HAL Id: hal-01310088https://hal.archives-ouvertes.fr/hal-01310088v1
Submitted on 1 May 2016 (v1), last revised 30 Apr 2017 (v3)
HAL is a multi-disciplinary open accessarchive for the deposit and dissemination of sci-entific research documents, whether they are pub-lished or not. The documents may come fromteaching and research institutions in France orabroad, or from public or private research centers.
Lâarchive ouverte pluridisciplinaire HAL, estdestinĂŠe au dĂŠpĂ´t et Ă la diffusion de documentsscientifiques de niveau recherche, publiĂŠs ou non,ĂŠmanant des ĂŠtablissements dâenseignement et derecherche français ou ĂŠtrangers, des laboratoirespublics ou privĂŠs.
ZeroBlock: Preventing Selfish Mining in BitcoinSiamak Solat, Maria Potop-Butucaru
To cite this version:Siamak Solat, Maria Potop-Butucaru. ZeroBlock: Preventing Selfish Mining in Bitcoin. [TechnicalReport] Sorbonne Universites, UPMC University of Paris 6. 2016. �hal-01310088v1�
ZeroBlock: Preventing Selfish Mining in Bitcoin
Siamak Solat and Maria Potop-Butucaru
UPMC-CNRS, Sorbonne Universites, LIP6, UMR 7606, Paris, France{[email protected]}
Abstract. Bitcoin was recently introduced as a peer-to-peer electroniccurrency in order to facilitate transactions outside the traditional fi-nancial system. The core of Bitcoin, the Blockchain, is the history ofthe transactions in the system maintained by all nodes as a distributedshared register. New blocks in the Blockchain contain the last transac-tions in the system and are added by nodes (miners) after a block min-ing process that consists in solving a resource consuming proof-of-work(cryptographic puzzle). The reward is a motivation for mining processbut also could be an incentive for attacks such as selfish mining. In thispaper we propose a solution for one of the major problems in Bitcoin :selfish mining or block withholding attack. This attack is conducted byadversarial or selfish nodes in order to either earn undue rewards or wastethe computational power of honest nodes. Contrary to recent solutions,our solution, ZeroBlock, prevents block withholding using a techniquefree of forgeable timestamps. Moreover, we show that our solution is alsocompliant with nodes churn.
Keywords: Electronic Currency; Bitcoin; Cryptocurrency; ZeroBlock;block withholding; selfish mining
1 Introduction
In the last few years crypto-currencies [17,19,20,18,1,8,15] are in the center of theresearch ranging from financial, political and social to computer science and puremathematics. Bitcoin [1] was one of the starters of this concentration of forcestowards creating a system where transactions between individuals can escapethe strict control of the banks and more generally of the financial markets.
Bitcoin was introduced as a pure peer-to-peer [1] electronic currency orcrypto-currency to aim at fully decentralizing electronic payment transactions.Bitcoin allows to perform online payment transactions directly from one partyto another one âwithoutâ the interference of a financial institution as a âtrustedthird partyâ [1]. It uses digital signatures to verify the Bitcoinâs possession andemploys Blockchain in order to prevent double-spending attacks. Blockchain isbroadcasted via a peer-to-peer network to achieve a consensus about the historyof the transactions in the system via a proof-of-work (cryptographic puzzle)[13,2,12] performed by honest parties (nodes that follow the protocol).
Bitcoin is still vulnerable to various attacks including double-spending [27],selfish mining [9], Goldfinger [28], 51% attack [28] etc. In this paper we focus the
2 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
selfish mining attack. Recently, [4] provided a full description of incentives towithhold or selfish mine in Bitcoin. That is, to force honest nodes to waste theircomputational power such that their public chain becomes useless, whereas theprivate chain of the adversarial nodes is accepted as a part of the blockchain.To this end, the adversarial nodes reveal selectively their private blocks to makeuseless the blocks made by honest nodes.
Our contribution In this paper, we introduce a new solution named ZeroBlockwhich prevents block withholding (selfish mining) without using timestampscontrary the recent solution proposed by [26]. In our solution, if a selfish nodewants to keep its block privately more than the expected time calculated byhonest nodes, its block will expire and will be rejected by honest nodes. Weshow that, by using this solution, honest nodes never accept chains infestedwith block withholding . Also, we demonstrate that in a dynamic network if ahonest node joins the network, it can diagnose the correct chain from chainsinfected with block withholding .
Paper Roadmap The rest of this paper is organized as follows: Section 2 presentsan overview of Bitcoin, Section 2.1 presents how to generate a block and proof-of-work process, Section 2.2 presents block withholding attack and selfish mining,Section 2.3 mentions some other Bitcoin problems, Section 3 presents structureof information in Bitcoin netwok including 3.1 Transactions, 3.2 Blocks and 3.3Blochchain. Section 4 presents our ZeroBlock solution altogether with its cor-rectness proof. Finally, Section 5 presents some related work on crypto-currencieswhile Section 6 concludes the paper and presents some future research directions.
2 Bitcoin Overview
Bitcoin is an electronic coin which works as a chain of digital signatures whereeach owner transfers Bitcoin to the next party after adding his signature (gener-ated with his private key) along with the hash of previous transactions and thepublic key of the next owner (i.e. the receiver). As a result, the final receiver isable to verify the ownershipâs chain by verifying the signatures [1].
The key entity in Bitcoin is a public log that is a sequence of blocks, namedBlockchain, that maintains the history of transactions. The safety of Blockchainis provided by a cryptographic puzzle, named proof-of-work (PoW), solved byseveral nodes, named âminersâ. Miners who can solve PoW are permitted togenerate a new block to record transactions and receive some Bitcoins as areward. This reward is used to further motivate miners to share their powerresource with the network and continue to mine.
2.1 Block Generation and Proof-of-Work
A PoW is a cryptographic puzzle that is difficult to generate but easy to verify.Bitcoin network uses Hashcash [2] PoW system for block generation such that
ZeroBlock: Preventing Selfish Mining in Bitcoin 3
a block is accepted by the network if miners perform PoW properly and suc-cessfully. The difficulty of PoW is adjustable regarding to the network power.Currently, the block generation rate is one block per minute. Note that since thesuccess of solving PoW by every node in the network has a very low probability,the prediction on which node will generate the next block is almost impossible.
After a new block is generated, it is broadcasted in the entire network. Ifthis new block is accepted as âheadâ of blockchain, other nodes start to workon this new block to extend it. A competition between two new blocks occursif their respective hash on the previous blocks used in PoW process are equaland also they are broadcasted simultaneously. At this point a fork on blockchainhappens. Since the block broadcast takes only a few seconds but the averageof the time to generate a new block is around 10 minutes, âaccidental forksâoccur almost every 60 blocks [4,3]. In such situation, nodes have to select theblock which is received first and, as a result, the second block will be ignoredby the network. Consequently, nodes that worked on the second block wastedtheir computational power with no reward. Moreover, this may generate a forkon the blockchain which may divide itself into two branches. This competitioncontinues until nodes generate new blocks on each of fork branches and finallythe longest chain will be chosen by honest nodes.
2.2 Block Withholding or Selfish Mining
Block withholding attack was introduced as âSelfish miningâ in [4] and also asâBlock Discarding Attackâ in [29]. This attack relies on âblock concealingâ andrevealing only at a special time selected by some nodes called as Selfish Minerswho does follow Bitcoin protocol. This attack is contrary to this concept thatthe first favor of a miner is to reveal his new block as soon as possible to bea part of main blockchain for achieving more revenue. According to [4], theseSelfish Miners can learn revenues more than their share computational resourcesin comparison with a fair situation [30].
In block withholding strategy, a Selfish Miner after solving PoW and findinga new block, neither publish it in its mining pool nor in entire the network.
In [31] authors extends the selfish mining strategy and provides an algo-rithm to find optimal policies for Selfish Miners. [16] shows that expanding mainblockchain method by adding newest block on the last block creates a simplemodel of âweak and non-uniqueâ Nash equilibrium [31]. [31] shows that this op-timal policies compute threshold such that honest mining would be a âstrict anduniqueâ Nash equilibrium. According to [32] miners are not motivated enoughto propagate transactions. Authors in [33] introduces a cooperative game theoryanalysis relying on interactive mining pools.
According to [4], the selfish mining in Bitcoin network occurs as follows: Inthe case of the generation of a new block by the honest nodes, (1) if the size ofhonest nodesâ blockchain is longer than the adversarial branch, the adversarialcartel tries to set its private chain equal to the public chain of the honest nodes.(2) If the adversarial branch is one block more than the honest nodes chain,
4 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
then adversarial nodes publish their private chain completely (3) If the adver-sarial branch is more than one block longer than the honest nodes chain, thenthe adversarial nodes publish only the head of their private chain. In the case ofgeneration of a new block by adversarial nodes, they keep this new block privateand in case of a competition with the honest nodes, publish it to win the com-petition. According to [4], the success of adversarial nodes in this competition iscontingent on the ι (i.e. adversarial nodes power) and γ (i.e. the proportion ofhonest nodes power which in a block competition work on an adversarial nodeblock). According to the equation 1, if γ = 0, the threshold for success of blockwithholding behavior is ι ⼠33 % and if γ = 0.99, the threshold is ι ⼠0.009[26].
1â Îł3â 2Îł
< Îą <1
2(1)
Eyal and Sirer [4] suggest a solution according to which Îł is fixed to 0.5 andconsequently the threshold of successful block withholding increases to Îą ⼠0.25.Ethan Heilman [26] introduces an approach named âFreshness Preferredâ (FP).Using a random beacons and timestamps, honest nodes select more fresh blocksand the threshold becomes Îą ⼠32 %.
2.3 Other Bitcoin Problems
In this section we mention some other Bitcoin problems. Due to publishing trans-action logs fully publicly, the userâs anonymity is protected only via the use ofpseudonyms addresses [15]. In accordance with [8] the userâs transactions canbe simply linked together. Also, in case of linking one userâs transaction to hisidentity, all of the other transactions performed by the user could be revealed.The userâs privacy in electronic transactions comes back to Chaumâs proposalabout âanonymousâ e-cash by using the âblind signaturesâ [8].
PoW causes some problems such that imposing participation in a miningpool managed by a single miner that decreases and may collapse decentralizednature of Bitcoin network particularly when a significant percentage of miningpower belongs to a single mining pool (e.g. GHash.io [9,10]), a point at which asignificant mining power of the network is in hand of a miner who is the managerof the mining pool and may lead to 51% attack.
The history of transactions as a public log is called a blockchain which ismaintained, recorded and run by a group of miners who are rewarded withrespect to their participation in the Bitcoin network [4]. [4] formally defined anattack to demonstrate that Bitcoin is not an âincentive-compatibleâ protocolwhich means that miners can collude in order to earn a reward larger thantheir fair share. As a result, the size of this colluding group may increase untilconverting into a majority. Since, Bitcoin needs a majority of honest miners (whoperform exactly the prescribed protocol) if a colluding group is able to become amajority it can either prevent some transactions [4] or decide to reject originatedcoins belonging to a particular address leading to coins devaluation. Therefore,
ZeroBlock: Preventing Selfish Mining in Bitcoin 5
users become disinclined to use these coins for the payment [11]. In other words,the decisions need to be accepted via a majority that by default is supposed tobe honest [11]. In fact, the users vote according to their computing power toprevent double-spending. This action restricts the power of a specific group ofusers and leads to performing Sybil attack (i.e. forging different IDs in a âpeerto peerâ network) [11,24]. However, [11] demonstrates some critical decisions inthe Bitcoinâs network which may be controlled by a small set of entities.
On the other hand, some actions such as protocol updates are not consideredto be decentralized, but they are managed by limited entities as administratorswithout respecting the âcomputing powerâ that they control, but depending ontheir roll in the network. In [11] the authors tried to enhance decentralized prop-erty of Bitcoin by reducing the impact of mining pools on the Bitcoin system.
3 Bitcoin Model
Bitcoin network consists of two major types of information. The first one are 3.1Transactions that are entities to transfer the coins entire the network and thesecond one are 3.2 Blocks inserted into a âpublic ledgerâ called as 3.3 Blochchainand employed to âsynchronize status among all Bitcoin nodesâ. We explain thesekey entities in the following sections [3].
3.1 Transactions
Briefly, a transaction transfers the coins from one or multiple âsource accountaddressâ to âdestination account addressâ, where each âaccount addressâ has aunique key pair. Each âaddressâ derives from related âpublic keyâ and employedto recognize the related âaccountâ. For each âBitcoin transferâ between twoaccount, a transaction must be generated including the âdestination accountaddressâ and signed by âprivate keyâ of the âsource accountâ.
To calculate the âbalance of account addressesâ, the public ledger calculateseach transaction outputs (i.e. a ânumeric value of coinsâ) which has transferredthe coins to an account. Thus, the balance is calculated as the âsum of thesevalues of the coinsâ that are not still spent.
Each transaction is recognized by using âhash of serialized context of trans-actionâ. A transaction has also the inputs as âreferences to transaction outputownershipâ.
When transactions are broadcast entire the network, the âpublic ledgerâ willbe updated locally in each node. By passing the time, this copy may be unalikein âdifferent minersâ which may causes âinconsistencyâ. This inconsistency itselfmay lead to some problems. For example, consider a miner receives a transactionthat shows transferring some coins from account âAâ, whereas this miner hasnot still gotten related transaction that shows these coins are âavailableâ foraccount âAâ. Or in another situation, multiple transactions may try to transfersome coins at several times that such âsubversive behaviorâ called as âdoublespendingâ [3].
6 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
3.2 Blocks
Achieving a âconsensusâ in a distributed system is not a âtrivialâ concept andBitcoin solution uses a âuncertain commitment of the transactionsâ and thenâsynchronizingâ them at âorderly time intervalsâ by using Blocks that has beengenerated and broadcast by one miner entire the network.
Each block consists of several transactions. Each miner when receives a newblock, updates its âlocal chainâ and then restores the uncertain committed trans-actions since the last block, where all miners have a âconsensusâ on the trans-actions of the block. [3]
3.3 Blockchain
A blockchain is a chain of blocks in âchronological orderâ, where the blocks areput like a âdirected tree formâ such that each block is referenced by its âparentblockâ. In this tree, the âgenesis blockâ is the root. The âmost distant blockâfrom âgenesis blockâ is called as the âHead of blockchainâ [3].
Fork There is a âblockchain forkâ, when in a blockchain there are more thanone Head. In such situation, the network miners do not have a âconsensusâ on aunique Head. At this point, a miner N whose âHead of blockchainâ distance fromgenesis block is H, when it receives another âblockchain Headâ whose distancefrom âgenesis blockâ is HⲠsuch that H <HⲠthen miner N changes his blockchainHead from H to HⲠ[3]. The âblock withholding attackâ is based on blockchainfork that we introduce ZeroBlock solution to prevent it.
4 ZEROBLOCK
In this section we introduce a new solution, ZeroBlock, to prevent block with-holding and selfish mining in Bitcoin. The key of our solution is that each blockmust be generated and received by the network within an expected time (its com-putation is detailed in section 4.1). Honest nodes perform their computation inrounds with the length equal to the expected time (computed locally by eachnode). Instead of broadcasting the entire chain as in Bitcoin, nodes broadcastonly the new block (the head of the chain). Hence, within expected time a hon-est node either receives a block, or broadcasts a block. Otherwise, it generatesa dummy block called in the following Zeroblock. A detailed description of thealgorithm is proposed in section 4.2.
We demonstrate that if a selfish node wants to keep its block private morethan the expected time calculated by honest nodes, its block will expire andwill be rejected by honest nodes. In Theorem 1, we show that by using thissolution honest nodes, regardless of their percentage in the network, never acceptchains infested with block withholding . In Theorem 2 we demonstrate that ina dynamic network, regardless of the honest nodes percentage, if a honest nodejoins the network, it can diagnose an infested chain with block withholding .
ZeroBlock: Preventing Selfish Mining in Bitcoin 7
In Theorem 3, 4 and 5, we show that if bn+22 c nodes are honest, then when an
honest node joins the network, it can diagnose the correct chain which belongsto honest nodes. Moreover, the selfish cartel cannot impose its selfish chain asthe common chain. Furthermore, in Theorem 5 we prove that our solution alsoprevents the intentional forks.
4.1 Preliminaries
Expected Time computation. Note that the time for generating a block dependson the difficulty level for solving PoW and on the size of the network. This timeis predictable (currently it is around 10 minutes). We call this time as blockgeneration time. Note also that depending on the size of the network, the blockbroadcast time is also predictable [3]. As a result, we define the ExpectedTimeas follows:
ExpectedT ime = BGT +BT (2)
where: BGT = block generation time , BT = block propagation time
Estimation of PoW time. Consider the following condition:
IF FirstHF (hash+ answer) ⤠D then
PoWsucceeded
where:hash : SecondHF (Input : [Previous Blocks])answer : a Random as PoW answerD : Difficulty LevelF irstHF : First Hash FunctionSecondHF : Second Hash Function
In this condition, if D has a small value then PoW is more difficult. So, thetime of solving PoW is predictable by regulating D. Thus one can estimate therequired number of invoking FirstHF (hash + answer). As a result, one canestimate the total required time to learn PoW answer.
Estimation of Block Propagation Time We use the same model of [3] to esti-mate the block propagation time entire the network. We define DTb,d, whereb is generated block and d is destination node, as time difference between firstannouncement by block generator (creative node) and the time at which destina-tion node receives block such that DTb,d = 0, when d is creative node. Accordingto [3], timing information consists of a local time-stamps when announcementhas been received and DTb,d is estimable by subtracting first announcementtimestamp from all announcements for the same block.
8 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
4.2 ZeroBlock Algorithm
In the following we detail the Zeroblock algorithm (Algorithm 1).
Notations Algorithm 1 uses the following notations:
â correct chain : a chain which is not infested with block withholding .â creative node : is a node which in an Expected Time interval can solve PoW
and generate a new block.â Block Propagation Time (BT) : is the delay necessary to the network to learn
the existence of a block once it has been announced by the block generator(see Section 4.1).
â Block Generation Time (BGT) : the time needed to solve PoW (see Section4.1).
â Expected Time is the time interval computed by Equation 1. During anExpected Time interval a node should solve PoW, otherwise if the node doesnot receive a new block from the network, it has to generate a ZeroBlock.
â ZeroBlock : is a dummy block including the index of Expected Time and thehash of previous blocks.
â consumer node : is a node which in an Expected Time interval cannot solvePoW and hence cannot generate a new block. Thus, it either receives a newblock or generates a ZeroBlock.
We assume that at the beginning of the computation, all nodes (honest) agreeon a first block, the genesis block. The genesis block should be hard-coded intothe software. Each node has a local chain which initially is equal to the genesisblock. Nodes have access to a common clock and each node maintains locallya variable LTime, a seconds counter (initially 0) that is updated at each timesecond. Each node maintains locally the variable ET, initially equal to zero,which will be increased with the value of Expected Time at each loop. Moreover,each node keeps a boolean parameter, FlagNewBlock. As soon as a new blockis generated, its value is changed to True. After the initialization phase, theZeroblock algorithm, Algorithm 1, starts an infinite loop. In this loop, ET valueis updated by using refresh() function as follows :
ET = ET + (BGT + BT)
where ExpectedTime is computed using Equation 1. While the counter LTime isless than or equal to ET, a honest node checks its input if there is a new block.If there is a new block head, the honest node investigates if its PoW has beenproperly computed. by verifying if the new block head includes the hash of thecurrent local chain. Then this new bock becomes the head of the local chain.If during the Expected Time, there is no new input, a honest node generatesa ZeroBlock that includes the hash of a fixed value and adds this new blockto its local chain. This block helps to prevent block withholding , because, thenext block will include the hash of the local chain that includes also the hash ofthis ZeroBlock. Thus, if an adversarial node does not reveal a block during the
ZeroBlock: Preventing Selfish Mining in Bitcoin 9
expected time corresponding to the generation of this ZeroBlock, it cannot usethis expired block. In the case when a honest node receives more than one newblock during an expected time interval it accepts the first one.
Fig. 1. ZeroBlock generation by a honest node to prevent block withholding . B2: B2
has been generated by a selfish node and has been kept until ET2 and thus has beenexpired. Thus, PoW of B2 includes only hash of B11 and thus will be rejected by honestnode. ZB (ZeroBlock): the honest node didnât receive a new block until ET2 and thusgenerates a ZeroBlock. B3: PoW of B3 includes hash of (B1 + ZeroBlock) and will beaccepted.
More in details, each node, N , that executes Algorithm 1 performs the fol-lowing steps.
â The initialisation : (Lines 1 and 2) where ET (Expected Time counter) andLTime (the seconds counter) are set to 0. Then, Line 3, node N has alocal chain that at the beginning equals to Genesis block (with followingdefinition). Also, FlagNewBlock is set to false in line 4.
â In Line 11 node N starts an infinite loop where:
10 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
Algorithm 1 ZeroBlock algorithm1: ETâ 02: LTimeâ 0 . LTime is a seconds counter3: localChainâ Genesis4: FlagNewBlockâ False5: counterâ 06: HPrBâ 0 . hash of previous blocks7: Dâ DifficultyLevel8: NewBlockâ Null9: IndexETâ 0 . Index of Expected Time
10: ansPoWâ 0 . answer of PoW11: while (True) do12: if (FlagNewBlock = False) ⧠(ET 6= 0) then13: ZeroBlockâ SecondHF(getHead(localChain)) + SecondHF(ZB) + IndexET14: localChainâ join(ZeroBlock,localChain)15: end if16: refresh(ET)17: IndexETâ IndexET + 118: while (LTime ⤠ET) do19: NewBlockâ checkInput()20: if (NewBlock 6= Null) then21: HPrBâ SecondHF(getHead(localChain))22: if (FirstHF(HPrB,ansPoW) ⤠D) ⨠(HPrB = NewBlock.HPrB) then23: localChainâ join(NewBlock,localChain)24: NewBlockâ Null25: FlagNewBlockâ True26: Break27: end if28: end if29: if (FlagNewBlock = False) then30: HPrBâ SecondHF(getHead(localChain))31: if (FirstHF(HPrB , counter) ⤠D) then . Proof-of-work succeeded32: ansPoWâ counter33: NewBlockâ GenerateBlock(ansPoW,HPrB)34: BroadcastBlock(NewBlock,ansPoW)35: FlagNewBlockâ True36: counterâ 037: Break38: end if39: counterâ counter + 140: end if41: end while42: end while
ZeroBlock: Preventing Selfish Mining in Bitcoin 11
â In Line 12) node N checks if there is no new block from the network (FlagNew-Block equals to False) and if the local chainâs block head is not the genesisblock (ET is not equal to zero). For the first time, always these two condi-tions are False. Then in Line 16) node N invokes refresh() function thatdoes following operation: ET = ET + (BGT + BT ). Then, in Line 17 oneunit is added to the index of ET.
â While node N has time to solve PoW, (Line 18, LTime (seconds counter) isless than ET), N checks its input if there is a new block received from thenetwork (Line 19). If yes, (Line 22) node N verifies the answer of PoW ofthe new block. If PoW has been done correctly (Line 23) , N adds the newblock to its local chain and changes value of FlagNewBlock = True (Line25) and then leaves the while loop and goes (Line 12) and then (Line 16). Ifthere is no new block in its input (condition of (Line 20 is incorrect)) nodeN tries to solve PoW (Line 31), if it succeeds, it generates a new block (Line33) and broadcasts it (Line 34).
â In case PoW does not succeed (the condition of (Line 31) is incorrect), nodeN increases the counter and goes back to Line 18.
â If LTime is more than Expected Time, immediately node N generates a Ze-roBlock (Line 13) and then adds it to its local chain (Line 14).
â Then, node N refreshes Expected Time (Line 16) and increases one unit thevariable index of expected time (Line 17).
â If a ZeroBlock has been generated, node N (honest) rejects a selfish blockin (Line 22) because the two conditions are incorrect. Since HPrB(the hashof node Nâs local chain head) that includes the ZeroBlock is not equal toNewBlock.HPrB (hash of selfish block) that does not include the ZeroBlockand thus its answer of PoW is incorrect and then goes (Line 29).
4.3 Correctness of Algorithm 1
Theorem 1. Honest nodes, regardless of their percentage in the network, neveraccept chains infested with block withholding .
Proof. Each ExpectedTime interval, a honest node generates a new block andbroadcasts it and waits for a new block. If it does not receive a new block, itgenerates a ZeroBlock.
A block withholding can occur if a selfish miner has generated a new blockbut kept it privately, a least an ExpectedTime interval. At this point, to preventblock withholding , all honest nodes which did not receive a new block, generatea ZeroBlock including the hash of previous blocks.
After an ExpectedTime interval (Line 18), all honest nodes leave the whileloop and generate a ZeroBlock since two conditions in (Line 12 are true. Thisis due to the fact that no new block has been received (FlagNewBlock = False)and ET has been refreshed ((Line 16 ET 6= 0). A selfish miner (which here is acreative node) has kept a new block after ExpectedTime and solved PoW for anexpired block. This block will not be accepted by honest nodes since all of themgenerated a ZeroBlock. Therefore, PoW must be renewed such that it shouldinclude the recent ZeroBlock.
12 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
Theorem 2. In a dynamic network, regardless of honest nodes percentage inthe network, if a honest node joins the network, it can diagnose the correct chainfrom infested chain with block withholding .
Proof. For n ExpectedTime intervals, there are n different blocks (including stan-dard block and ZeroBlock). In each ExpectedTime interval, a honest node iseither a creative node which generates a new block or a consumer node whicheither receives a new block from other nodes or generates a ZeroBlock. Thus,for each different ExpectedTime, a honest node has a different block. If a blockwithholding occurs, then after n ExpectedTime intervals there are (n â 1) dif-ferent blocks (see Figure 4.2: for 3 ExpectedTime intervals, on the side of honestnodse there are 3 different blocks including B1, ZeroBlock2, B3 but on the sideof adversarial node there (3 - 1) = 2 different blocks including B1, B2).
When a honest node joins the network at time t, it announces its entrance intoentire network in order to receive the last version of the correct chain from othernodes. Then, using the division of the current time into ExpectedTime intervals,it can find the correct chain. The new node computes EDB = b t
ExpectedTimec
, where t = current time and accepts a chain if and only if (1) it contains EDBdifferent blocks (2) each block includes the hash of the previous blocks. This lastoperation can be done by using verifyPoW (input: NewBlock) to investigate ifeach blockâs PoW has been properly computed.
Theorem 3. In a dynamic network, if bn+22 c nodes are honest, then when a
honest node joins the network, it can diagnose the correct chain which belongsto honest nodes.
Proof. Following the proof of Theorem 2, when a new node joins the networkand broadcasts a message including its address to announce its entrance, othernodes respond with the last version of their local chain. The new node thencompares the received chains and selects the chain sent by a majority. Thus, ifthe half of the network plus one is honest, the honest chain will win and thenew node will have the correct chain that belongs to honest nodes. After that,the new node, similar to other nodes, will continue the protocol as described inalgorithm. According to this process, each node is able to leave and re-join thenetwork infinitely.
Theorem 4. If bn+22 c nodes are honest, then a selfish cartel cannot impose its
selfish chain as common chain.
Proof. In the worst case, there is only a single selfish cartel with a single commonselfish chain. In that case, there are two groups of chain: (1) the selfish chainbelonging to the selfish cartel and (2) the correct chain belonging to honestnodes. Since bn+2
2 c nodes are honest, in this case, the majority chain (the oneof honest nodes) will be chosen by the network.
Note that in [3] the authors show that the accidental forks occur rarely dueto the long propagation time. Therefore, most of the forks occur intentionally.In the following we prove that our solution prevents intentional forks.
ZeroBlock: Preventing Selfish Mining in Bitcoin 13
Theorem 5. Algorithm 1 prevents intentional forks.
Proof. Since by using ZeroBlock, none of honest nodes accept on selfish minersâchains (as described in Theorem 1), selfish miners thus are not able to imposeworking on their chain on honest nodes and our approach thus prevents blockwithholding , thus it is not possible to intentionally forking blochchain âout ofselfish cartelsâ chainâ.
5 Related work on crypto-currency
In this section, we present briefly the state of the art concerning electronic cur-rencies and peer to peer electronic payment systems. Most of the work targetedso far anonymity, privacy and avoiding âdouble-spendingâ attacks. Ripple [17]is an electronic currency such that all users are able to issue a currency but itwill be accepted only by the peers who have reliance on the issuer. Moreoverthe acceptance of a transaction needs a chain of trusted mediators between thesender and the receiver. i-WAT [19] is another similar system where the chain oftrusted mediators is initiated using digital signatures. KARMA [20] is anotherelectronic currency in which the central authority is formed of a set of userswho manage all transactions. In the event of numerous transactions this cen-tral authority risk to be overheaded. PPay [18] is a âpeer to peerâ network inwhich the coin issuer has the responsibility of keeping track of the transactionsin the system. However, it has the same problem as KARMA concerning theoverhead. Mondex as smart card electronic currency [21] is similar to an issuerbank for currency issuance that stores the value as electronic information ona smart card instead of physical notes and coins [22]. However, the remainedproblem is its inability to determine performing âdouble-spendingâ via one ofthe owners in the chain. To avoid using trusted central authority such as the coinissuer, all transactions must be announced publicly [23] to achieve an agreementon an âuniqueâ history of the transaction [1]. Bonneau et al. [8] introduce Mix-coin, fully compatible with Bitcoin that adds an accountable service (Mixes) todetermine the theft of service, means the âaccountableâ mixes sign warrantiesto users such that if a user sends n coins to Mixes until time of t1, the Mixeshave to return n coins to this user by time t2. As a result, in case of misbehav-ing a Mix, the user can devalue the reputation of the Mix by publishing Mixâswarranty. Mixing services exchange the userâs coins arbitrarily with other usersâcoins in order to make unclear the ownership, but without ensuring protectionfrom theft by the service (i.e. Mixing services). Another attempt to enhancethe anonymity of Bitcoin was proposed in [15]. The authors propose Zerocoin acryptographic extension of Bitcoin which despite strong anonymity [25], it stillneeds an advanced cryptography model and significant changes to be compati-ble with Bitcoin [8]. According to [25] Zerocoin reveals the payment destinationsalong with the transaction amount. In [25] the authors introduce the conceptof Decentralized Anonymous Payment (abbreviated DAP) according to which auser is able to pay privately another one. Transactions do not reveal the sender
14 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
of the payment, the destination and the transaction amount. DAP scheme isused in Zerocash as a decentralized anonymous payment system [25].
6 Conclusion and future work
In this paper, we introduced a new solution to prevent block withholding andselfish mining as one of the most important problems of Bitcoin. We demon-strated that if an adversarial selfish node wants to keep its block privately morethan the Expected Time calculated by honest nodes, its block expires and willbe rejected by the honest ones. Also, by using this approach, it is not possibleto intentionally fork a blockchain. Furthermore, we show that our solution iscompliant to nodes churn. That is, nodes that freshly enter the system are ableto retrieve the âcorrect chainâ provided that a majority of nodes are honest.
As future research we would like to explore solutions for other weaknesses ofBitcoin such as Goldfinger attacks or double spending. Moreover, we would liketo investigate the privacy and anonymity of users. Note that the use of publiclogs leads to transparency but it has also negative effects on the privacy andanonymity of the users [14]. On the other hand, PoW causes some problems suchthat imposing participation in a mining pool managed by a single miner thatdecreases and may collapse decentralized nature of Bitcoin network particularlywhen a significant percentage of mining power belongs to a single mining pool(e.g. GHash.io [9,10]), a point at which a significant mining power of the networkis in hand of a miner who is the manager of the mining pool and may lead to51% attack.
References
1. Nakamoto, Satoshi. âBitcoin: A peer-to-peer electronic cash system.â Consulted1.2012 (2008): 28
2. Back, Adam. âHashcash-a denial of service counter-measure.â (2002)3. Decker, Christian, and Roger Wattenhofer. âInformation propagation in the bitcoin
network.â Peer-to-Peer Computing (P2P), 2013 IEEE Thirteenth InternationalConference on. IEEE, 2013
4. Eyal, Ittay, and Emin Gun Sirer. âMajority is not enough: Bitcoin mining is vul-nerable.â Financial Cryptography and Data Security. Springer Berlin Heidelberg,2014. 436-454
5. Garay, Juan, Aggelos Kiayias, and Nikos Leonardos. âThe bitcoin backbone pro-tocol: Analysis and applications.â Advances in Cryptology-EUROCRYPT 2015.Springer Berlin Heidelberg, 2015. 281-310
6. Courtois, Nicolas T., and Lear Bahack. âOn subversive miner strategies and blockwithholding attack in bitcoin digital currency.â arXiv preprint arXiv:1402.1718(2014)
7. Miers, Ian, et al. âZerocoin: Anonymous distributed e-cash from bitcoin.â Securityand Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013
8. Bonneau, Joseph, et al. âMixcoin: Anonymity for Bitcoin with accountable mixes.âFinancial Cryptography and Data Security. Springer Berlin Heidelberg, 2014. 486-504
ZeroBlock: Preventing Selfish Mining in Bitcoin 15
9. Eyal, Ittay. âThe minerâs dilemma.â Security and Privacy (SP), 2015 IEEE Sym-posium on. IEEE, 2015
10. Bastiaan, Martijn. âPreventing the 51%-Attack: a Stochastic Analysis ofTwo Phase Proof of Work in Bitcoin.â Availab le at http://referaat.cs. utwente. nl/conference/22/paper/7473/preventingthe-51-attack-a-stochastic-analysis-of-two-phase-proof-of-work-in-bitcoin. pdf. 2015
11. Gervais, Arthur, et al. âIs Bitcoin a decentralized currency?.â IACR CryptologyePrint Archive 2013 (2013): 829
12. Reid, Fergal, and Martin Harrigan. An analysis of anonymity in the bitcoin system.Springer New York, 2013
13. Dwork, Cynthia, and Moni Naor. âPricing via processing or combatting junk mail.âAdvances in CryptologyâCRYPTOâ92. Springer Berlin Heidelberg, 1993
14. Androulaki, Elli, et al. âEvaluating user privacy in bitcoin.â Financial Cryptogra-phy and Data Security. Springer Berlin Heidelberg, 2013. 34-51
15. Miers, Ian, et al. âZerocoin: Anonymous distributed e-cash from bitcoin.â Securityand Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013
16. Kroll, Joshua A., Ian C. Davey, and Edward W. Felten. âThe economics of Bitcoinmining, or Bitcoin in the presence of adversaries.â Proceedings of WEIS. Vol. 2013.2013
17. Fugger, Ryan. Money as IOUs in social trust networks and a proposal for a decen-tralized currency network protocol. Hypertext document. Available electronicallyat www.ripple. sourceforge. net(2004)
18. Yang, Beverly, and Hector Garcia-Molina. âPPay: micropayments for peer-to-peersystems.â Proceedings of the 10th ACM conference on Computer and communica-tions security. ACM, 2003
19. Saito, Kenji. i-WAT: the internet WAT systemâan architecture for maintainingtrust and facilitating peer-to-peer barter relationships. Diss. PhD thesis, GraduateSchool of Media and Governance, Keio University, 2006
20. Vishnumurthy, Vivek, Sangeeth Chandrakumar, and Emin Gun Sirer. âKarma:A secure economic framework for peer-to-peer resource sharing.â Workshop onEconomics of Peer-to-Peer Systems. Vol. 35. 2003
21. Stalder, Felix. âFailures and successes: notes on the development of electroniccash.â The Information Society 18.3 (2002): 209-219
22. http://www.mastercardconnect.com/mol/molbe/public/login/ebusiness/
smartcards/mondex/about/index.jsp
23. Dai, Wei. âB-money.â Consulted 1 (1998): 201224. Douceur, John R. âThe sybil attack.â Peer-to-peer Systems. Springer Berlin Hei-
delberg, 2002. 251-26025. Ben Sasson, Eli, et al. âZerocash: Decentralized anonymous payments from Bit-
coin.â Security and Privacy (SP), 2014 IEEE Symposium on. IEEE, 201426. Heilman, Ethan. âOne weird trick to stop selfish miners: Fresh bitcoins, a solution
for the honest miner.â (2014)27. Decker, Christian and Seider, Jochen and Wattenhofer, Roger. âBitcoin meets
strong consistency.â Proceedings of the 17th International Conference on Dis-tributed Computing and Networking, Singapore, 2016.
28. Kroll, Joshua A., Ian C. Davey, and Edward W. Felten. âThe economics of Bitcoinmining, or Bitcoin in the presence of adversaries.â Proceedings of WEIS. Vol. 2013.2013
29. Bahack, Lear. âTheoretical Bitcoin Attacks with less than Half of the Computa-tional Power (draft).â arXiv preprint arXiv:1312.7013 (2013)
16 ZeroBlock: Siamak Solat, Maria Potop-Butucaru
30. Luu, Loi, et al. âOn power splitting games in distributed computation: The case ofbitcoin pooled mining.â Computer Security Foundations Symposium (CSF), 2015IEEE 28th. IEEE, 2015
31. Sapirshtein, Ayelet, Yonatan Sompolinsky, and Aviv Zohar. âOptimal selfish min-ing strategies in Bitcoin.â arXiv preprint arXiv:1507.06183 (2015)
32. Babaioff, Moshe, et al. âOn bitcoin and red balloons.â Proceedings of the 13thACM conference on electronic commerce. ACM, 2012
33. Lewenberg, Yoad, et al. âBitcoin mining pools: A cooperative game theoretic anal-ysis.â Proceedings of the 2015 International Conference on Autonomous Agentsand Multiagent Systems. International Foundation for Autonomous Agents andMultiagent Systems, 2015