This change is backward compatible: Any subset of the miners can adopt it without hindering the protocol. Moreover, it is
progressive: any ratio of the miners that adopts it decreases γ,
and therefore increases the threshold.
6. 1. Problem
The Bitcoin protocol prescribes that when a miner knows of
multiple branches of the same length, it mines and propagates only the first branch it received. Recall that a pool that
runs the Selfish-Mine strategy and has a lead of 1 publishes
its secret block P once it hears of a competing block X found
by a non-pool block. If block P reaches a non-pool miner
before block X, that miner will mine on P.
Because selfish mining is reactive, and it springs into
action only after the honest nodes have discovered a block X,
it may seem to be at a disadvantage. But a savvy pool operator can perform a sybil attack on honest miners by adding
a significant number of zero-power miners to the Bitcoin
miner network. These virtual miners act as advance sensors
by participating in data dissemination, but do not mine new
blocks. (Babaioff et al. also acknowledge the feasibility of
such a sybil attack2). The virtual miners are managed by the
pool, and once they hear of block X, they ignore it and start
propagating block P. The random peer-to-peer structure of
the Bitcoin overlay network will eventually propagate X to all
miners, but the propagation of X under these conditions will
be strictly slower than that of block P. By adding enough virtual nodes, the pool operator can thus increase γ. The result
(see Observation 1), is a threshold close to zero.
6. 2. Solution
We propose a simple, backwards-compatible change to
the Bitcoin protocol to address this problem and raise the
threshold. Specifically, when a miner learns of competing branches of the same length, it should propagate all of
them, and choose which one to mine on uniformly at random. In the case of two branches of length 1, as discussed in
Section 4, this would result in half the nodes (in expectancy)
mining on the pool’s branch and the other half mining on
the other branch. This yields γ = 1/2, which in turn yields a
threshold of 1/4.
Each miner implementing our change decreases the selfish pool’s ability to increase γ through control of data propagation. This improvement is independent of the adoption
of the change at other miners, therefore it does not require
a hard fork. This change to the protocol does not introduce
new vulnerabilities to the protocol: Currently, when there
are two branches of equal length, the choice of each miner
is arbitrary, effectively determined by the network topology
and latency. Our change explicitly randomizes this arbitrary
choice, and therefore does not introduce new vulnerabilities.
7. RELATED WORK
Decentralized digital currencies have been proposed before
Bitcoin, starting with eCash6 and followed by peer-to-peer currencies23, 25; see Ref. Barber et al. and Miers et al. 3, 14 for short surveys. None of these are centered around a global log; therefore,
their techniques and challenges are unrelated to this work.
still mine on the pool’s block. In this case, the pool takes no
risk when following the Selfish-Mine strategy and its revenue
is always better than when following the honest algorithm.
The threshold is therefore zero, and a pool of any size can benefit by following Selfish-Mine. In the other extreme, γ = 0, the
honest miners always publish and propagate their block first,
and the threshold is at 1/3. With γ = 1/2 the threshold is at 1/4.
Figure 3 shows the threshold as a function of γ.
We also note that the slope of the pool revenue, Rpool, as a
5. POOL FORMATION
function of the pool size is larger than one above the thresh-
old. This implies the following observation:
Observation 2. For a pool running the Selfish-Mine strategy,
the revenue of each pool member increases with pool size for
pools larger than the threshold.
We have shown that once a selfish pool’s mining power
exceeds the threshold, it can increase its revenue by running Selfish-Mine (Theorem 1). At this point, rational miners will preferentially join the selfish pool to increase their
revenues. Moreover, the pool’s members will want to accept
new members, as this would increase their own revenue
(Observation 2). The selfish pool would therefore increase
in size, unopposed by any mechanism, towards a majority.
Once a miner pool, selfish or otherwise, reaches a majority,
it controls the blockchain. The Selfish-Mine strategy then
becomes unnecessary, since the others are no longer faster
than the pool. Instead, a majority pool can collect all the system’s revenue by switching to a modified Bitcoin protocol
that ignores blocks generated outside the pool; it also has
no motivation to accept new members. At this point, the currency is not decentralized as originally envisioned.
6. HARDENING THE PROTOCOL
Ideally, a robust currency system would be designed to resist
attacks by groups of colluding miners. Since selfish mining
attacks yield positive outcomes for group sizes above the
threshold, the protocol should be amended to set the threshold as high as possible. In this section, we argue that the current Bitcoin protocol has no measures to guarantee a low γ.
This implies that the threshold may be as low as zero, and a
pool of any size can benefit by running Selfish-Mine. We suggest a simple change to the protocol that, if adopted by all
non-selfish miners, sets γ to , and therefore the threshold to .
0 0.25 0.5 0.75 1
Figure 3. Mining power α above which selfish mining trumps honest
mining, function of the propagation factor γ.