On Power Splitting Games in Distributed Computation: The Case of Bitcoin Pooled Mining

Several new services incentivize clients to compete in solving large computation tasks in exchange for financial rewards. This model of competitive distributed computation enables every user connected to the Internet to participate in a game in which he splits his computational power among a set of competing pools -- the game is called a computational power splitting game. We formally model this game and show its utility in analyzing the security of pool protocols that dictate how financial rewards are shared among the members of a pool. As a case study, we analyze the Bitcoin crypto currency which attracts computing power roughly equivalent to billions of desktop machines, over 70% of which is organized into public pools. We show that existing pool reward sharing protocols are insecure in our game-theoretic analysis under an attack strategy called the "block withholding attack". This attack is a topic of debate, initially thought to be ill-incentivized in today's pool protocols: i.e., causing a net loss to the attacker, and later argued to be always profitable. Our analysis shows that the attack is always well-incentivized in the long-run, but may not be so for a short duration. This implies that existing pool protocols are insecure, and if the attack is conducted systematically, Bitcoin pools could lose millions of dollars worth in months. The equilibrium state is a mixed strategy -- that is -- in equilibrium all clients are incentivized to probabilistically attack to maximize their payoffs rather than participate honestly. As a result, the Bitcoin network is incentivized to waste a part of its resources simply to compete.

[1]  Emin Gün Sirer,et al.  Majority Is Not Enough: Bitcoin Mining Is Vulnerable , 2014, Financial Cryptography.

[2]  Graham Cormode,et al.  Practical verified computation with streaming interactive proofs , 2011, ITCS '12.

[3]  Tyler Moore,et al.  Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools , 2014, Financial Cryptography Workshops.

[4]  Joshua A. Kroll,et al.  The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries , 2013 .

[5]  Avi Wigderson,et al.  Multi-prover interactive proofs: how to remove intractability assumptions , 1988, STOC '88.

[6]  Ittay Eyal,et al.  The Miner's Dilemma , 2015, 2015 IEEE Symposium on Security and Privacy.

[7]  Elaine Shi,et al.  BIND: a fine-grained attestation service for secure distributed systems , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[8]  Nicolas Courtois,et al.  On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency , 2014, ArXiv.

[9]  Wenliang Du,et al.  Searching for High-Value Rare Events with Uncheatable Grid Computing , 2005, ACNS.

[10]  Justin Thaler,et al.  Time-Optimal Interactive Proofs for Circuit Evaluation , 2013, CRYPTO.

[11]  Yael Tauman Kalai,et al.  Delegating Computation , 2015, J. ACM.

[12]  Michael T. Goodrich Pipelined algorithms to detect cheating in long-term grid computations , 2008, Theor. Comput. Sci..

[13]  Adam Back,et al.  Hashcash - A Denial of Service Counter-Measure , 2002 .

[14]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[15]  Philippe Golle,et al.  Uncheatable Distributed Computations , 2001, CT-RSA.

[16]  Sanjeev Arora,et al.  Probabilistic checking of proofs: a new characterization of NP , 1998, JACM.

[17]  Meni Rosenfeld,et al.  Analysis of Bitcoin Pooled Mining Reward Systems , 2011, ArXiv.

[18]  Michael K. Reiter,et al.  Flicker: an execution infrastructure for tcb minimization , 2008, Eurosys '08.

[19]  Andreas Haeberlen,et al.  PeerReview: practical accountability for distributed systems , 2007, SOSP.

[20]  S. Goodman Toward Evidence-Based Medical Statistics. 1: The P Value Fallacy , 1999, Annals of Internal Medicine.

[21]  S. Holm A Simple Sequentially Rejective Multiple Test Procedure , 1979 .