Hold ’em, don’t fold ’em: how to bite Bitcoin pools – The Register

admin on March 13, 2017 Leave a Comment

Bitcoin's reward mechanism is based on publishing a solution to the block chain. What if an Evil Genius reversed this, and rewarded miners for withholding their solutions?

The simple answer: a pool of miners in which an Evil Genius withheld solutions would collapse. The surprise longer answer, presented in this paper at the International Association for Cryptologic Research (IACR), is that the attacker could conceivably end up in the black.

Yaron Velner (Hebrew University of Jerusalem), Jason Teutsch (University of Alabama at Birmingham) and Loi Luu (National University of Singapore) write that the problem arises in the mining pools that now account for most Bitcoin computation (as much as 95 per cent by some estimates).

Withholding attacks have been discussed since early in the blockchain's history, but Bitcoin's pretty resilient against them because if you want to mine coins and not tell anyone, you need enough computing power to be a miner. That means a lot of outlay for a slim return.

Rewarding others to withhold, the Velner/Teutsch/Luu paper suggests, is a lot more affordable, for the following reasons:

As they say on Twitter, huge if true so let's drill down a little.

Nakamoto's original paper (PDF) mentions block withholding attacks as an attacker trying to generate an alternate chain faster than the honest chain.

Block withholding has been typically regarded as a double-spending attack. This paper, instead, is a manipulation of the value of Bitcoin held in pools.

Each time a Bitcoin is successfully mined (that is, someone's rig finds the next solution), the math gets a little bit harder, and the next solution will take longer, or it'll need more computing power to find. That's why Bitcoin mining is now conducted in data centres and dedicated servers, rather than at home on PCs.

If blocks aren't published, they're not included in the assumption that makes Bitcoin progressively more difficult, and the result is that the attacker benefits from reducing the effective hash rate of the entire network.

Only if, however, they can do it for a small outlay and that's where this attack is different. Instead of doing the mining themselves, an attacker with a modest home-scale setup can disrupt pools.

The requirement, the authors write, is merely that the the fraction of the networks hash rate controlled by the attacker is greater than a miners reward for submitting a full solution to the pool.

This mining power is currently equivalent to 4 TH/s [tera-hashes per second El Reg] mining power, which is obtainable by modern ASICs. Moreover, a miner with N ASICs could offer a reward that is N times higher and still make a profit.

Were an Evil Genius to mount the attack, they'd need their minions to prove they're holding valid blocks, and that's one reason withholding attacks don't happen: storage sufficient for the minion to submit a proof to the attacker is expensive.

Instead, the attack asks only for the minion for a proof of stale work to prove that they're performing sha256 operations over some data without an intention of submitting full solutions to the blockchain. When the withholder allocates his mining equipment for stale work, the effective hash power of the network is reduced.

Crucially, because it's an attack on the pool mining protocol, the authors note that their attack does not affect the Nakamoto consensus that protects the truth of the Bitcoin blockchain.

Go here to read the rest:
Hold 'em, don't fold 'em: how to bite Bitcoin pools - The Register

Related Posts
Posted in Bitcoin

Comments are closed.