an incentive to misbehave (“Bitcoin is not incentive compatible”) (recall that with the honest strategy every miner whose computing power is an 𝜶-fraction of the total computing power gets an 𝜶-fraction of the revenue) Moreover: the larger 𝜶 is the more beneficial this strategy is. Therefore: the miners have incentives to join a large pool that uses this strategy. fraction of revenuefraction of computing power
A simplifying assumption (for a moment) What happens when there is a fork? Bitcoin specification: “from two chains of equal length mine on the first one that you received”. Assume that the adversary is always first (e.g. he puts a lot of “fake nodes” that act as sensors).
An observation Assume that the adversary does not broadcast the new block that he found (and mines on it “privately”). Two things can happen: 1. the adversary manages to extend his “private block chain” by one more block, or 2. the “honest users” manage to find an alternative extension. blocki blocki+1 blocki+2 block’i+2 blocki+3 In this case the adversary quickly publishes his block so he looses nothing
If the adversary is lucky then he obtains advantage over the honest miners. blocki blocki+1 block’i+2 blocki+2 blocki+3 blocki+4 blocki+5 block’i+3 block’i+4 block’i+5 he publishes his chain if the “public chain” equalizes with it the reward for these blocks goes to him Note: this works even if the adversary has minority of computing power.
Full attack The assumption that “the adversary is always first” may look unrealistic. Eyal and Sirer show a modification of this strategy that works without this assumption. 𝜸 − probability that an honest user chooses adversary’s block 𝜶 – fraction of adversary’s computing power We present it on next slides.
Note 𝜸 − probability that an honest user chooses adversary’s block 𝜶 – fraction of adversary’s computing power the probability that the adversary wins if there is a fork is equal to 𝜶 + 𝟏 − 𝜶 𝜸 the adversary extends the chain an honest miners extend the chain they extend adversary’s chain they extend the “honest” chain prob. 𝜶 prob. 𝟏 − 𝜶 prob. 𝜸 prob. 𝟏 − 𝜸 Why? denote it 𝜹
At the beginning of the attack we have: initial state: someone mined a new block and everyone is trying to extend it state 𝟎 First step: if the adversary finds a new block – he keeps it private.
the honest miners also find a block adversary finds another block on top of his old one the adversary published his block ASAP “honest block” won “adversary’s block” won state 𝟎 prob. 𝟏 − 𝜶 prob. 𝜶 prob. 𝟏 − 𝜹 prob. 𝜹 state 𝟏 state 𝟎′ state 𝟎 state 𝟎 state 𝟐 the adversary found a new block
From state 𝟐: state 𝟐 state 𝟑 the adversary publishes his chain ASAP state 𝟎 prob. 𝜶 prob. 𝟏 − 𝜶
In general for 𝒊 ≥ 𝟐 state 𝒊 𝒊 state 𝒊: “the adversary has advantage 𝒊 over the honest miners”
This leads to the following state machine: state 𝟎 state 𝟎′ state 𝟏 state 𝟐 state 𝟑 state 𝟒 . . . 𝜶 𝜶 𝜶 𝜶 𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶 𝜶 𝟏 − 𝜶𝟏
This converges to some stationary distribution 𝐩 𝟎, 𝐩 𝟎′, 𝐩 𝟏, 𝐩 𝟐, 𝐩 𝟐, … We can find it using the theory of Markov chains 𝐩 𝟎 𝐩 𝟎′ 𝐩 𝟏 𝐩 𝟐 𝐩 𝟑 𝐩 𝟒 . . . 𝜶 𝜶 𝜶 𝜶 𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶 𝜶 𝟏 − 𝜶𝟏
How to calculate adversary’s revenue? state 𝟎 state 𝟎′ state 𝟏 state 𝟐 state 𝟑 state 𝟒 . . . +𝟏 +𝟏 +𝟏 +𝟏 (∗) ∗ = +𝟏 iff the adversary “won a fork”. This happens with probability 𝜹. Look when the adversary “earns a block”: Hence the expected revenue of the adversary is equal to: 𝜹 ⋅ 𝒑 𝟎′ + 𝜶 ⋅ 𝒑 𝟏 + 𝜶 ⋅ 𝒑 𝟐 + ⋯
The final result Eyal and Sirer calculate this, and show that their strategy works as long as α > 𝟏−𝜸 𝟑 −𝟐𝜸 They also show that the larger 𝜶 is the more beneficial this strategy is. α 𝜸
How to fix it? One simple idea to make 𝜸 = 𝟏 𝟐 : Instruct the miners to mine on a random chain (in case they receive to equal ones)
Another clever attack Lear Bahack Theoretical Bitcoin Attacks with less than Half of the Computational Power The “Difficulty Raising Attack” – exploits the way the difficulty is adjusted in Bitcoin.
What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
Blocks without transactions Example: Reason: shorter blocks propagate faster.
In the future the opposite problem can happen When the mining reward becomes negligible, we can experience: Tragedy of the commons: adding a transaction costs nothing, so the miners will not be able to keep the transaction fees high.
Another question Verification of blocks takes time. Maybe it’s cheaper not to verify? (“verifier's dilemma”) (more relevant to Ethereum) See [Luu, Teutsch, Kulkarni, Saxena, Demystifying incentives in the consensus computer, ACM CCS 2015]. Recall that verification includes checking all transactions
Yet another question What happens if someone posts a transaction T with a very high fee (say 100 BTC)? blocki+1block1 blocki+2 for them it’s more profitable to mine on the old block
What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
A practical problem: How to store the bitcoins? • storing in plaintext on the PC – bad idea (malware attacks) • encrypting with a password – susceptible to the dictionary attacks • better: split the key between several devices. Two options: • use the “multisignature feature of Bitcoin • use secret sharing and the MPCs • store on the USB memory – also susceptible to malware (once connected to the PC). • use a smarter device – more secure, especially if it has a display:
©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Recommended

Blockchain Security and Privacy
Blockchain Security and PrivacyBlockchain Security and Privacy
Blockchain Security and PrivacyAnil John
 
Consensus Algorithms.pptx
Consensus Algorithms.pptxConsensus Algorithms.pptx
Consensus Algorithms.pptxRajapriya82
 
Dm from databases perspective u 1
Dm from databases perspective u 1Dm from databases perspective u 1
Dm from databases perspective u 1sakthyvel3
 
Network security & cryptography full notes
Network security & cryptography full notesNetwork security & cryptography full notes
Network security & cryptography full notesgangadhar9989166446
 
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...Edureka!
 
Blockchain Introduction Presentation
Blockchain Introduction PresentationBlockchain Introduction Presentation
Blockchain Introduction PresentationAmr Alaa Yassen
 
Blockchain
BlockchainBlockchain
BlockchainPedramDehghanpour
 
Bitcoin & Bitcoin Mining
Bitcoin & Bitcoin MiningBitcoin & Bitcoin Mining
Bitcoin & Bitcoin MiningAbdullah Khan Zehady
 

Recommended

Blockchain Security and Privacy
Blockchain Security and PrivacyBlockchain Security and Privacy
Blockchain Security and PrivacyAnil John
 
Consensus Algorithms.pptx
Consensus Algorithms.pptxConsensus Algorithms.pptx
Consensus Algorithms.pptxRajapriya82
 
Dm from databases perspective u 1
Dm from databases perspective u 1Dm from databases perspective u 1
Dm from databases perspective u 1sakthyvel3
 
Network security & cryptography full notes
Network security & cryptography full notesNetwork security & cryptography full notes
Network security & cryptography full notesgangadhar9989166446
 
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...Edureka!
 
Blockchain Introduction Presentation
Blockchain Introduction PresentationBlockchain Introduction Presentation
Blockchain Introduction PresentationAmr Alaa Yassen
 
Blockchain
BlockchainBlockchain
BlockchainPedramDehghanpour
 
Bitcoin & Bitcoin Mining
Bitcoin & Bitcoin MiningBitcoin & Bitcoin Mining
Bitcoin & Bitcoin MiningAbdullah Khan Zehady
 
Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Fermat Jade
 
How does blockchain work
How does blockchain workHow does blockchain work
How does blockchain workShishir Aryal
 
Blockchain voting
Blockchain votingBlockchain voting
Blockchain votingsandhyajoshi17
 
SHA-256.pptx
SHA-256.pptxSHA-256.pptx
SHA-256.pptxJadhavSujeet
 
Blockchain data structures and fundamental
Blockchain data structures and fundamentalBlockchain data structures and fundamental
Blockchain data structures and fundamentalCodium Club
 
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...Edureka!
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to BlockchainMalak Abu Hammad
 
Blockchain Technology and Its Application in Libraries
Blockchain Technology and Its Application in LibrariesBlockchain Technology and Its Application in Libraries
Blockchain Technology and Its Application in LibrariesNabi Hasan
 
Overview of Blockchain Consensus Mechanisms
Overview of Blockchain Consensus MechanismsOverview of Blockchain Consensus Mechanisms
Overview of Blockchain Consensus MechanismsJohannes Ahlmann
 
Smart contracts
Smart contractsSmart contracts
Smart contractsPhilippe Camacho, Ph.D.
 
Blockchain Basics
Blockchain BasicsBlockchain Basics
Blockchain BasicsShreyas Chaudhari
 
Blockchain and Bitcoin
Blockchain and BitcoinBlockchain and Bitcoin
Blockchain and BitcoinHugo Rodrigues
 
Bitcoin data mining
Bitcoin data miningBitcoin data mining
Bitcoin data miningmalathieswaran29
 
search strategies in artificial intelligence
search strategies in artificial intelligencesearch strategies in artificial intelligence
search strategies in artificial intelligenceHanif Ullah (Gold Medalist)
 
Hash crypto
Hash cryptoHash crypto
Hash cryptoHarry Potter
 
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...Edureka!
 
Blockchain
BlockchainBlockchain
BlockchainSai Nath
 
Lan architecture
Lan architectureLan architecture
Lan architectureLittle Chixcath Guinet
 
Understanding the NFT Ecosystem
Understanding the NFT Ecosystem Understanding the NFT Ecosystem
Understanding the NFT Ecosystem Andres Guadamuz
 
module-1.pptx
module-1.pptxmodule-1.pptx
module-1.pptxRaju385766
 
A research-oriented introduction to the cryptographic currencies (starting wi...
A research-oriented introduction to the cryptographic currencies (starting wi...A research-oriented introduction to the cryptographic currencies (starting wi...
A research-oriented introduction to the cryptographic currencies (starting wi...vpnmentor
 
On the Security of TLS-DHE in the Standard Model
On the Security of TLS-DHE in the Standard ModelOn the Security of TLS-DHE in the Standard Model
On the Security of TLS-DHE in the Standard Modelvpnmentor
 

More Related Content

What's hot

Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Fermat Jade
 
How does blockchain work
How does blockchain workHow does blockchain work
How does blockchain workShishir Aryal
 
Blockchain data structures and fundamental
Blockchain data structures and fundamentalBlockchain data structures and fundamental
Blockchain data structures and fundamentalCodium Club
 
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...Edureka!
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to BlockchainMalak Abu Hammad
 
Blockchain Technology and Its Application in Libraries
Blockchain Technology and Its Application in LibrariesBlockchain Technology and Its Application in Libraries
Blockchain Technology and Its Application in LibrariesNabi Hasan
 
Overview of Blockchain Consensus Mechanisms
Overview of Blockchain Consensus MechanismsOverview of Blockchain Consensus Mechanisms
Overview of Blockchain Consensus MechanismsJohannes Ahlmann
 
Blockchain and Bitcoin
Blockchain and BitcoinBlockchain and Bitcoin
Blockchain and BitcoinHugo Rodrigues
 
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...Edureka!
 
Blockchain
BlockchainBlockchain
BlockchainSai Nath
 
Understanding the NFT Ecosystem
Understanding the NFT Ecosystem Understanding the NFT Ecosystem
Understanding the NFT Ecosystem Andres Guadamuz
 

What's hot (20)

Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?Blockchain Study(1) - What is Blockchain?
Blockchain Study(1) - What is Blockchain?
 
How does blockchain work
How does blockchain workHow does blockchain work
How does blockchain work
 
Blockchain voting
Blockchain votingBlockchain voting
Blockchain voting
 
SHA-256.pptx
SHA-256.pptxSHA-256.pptx
SHA-256.pptx
 
Blockchain data structures and fundamental
Blockchain data structures and fundamentalBlockchain data structures and fundamental
Blockchain data structures and fundamental
 
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
 
Introduction to Blockchain
Introduction to BlockchainIntroduction to Blockchain
Introduction to Blockchain
 
Blockchain Technology and Its Application in Libraries
Blockchain Technology and Its Application in LibrariesBlockchain Technology and Its Application in Libraries
Blockchain Technology and Its Application in Libraries
 
Overview of Blockchain Consensus Mechanisms
Overview of Blockchain Consensus MechanismsOverview of Blockchain Consensus Mechanisms
Overview of Blockchain Consensus Mechanisms
 
Smart contracts
Smart contractsSmart contracts
Smart contracts
 
Blockchain Basics
Blockchain BasicsBlockchain Basics
Blockchain Basics
 
Blockchain and Bitcoin
Blockchain and BitcoinBlockchain and Bitcoin
Blockchain and Bitcoin
 
Bitcoin data mining
Bitcoin data miningBitcoin data mining
Bitcoin data mining
 
search strategies in artificial intelligence
search strategies in artificial intelligencesearch strategies in artificial intelligence
search strategies in artificial intelligence
 
Hash crypto
Hash cryptoHash crypto
Hash crypto
 
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
Blockchain Wallet | Blockchain Tutorial for Beginners | Blockchain Training ...
 
Blockchain
BlockchainBlockchain
Blockchain
 
Lan architecture
Lan architectureLan architecture
Lan architecture
 
Understanding the NFT Ecosystem
Understanding the NFT Ecosystem Understanding the NFT Ecosystem
Understanding the NFT Ecosystem
 
module-1.pptx
module-1.pptxmodule-1.pptx
module-1.pptx
 

Viewers also liked

A research-oriented introduction to the cryptographic currencies (starting wi...
A research-oriented introduction to the cryptographic currencies (starting wi...A research-oriented introduction to the cryptographic currencies (starting wi...
A research-oriented introduction to the cryptographic currencies (starting wi...vpnmentor
 
On the Security of TLS-DHE in the Standard Model
On the Security of TLS-DHE in the Standard ModelOn the Security of TLS-DHE in the Standard Model
On the Security of TLS-DHE in the Standard Modelvpnmentor
 
Michael schapira - Hebrew University Jeruslaem - Secure Internet Routing
Michael schapira - Hebrew University Jeruslaem - Secure Internet RoutingMichael schapira - Hebrew University Jeruslaem - Secure Internet Routing
Michael schapira - Hebrew University Jeruslaem - Secure Internet Routingvpnmentor
 
Alternative cryptocurrencies
Alternative cryptocurrencies Alternative cryptocurrencies
Alternative cryptocurrencies vpnmentor
 
Alternative cryptocurrencies
Alternative cryptocurrenciesAlternative cryptocurrencies
Alternative cryptocurrenciesvpnmentor
 
Smart contracts and applications part II
Smart contracts and applications part IISmart contracts and applications part II
Smart contracts and applications part IIvpnmentor
 
Smart contracts and applications part I
Smart contracts and applications part ISmart contracts and applications part I
Smart contracts and applications part Ivpnmentor
 

Viewers also liked (7)

A research-oriented introduction to the cryptographic currencies (starting wi...
A research-oriented introduction to the cryptographic currencies (starting wi...A research-oriented introduction to the cryptographic currencies (starting wi...
A research-oriented introduction to the cryptographic currencies (starting wi...
 
On the Security of TLS-DHE in the Standard Model
On the Security of TLS-DHE in the Standard ModelOn the Security of TLS-DHE in the Standard Model
On the Security of TLS-DHE in the Standard Model
 
Michael schapira - Hebrew University Jeruslaem - Secure Internet Routing
Michael schapira - Hebrew University Jeruslaem - Secure Internet RoutingMichael schapira - Hebrew University Jeruslaem - Secure Internet Routing
Michael schapira - Hebrew University Jeruslaem - Secure Internet Routing
 
Alternative cryptocurrencies
Alternative cryptocurrencies Alternative cryptocurrencies
Alternative cryptocurrencies
 
Alternative cryptocurrencies
Alternative cryptocurrenciesAlternative cryptocurrencies
Alternative cryptocurrencies
 
Smart contracts and applications part II
Smart contracts and applications part IISmart contracts and applications part II
Smart contracts and applications part II
 
Smart contracts and applications part I
Smart contracts and applications part ISmart contracts and applications part I
Smart contracts and applications part I
 

Similar to Mining pools and attacks

Understanding Proof of Work (PoW) and Proof of Stake (PoS) Algorithms
Understanding Proof of Work (PoW) and Proof of Stake (PoS) AlgorithmsUnderstanding Proof of Work (PoW) and Proof of Stake (PoS) Algorithms
Understanding Proof of Work (PoW) and Proof of Stake (PoS) AlgorithmsGautam Anand
 
On Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksOn Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksFilip Maertens
 
With a transaction fee market and without a block size limit in Bitcoin netwo...
With a transaction fee market and without a block size limit in Bitcoin netwo...With a transaction fee market and without a block size limit in Bitcoin netwo...
With a transaction fee market and without a block size limit in Bitcoin netwo...ijgttjournal
 
Ergo platform overview
Ergo platform overviewErgo platform overview
Ergo platform overviewDmitry Meshkov
 
Blockchain in Practice, ETH Computational Social Science, Fall 2019
Blockchain in Practice, ETH Computational Social Science, Fall 2019Blockchain in Practice, ETH Computational Social Science, Fall 2019
Blockchain in Practice, ETH Computational Social Science, Fall 2019Rafael Kallis
 
Ergo Presentation - Tokyo
Ergo Presentation - TokyoErgo Presentation - Tokyo
Ergo Presentation - TokyoAlex Chepurnoy
 
Decentralized mining Pools: Security and Attacks
Decentralized mining Pools: Security and AttacksDecentralized mining Pools: Security and Attacks
Decentralized mining Pools: Security and AttacksAlexei Zamyatin
 
Every thing bitcoin in baby language
Every thing bitcoin in baby languageEvery thing bitcoin in baby language
Every thing bitcoin in baby languageOssai Nduka
 
IEEE ICDM 2018 Tutorial on Blockchain Data Analytics
IEEE ICDM 2018 Tutorial on Blockchain Data AnalyticsIEEE ICDM 2018 Tutorial on Blockchain Data Analytics
IEEE ICDM 2018 Tutorial on Blockchain Data AnalyticsCuneyt Gurcan Akcora
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Alex Chepurnoy
 
Bitcoin : A fierce decentralized crypto currency - Report
Bitcoin : A fierce decentralized crypto currency - ReportBitcoin : A fierce decentralized crypto currency - Report
Bitcoin : A fierce decentralized crypto currency - ReportShivek Khurana
 
GET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarket
GET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarketGET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarket
GET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarketKennedy Odigie
 
Bitcoin Decision Point - April 2017
Bitcoin Decision Point - April 2017Bitcoin Decision Point - April 2017
Bitcoin Decision Point - April 2017Jeff Garzik
 
Ethereum Mining How To
Ethereum Mining How ToEthereum Mining How To
Ethereum Mining How ToNugroho Gito
 
Bitcoin block withholding attack
Bitcoin block withholding attackBitcoin block withholding attack
Bitcoin block withholding attackAnandhu kk
 
Introduction into blockchains and cryptocurrencies
Introduction into blockchains and cryptocurrenciesIntroduction into blockchains and cryptocurrencies
Introduction into blockchains and cryptocurrenciesSergey Ivliev
 

Similar to Mining pools and attacks (20)

Understanding Proof of Work (PoW) and Proof of Stake (PoS) Algorithms
Understanding Proof of Work (PoW) and Proof of Stake (PoS) AlgorithmsUnderstanding Proof of Work (PoW) and Proof of Stake (PoS) Algorithms
Understanding Proof of Work (PoW) and Proof of Stake (PoS) Algorithms
 
On Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksOn Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & Outlooks
 
With a transaction fee market and without a block size limit in Bitcoin netwo...
With a transaction fee market and without a block size limit in Bitcoin netwo...With a transaction fee market and without a block size limit in Bitcoin netwo...
With a transaction fee market and without a block size limit in Bitcoin netwo...
 
01 what is blockchain
01 what is blockchain01 what is blockchain
01 what is blockchain
 
Ergo platform overview
Ergo platform overviewErgo platform overview
Ergo platform overview
 
Blockchain in Practice, ETH Computational Social Science, Fall 2019
Blockchain in Practice, ETH Computational Social Science, Fall 2019Blockchain in Practice, ETH Computational Social Science, Fall 2019
Blockchain in Practice, ETH Computational Social Science, Fall 2019
 
Ergo Presentation - Tokyo
Ergo Presentation - TokyoErgo Presentation - Tokyo
Ergo Presentation - Tokyo
 
Decentralized mining Pools: Security and Attacks
Decentralized mining Pools: Security and AttacksDecentralized mining Pools: Security and Attacks
Decentralized mining Pools: Security and Attacks
 
Every thing bitcoin in baby language
Every thing bitcoin in baby languageEvery thing bitcoin in baby language
Every thing bitcoin in baby language
 
IEEE ICDM 2018 Tutorial on Blockchain Data Analytics
IEEE ICDM 2018 Tutorial on Blockchain Data AnalyticsIEEE ICDM 2018 Tutorial on Blockchain Data Analytics
IEEE ICDM 2018 Tutorial on Blockchain Data Analytics
 
Bit coin(2)
Bit coin(2)Bit coin(2)
Bit coin(2)
 
Bitcoin MOOC Lecture 2.pptx
Bitcoin MOOC Lecture 2.pptxBitcoin MOOC Lecture 2.pptx
Bitcoin MOOC Lecture 2.pptx
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
 
Bitcoin : A fierce decentralized crypto currency - Report
Bitcoin : A fierce decentralized crypto currency - ReportBitcoin : A fierce decentralized crypto currency - Report
Bitcoin : A fierce decentralized crypto currency - Report
 
HM Tech LLC Nov 2023.pdf
HM Tech LLC Nov 2023.pdfHM Tech LLC Nov 2023.pdf
HM Tech LLC Nov 2023.pdf
 
GET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarket
GET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarketGET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarket
GET RICHER MINING BITCOIN VAULT - JOIN US- https://bit.ly/btcvminingmarket
 
Bitcoin Decision Point - April 2017
Bitcoin Decision Point - April 2017Bitcoin Decision Point - April 2017
Bitcoin Decision Point - April 2017
 
Ethereum Mining How To
Ethereum Mining How ToEthereum Mining How To
Ethereum Mining How To
 
Bitcoin block withholding attack
Bitcoin block withholding attackBitcoin block withholding attack
Bitcoin block withholding attack
 
Introduction into blockchains and cryptocurrencies
Introduction into blockchains and cryptocurrenciesIntroduction into blockchains and cryptocurrencies
Introduction into blockchains and cryptocurrencies
 

More from vpnmentor

On the Bit Security of Cryptographic Primitives. by Michael Walter
On the Bit Security of Cryptographic Primitives. by Michael Walter On the Bit Security of Cryptographic Primitives. by Michael Walter
On the Bit Security of Cryptographic Primitives. by Michael Walter vpnmentor
 
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung HanHomomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Hanvpnmentor
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwarivpnmentor
 
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwarivpnmentor
 
Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3vpnmentor
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Futurevpnmentor
 
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 EncryptionOn the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryptionvpnmentor
 

More from vpnmentor (7)

On the Bit Security of Cryptographic Primitives. by Michael Walter
On the Bit Security of Cryptographic Primitives. by Michael Walter On the Bit Security of Cryptographic Primitives. by Michael Walter
On the Bit Security of Cryptographic Primitives. by Michael Walter
 
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung HanHomomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
Homomorphic Lower Digit Removal and Improved FHE Bootstrapping by Kyoohyung Han
 
Review of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak MaheshwariReview of Previous ETAP Forums - Deepak Maheshwari
Review of Previous ETAP Forums - Deepak Maheshwari
 
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
India’s National Biometrics ID - Presented by Mr. Deepak Maheshwari
 
Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3Automated Analysis of TLS 1.3
Automated Analysis of TLS 1.3
 
TLS: Past, Present, Future
TLS: Past, Present, FutureTLS: Past, Present, Future
TLS: Past, Present, Future
 
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 EncryptionOn the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption
 

Recently uploaded

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查ydyuyu
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...kajalverma014
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsMonica Sydney
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Sareena Khatun
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...kumargunjan9515
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...MOHANI PANDEY
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 

Recently uploaded (20)

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 

Mining pools and attacks

  • 1. Mining Pools and Attacks Stefan Dziembowski University of Warsaw Workshop on Bitcoin, Introduction to Cryptocurrencies, Kfar Maccabiah, Ramat Gan, Israel, June 6-7, 2016
  • 2. Plan 1. Mining pools 2. Security of Bitcoin
  • 3. Mining pools Miners create cartels called the mining pools This allows them to reduce the variance of their income.
  • 4. Note 283,494,086 GHash / s 1,700 GHash / s The hashrate of the Achilles Labs AM-1700 miner (1095 USD) The total hashrate of the Bitcoin system as of 5.11.2014 number of blocks in 1 year The user has to wait on average over 3 years to mine a block (even if the difficulty does not increase!) ≈ 166,761 = 3.17 ⋅ (365 ⋅ 24 ⋅ 6)
  • 5. The general picture The mining pools are operated centrally or are designed in a p2p way. Some of the mining pools charge fees for their services. In other words: • the expected revenue from pooled mining is slightly lower than the expected revenue from solo mining, • but the variance is significantly smaller. Tricky part: how to prevent cheating by miners? How to reward the miners? E.g. if the operator got 25 BTC from mining then he will share 25 BTC – fee among them (and keep the fee to himself)
  • 6. Popular mining pools As of Oct 13, 2015:
  • 7. How to design a mining pool? Simple idea: mining pool operator miner a list of transactions 𝐓 𝐢 and a hash 𝐇(𝐁𝐢) this includes a coinbase transaction transferring the reward to 𝐩𝐤. 𝐩𝐤 tries to find 𝐧𝐨𝐧𝐜𝐞 such that 𝐇 𝐧𝐨𝐧𝐜𝐞, 𝐇 𝐁𝐢 , 𝐓 𝐢 starts with 𝐧 zeros current hardness parameter if he finds such 𝐧𝐨𝐧𝐜𝐞 then he sends it to the operator once 𝐧𝐨𝐧𝐜𝐞 is found by some of the pool members each of them is rewarded proportionally to his work. Problem How to verify how much work a miner really did?
  • 8. A solution: “Proportional method” mining pool operator miner a list of transactions𝐓 𝐢and a hash 𝐇(𝐁𝐢) tries to find 𝐧𝐨𝐧𝐜𝐞 such that 𝐇 𝐧𝐨𝐧𝐜𝐞, 𝐇 𝐁𝐢 , 𝐓 𝐢 starts with 𝐧 zeros if he finds such a 𝐧𝐨𝐧𝐜𝐞 then he sends it to the operator he also submits the “partial solutions”, i.e. values 𝐧𝐨𝐧𝐜𝐞 such that 𝐇 𝐧𝐨𝐧𝐜𝐞, 𝐇 𝐁𝐢 , 𝐓 𝐢 starts with 𝐧′ zeros 𝐧′ ≪ 𝐧 The “amount of work” is measured by the number of “partial solutions” submitted.
  • 9. Works if the miners don’t change the pools 𝜶 𝟏 𝜶 𝟐 𝜶 𝟑 𝜶 𝟒 ≈ proportional to 𝜶 𝟏 ≈ proportional to 𝜶 𝟐 ≈ proportional to 𝜶 𝟑 ≈ proportional to 𝜶 𝟒 time proportion of computing power probability of that this pool wins: 𝜶 𝟏 + 𝜶 𝟐 + 𝜶 𝟑 + 𝜶 𝟒 pool members submitted shares reward for 𝐏𝟏 in case it wins: 𝐁𝐓𝐂 𝟐𝟓 ⋅ 𝜶 𝟏 𝜶 𝟏+𝜶 𝟐+𝜶 𝟑+𝜶 𝟒 𝐏𝟏 expected reward for 𝐏𝟏: 𝐁𝐓𝐂 𝟐𝟓 ⋅ 𝜶 𝟏
  • 10. What if the miners change pools? 𝜶 𝟏 𝜶 𝟐 𝜶 𝟑 𝜶 𝟒 time 𝐏𝟏 start a new pool Now the expected revenue of 𝐏𝟏 is a sum of • 𝜶 𝟏 (from the new pool) • plus the revenue from the old pool.
  • 11. A problem with the proportional method: “Pool hopping” It is profitable to escape from pools with lots of shares submitted. (since such pools have a lot of “mouths to feed” there)
  • 12. A solution: do not rewarding each share equally Example: Slush’s method Use a scoring function that assigns to each share a score 𝐬. Then assign rewards proportionally to the score. Slush’s scoring function: 𝒔 = 𝐞𝐱𝐩 𝐓 𝐂 . Intuitively: this gives advantage to miners who joined late. time since the beginning of this “round” some constant
  • 13. Another solution: “Pay-per-share” The operator pays per each partial solution no matter if he managed to extend the chain. mining pool operator miner partial solution reward Major drawback: risky for the operator. He needs to have some reserves to cover the potential losses.
  • 14. Other methods Score-based: Geometric method, Double geometric method, Pay-per-last-N-shares, Improved pay-per-share: Maximum pay-per-share, Shared maximum pay-per-share, Equalized , Shared maximum pay- per-share, (see [Meni Rosenfeld, Analysis of Bitcoin Pooled Mining Reward Systems, 2011], [Okke Schrijvers, Joseph Bonneau, Dan Boneh, and Tim Roughgarden, Incentive Compatibility of Bitcoin Mining Pool Reward Functions]) ...
  • 15. How secure are these methods We can assume that the mining pool operator is honest, since he has a reputation. Much harder to avoid: attacks from malicious miners. We discuss two of them: • “sabotage”, • “lie-in-wait”. Both of them are based on withholding certain blocks. a bit similar to the selfish- mining attack on Bitcoin that we discuss later
  • 16. A “Sabotage”attack on mining pools Submit only the partial solutions. mining pool operator partial solution rewardcomplete solution dishonest miner Results: • the pool looses money • the dishonest miner doesn’t earn anything (also looses a small amount) Adversary’s goal: make the mining pool bankrupt (e.g. he owns a competing pool). It is rumored that in June 2014 such an attack was executed against the mining pool Eligius. Estimated loses: 300 BTC.
  • 17. Another attack: “lie-in-wait” Once you find a solution for 𝐏𝟐 (say): 1. wait with submitting it 2. mine only for 𝐏𝟐 3. submit the solution to 𝐏𝟐 after some time. It can be formally shown that this is profitable (see [Rosenfeld, 2011]) Mine for several mining pools: 1/3 computing power mining pool 𝐏𝟐 mining pool 𝐏𝟏 mining pool 𝐏𝟑 Intuition: 𝐏𝟐 is a very likely winner
  • 18. Can we have a mining pool without an operator? (remember: the operators typically charge a fee). Answer: yes, using the Peer-to-peer mining pools.
  • 19. Peer-to-peer mining pools General idea: the miners create a blockchain with hardness parameter 𝐧′ ≪ 𝐧 on top of the last block 𝐁𝐢. Every 𝐁𝐢 𝟏 , 𝐁𝐢 𝟐 , … is a valid extension of 𝐁𝐢 (except that the hardness may be smaller than 𝐧). The parameter 𝐧′ is chosen is such a way that a new block appears often (say: once per 30 sec.) 𝐁𝐢 𝐏𝟏 𝐏𝟐 𝐏𝟑 𝐁𝐢 𝟏 𝐁𝐢 𝟐 𝐁𝐢 𝟑 𝐧 – current hardness parameter Hence: this has to be done using some other fields in the block (fortunately: blocks have space for this).
  • 20. How is it done technically? Bitcoin blocks contain fields that can be used to store H(𝐁𝐢 𝐣 )’s. H 𝐁𝐢: … … … 𝐁𝐢 𝟏 : H nonce H(Bi) trans. 𝐁𝐢 𝟐 : nonce H(Bi) trans. H(𝐁𝐢 𝟏 ) H 𝐁𝐢 𝟑 : nonce H(Bi) trans. H(𝐁𝐢 𝟐 )
  • 21. Finally someone will find a block that extends 𝐁𝐢 according to Bitcoin rules. 𝐁𝐢 𝐏𝟏 𝐏𝟐 𝐏𝐤 𝐁𝐢 𝟏 𝐁𝐢 𝟐 𝐁𝐢 𝐤. . . 𝐁𝐢+𝟏=: 𝐁𝐢 𝐤 enters the main Bitcoin’s blockchain as 𝐁𝐢+𝟏 ends with 𝐧 zeros call it “final”
  • 22. How to divide the revenue from mining? 𝐁𝐢 𝐏𝟏 𝐏𝟐 𝐏𝟑 𝐁𝐢 𝟏 𝐁𝐢 𝟐 𝐁𝐢 𝟑 includes in 𝐁𝐢 𝟐 a payment to 𝐏𝟏 includes in 𝐁𝐢 𝟑 a payment to 𝐏𝟏 and 𝐏𝟐 if this is missing then other pool members will not mine on top of this block Note: the miner does not know in advance if his block will be final. He has to choose the payment information beforehand.
  • 23. Plan 1. Mining pools 2. Security of Bitcoin
  • 24. Possible attack goals • double spending, • get more money from mining than you should, • “short selling” – bet that the price of BTC will drop and then destroy the system (to make the price of BTC go to zero), • someone (government?) interested in shutting Bitcoin down… “Goldfinger attack” Note: this can be done e.g. by a spectacular fork that lasts just for a few hours…
  • 25. What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
  • 26. Some notable cases of programming errors • a block 74638 (Aug 2010) contained a transaction with two outputs summing to over 184 billion BTC – this was because of an integer overflow in Bitcoin software (solved by a software update and a “manual fork”) one double spending observed (worth 10.000 USD). • a fork at block 225430 (March 2013) caused by an error in the software update of Bitcoin Core (lasted 6 hours, solved by reverting to an older version of the software) Moral: nothing can be really “completely distributed”. Sometimes human intervention is needed…
  • 27. Transaction Malleability T2 = (User P1 sends 1 BTC from T1 to P2 signature of P1 on [T2]) Hash Hash(T2) Problem: transactions are identified by their hashes TxId = Hence one can change TxId by mauling the signature: (User P1 sends 1 BTC from T1 to P2 𝝈) (User P1 sends 1 BTC from T1 to P2 𝝈’)
  • 28. How to do it? Other methods also exists… 𝝈 = (r,s) is a valid signature on M w.r.t. pk 𝝈′ = (r, -s (mod N)) is a valid signature on M w.r.t. pk Bitcoin uses ECDSA signatures. Hence:
  • 29. What can the adversary do? transaction T mauled T miners [Andrychowicz et al 2015]: very easy to perform in practice.
  • 30. Is it a problem? Often: NO (the mauled transaction is semantically equivalent to the original one) When things can go wrong? • Bitcoin contracts • buggy software
  • 31. Claimed attack on MtGox deposits 1 BTC withdraws 1 BTC transaction T = “MtGox sends 1 BTC to A” A transaction T’ = mauled transaction T blockt blockt+1 blockt+2 blockt+3 Since MtGox cannot see a transaction with TxId Hash(T) in the blockchain. Thus it concludes that the transaction did not happen. (so A can double spend) [Decker and Wattenhofer, ESORICS 2014]: this is probably not true.
  • 32. What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
  • 33. One obvious problem: lack of anonymity Can sometimes be de-anonymized: [Meiklejohn et al., A fistful of bitcoins: characterizing payments among men with no names, 2013] 1 BTC 1 BTC can be linked 1BTC 1 BTC 1 BTC Heuristic solution: 1BTC
  • 34. Another problem/feature: hardware mining History of mining: CPU → GPU → FPGA → ASIC
  • 35. Drawbacks of the hardware mining 1. Makes the whole process ``non-democratic”. 2. Easier to attack by very powerful adversary? 3. Excludes some applications (mining a as “micropayment’’). ?
  • 36. Advantages of the hardware mining • Security against botnets. • Makes the miners interested in the long-term stability of the system. How “long term”? Remember that the total hashrate can go up almost 100x in one year…
  • 37. Risk associated to pooled mining June 2014: the Ghash.io pool got > 50% of the total hashpower. Then this percentage went down…
  • 38. Observation What we were promised: “distributed currency independent from the central banks” What we got (in June 2014): “currency controlled by a single company”…
  • 39. A problem Individual miners lost control over which blocks they mine. For example in the Stratum protocol (commonly used by mining pools): miners cannot choose Bitcoin transactions on their own From mining.bitcoin.cz/stratum-mining: “In my experience 99% of real miners don’t care about transaction selection anyway, they just want the highest possible block reward. At this point they share the same interest with pool operator, so there’s no real reason to complicate mining protocol just for those 1% who want to create custom blocks for the pool.”
  • 40. How to break Bitcoin? 1. Start a number of mining pools with a negative fee. 2. Wait until you get >50% of the total hashrate. Will the miners join? they just want the highest possible block reward…
  • 41. What is really our security assumption? “As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers” we proposed a peer-to- peer network using proof- of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power 1. No cartel controls the majority of the computing power, or 2. The majority of participants is 100% honest. ?
  • 42. In order for the Bitcoin to work we need a following (strong) assumption: The majority behaves honestly even if it has incentives not to do so. Is it realistic? enthusiast: sceptics: Yes, since the majority is interested in maintaining the system No, since this is not how capitalism works… (e.g.: tragedy of the commons)
  • 43. Another risk Why not to rent the hashpower to perform the attack?
  • 44. Conjecture Maybe the only reason why nobody broke Bitcoin yet is that nobody was really interested in doing it?
  • 45. How to analyze it? Use a game-theoretic model. See: [Joseph Bonneau, Edward W. Felten, Steven Goldfeder, Joshua A. Kroll and Arvind Narayanan, Why buy when you can rent? Bribery attacks on Bitcoin consensus, 2014]
  • 46. Major research direction Provide a full game- theoretic model for cryptocurrencies, and show a currency secure in it.
  • 47. What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
  • 48. Easy to see An adversary that controls majority of computing power can always break the system. blocki blocki+1 blocki+2 block’i+2 blocki+3 blocki+4 block’i+3 block’i+4 block’i+5 pays using transaction T T Eventually this branch becomes longer so he can “cancel T” and double spend.
  • 49. It turns out that even a dishonest minority can attack Bitcoin... Selfish mining Ittay Eyal, Emin Gun Sirer Majority is not Enough: Bitcoin Mining is Vulnerable Basic idea: when you mine a new block keep it to yourself (also called block withholding strategy). Goal: make the honest miners waste their effort at mining blocks that will never make it to the chain. Observe • the proportion of the blocks that you mine will be higher than it should be, • hence: you will earn more than your share of computing power (since Bitcoin adjusts the difficulty)
  • 50. Why is it bad? If there is a strategy that is more beneficial than the honest strategy then miners have an incentive to misbehave (“Bitcoin is not incentive compatible”) (recall that with the honest strategy every miner whose computing power is an 𝜶-fraction of the total computing power gets an 𝜶-fraction of the revenue) Moreover: the larger 𝜶 is the more beneficial this strategy is. Therefore: the miners have incentives to join a large pool that uses this strategy. fraction of revenuefraction of computing power
  • 51. A simplifying assumption (for a moment) What happens when there is a fork? Bitcoin specification: “from two chains of equal length mine on the first one that you received”. Assume that the adversary is always first (e.g. he puts a lot of “fake nodes” that act as sensors).
  • 52. An observation Assume that the adversary does not broadcast the new block that he found (and mines on it “privately”). Two things can happen: 1. the adversary manages to extend his “private block chain” by one more block, or 2. the “honest users” manage to find an alternative extension. blocki blocki+1 blocki+2 block’i+2 blocki+3 In this case the adversary quickly publishes his block so he looses nothing
  • 53. If the adversary is lucky then he obtains advantage over the honest miners. blocki blocki+1 block’i+2 blocki+2 blocki+3 blocki+4 blocki+5 block’i+3 block’i+4 block’i+5 he publishes his chain if the “public chain” equalizes with it the reward for these blocks goes to him Note: this works even if the adversary has minority of computing power.
  • 54. Full attack The assumption that “the adversary is always first” may look unrealistic. Eyal and Sirer show a modification of this strategy that works without this assumption. 𝜸 − probability that an honest user chooses adversary’s block 𝜶 – fraction of adversary’s computing power We present it on next slides.
  • 55. Note 𝜸 − probability that an honest user chooses adversary’s block 𝜶 – fraction of adversary’s computing power the probability that the adversary wins if there is a fork is equal to 𝜶 + 𝟏 − 𝜶 𝜸 the adversary extends the chain an honest miners extend the chain they extend adversary’s chain they extend the “honest” chain prob. 𝜶 prob. 𝟏 − 𝜶 prob. 𝜸 prob. 𝟏 − 𝜸 Why? denote it 𝜹
  • 56. At the beginning of the attack we have: initial state: someone mined a new block and everyone is trying to extend it state 𝟎 First step: if the adversary finds a new block – he keeps it private.
  • 57. the honest miners also find a block adversary finds another block on top of his old one the adversary published his block ASAP “honest block” won “adversary’s block” won state 𝟎 prob. 𝟏 − 𝜶 prob. 𝜶 prob. 𝟏 − 𝜹 prob. 𝜹 state 𝟏 state 𝟎′ state 𝟎 state 𝟎 state 𝟐 the adversary found a new block
  • 58. From state 𝟐: state 𝟐 state 𝟑 the adversary publishes his chain ASAP state 𝟎 prob. 𝜶 prob. 𝟏 − 𝜶
  • 59. In general for 𝒊 ≥ 𝟐 state 𝒊 𝒊 state 𝒊: “the adversary has advantage 𝒊 over the honest miners”
  • 60. This leads to the following state machine: state 𝟎 state 𝟎′ state 𝟏 state 𝟐 state 𝟑 state 𝟒 . . . 𝜶 𝜶 𝜶 𝜶 𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶 𝜶 𝟏 − 𝜶𝟏
  • 61. This converges to some stationary distribution 𝐩 𝟎, 𝐩 𝟎′, 𝐩 𝟏, 𝐩 𝟐, 𝐩 𝟐, … We can find it using the theory of Markov chains 𝐩 𝟎 𝐩 𝟎′ 𝐩 𝟏 𝐩 𝟐 𝐩 𝟑 𝐩 𝟒 . . . 𝜶 𝜶 𝜶 𝜶 𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶𝟏 − 𝜶 𝜶 𝟏 − 𝜶𝟏
  • 62. How to calculate adversary’s revenue? state 𝟎 state 𝟎′ state 𝟏 state 𝟐 state 𝟑 state 𝟒 . . . +𝟏 +𝟏 +𝟏 +𝟏 (∗) ∗ = +𝟏 iff the adversary “won a fork”. This happens with probability 𝜹. Look when the adversary “earns a block”: Hence the expected revenue of the adversary is equal to: 𝜹 ⋅ 𝒑 𝟎′ + 𝜶 ⋅ 𝒑 𝟏 + 𝜶 ⋅ 𝒑 𝟐 + ⋯
  • 63. The final result Eyal and Sirer calculate this, and show that their strategy works as long as α > 𝟏−𝜸 𝟑 −𝟐𝜸 They also show that the larger 𝜶 is the more beneficial this strategy is. α 𝜸
  • 64. How to fix it? One simple idea to make 𝜸 = 𝟏 𝟐 : Instruct the miners to mine on a random chain (in case they receive to equal ones)
  • 65. Another clever attack Lear Bahack Theoretical Bitcoin Attacks with less than Half of the Computational Power The “Difficulty Raising Attack” – exploits the way the difficulty is adjusted in Bitcoin.
  • 66. What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
  • 67. Blocks without transactions Example: Reason: shorter blocks propagate faster.
  • 68. In the future the opposite problem can happen When the mining reward becomes negligible, we can experience: Tragedy of the commons: adding a transaction costs nothing, so the miners will not be able to keep the transaction fees high.
  • 69. Another question Verification of blocks takes time. Maybe it’s cheaper not to verify? (“verifier's dilemma”) (more relevant to Ethereum) See [Luu, Teutsch, Kulkarni, Saxena, Demystifying incentives in the consensus computer, ACM CCS 2015]. Recall that verification includes checking all transactions
  • 70. Yet another question What happens if someone posts a transaction T with a very high fee (say 100 BTC)? blocki+1block1 blocki+2 for them it’s more profitable to mine on the old block
  • 71. What we do (not) know about Bitcoin’s security? 1. Technical errors 2. Features/problems 3. Conceptual errors 4. Potential threats 5. Problems with key storage
  • 72. A practical problem: How to store the bitcoins? • storing in plaintext on the PC – bad idea (malware attacks) • encrypting with a password – susceptible to the dictionary attacks • better: split the key between several devices. Two options: • use the “multisignature feature of Bitcoin • use secret sharing and the MPCs • store on the USB memory – also susceptible to malware (once connected to the PC). • use a smarter device – more secure, especially if it has a display:
  • 73. ©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.

Editor's Notes

  1. http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-blockchain-fork/
  2. See: https://litecoin.info/User:Iddo/Comparison_between_Litecoin_and_Bitcoin
  3. See: https://litecoin.info/User:Iddo/Comparison_between_Litecoin_and_Bitcoin