Table of Links
-
Preliminaries
-
Selfish Mining Attack
3.2 Formal Model
We now formally model our selfish mining attack as an MDP. Recall, an MDP M = (π, π΄, π, π 0) is an ordered tuple where π is a finite set of states, π΄ is a finite set of actions overloaded to specify for each state π β π the set of available actions π΄(π ) β π΄, π : π Γ π΄ β D (π) is a probabilistic transition function, and π 0 β π is the initial state. Hence, in order to formally model our attack as an MDP, we need to define each of these four objects.
Model parameters. Our MDP model uses as a basis the System Model that we defined in Section 2.2. Thus, it is parameterized by the parameters π and πΎ, but also by three additional parameters specific the selfish mining attack itself. We use N to denote the set of all positive integers:
β’ Relative resource of the adversary. π β [0, 1] denotes the fraction of resources in the blockchain owned by the adversary.
β’ Switching probability. πΎ β [0, 1] denotes the probability of an honest miner switching to a newly revealed adversarial chain that is of the same length as the main chain.
β’ Attack depth. π β N denotes the depth of the adversaryβs attack on the chain, i.e. the number of last blocks on the main chain on which the adversary mines private forks.
β’ Forking number. π β N denotes the number of private forks that the adversary creates at each of the last π public blocks.
β’ Maximal fork length. π β N denotes the maximal private fork length. Introducing this parameter ensures that our MDP model consists of finitely many states, which is necessary since existing mean-payoff MDP solvers are applicable to finite state MDPs [18, 20]. We discuss the implications of this in Section 3.4.
MDP definition. We define the MDP M = (π, π΄, π, π 0) as follows:
β’ States. The state space is defined via
i.e. each state is defined as a triple (C, O, type) where C defines the current blockchain configuration (i.e. topology) up to depth π, O specifies who owns each block in the main chain up to depth π (honest miners or the adversary), and type specifies whether the parties are still mining or some party has mined a new block and is supposed to add it to the blockchain. In particular:
β For each 1 β€ π β€ π and 1 β€ π β€ π , we use C [π, π] to denote the length of the π-th private fork mined by the adversary at the depth π block on the main chain. Each private fork has length at most π, so we impose that each πΆ[π, π] β {0, . . . ,π }.
β For each 1 β€ π < π, we use O [π] to denote who owns the block at depth π in the main chain. In particular, O [π] = honest if the block is owned by honest miners and O [π] = adversary if the block is owned by the adversary.
β Finally, type specifies whether a new block to be added to the blockchain is still being mined in which case we set type = mining, or if some party has generated the proof and gets to add a new block in which case we set type = honest and type = adversary, respectively.
β’ Actions. The action space is defined via
Intuitively, mine prescribes that the adversary should not release any private forks and should simply continue mining new blocks. On the other hand, releaseπ,π,π prescribes that the adversary should publish the first π blocks of the π-th private fork mined on the block at depth π in the main chain. The set of available actions at each MDP state π = (C, O, type) is defined as follows:
β If type = mining, then π΄(π ) = {mine}.
β If type β {honest, adversary}, then π΄(π ) = {mine} βͺ {releaseπ,π,π | π β€ C [π, π]}, where the condition π β€ C [π, π] simply ensures that the length of the published part of the private fork cannot exceed the total length of the private fork.
β’ Transition Function. Finally, we define the transition function π : π Γ π΄ β D (π). Let π = (C, O, type) and π β π΄(π ) be an action available in π :
β If type = mining, then we must have π = mine as the only available action. The next state in the MDP is chosen probabilistically, based on who mines the next block and where. Recall, the honest miners own 1βπ fraction of resources in the blockchain and are mining on the main chain only, whereas the adversary owns π fraction of resources but mines on at most π Β· π private forks. Note that the adversary will concurrently mine on top of each private fork starting at public blocks up to depth π in the main chain, as well as on top of each public block up to depth π at which not all π private works were initiated. Hence:
β If type = honest and π = releaseπ,π,π , then the adversary publishes the first π blocks of the π-th private fork mined on the block at depth π in the main chain. Hence, the next MDP state is determined by the chain which gets accepted as the main chain by honest miners. If the newly published fork is strictly longer than the main chain, the honest miners accept it as the new main chain with probability 1. Otherwise, if the main chain and the published fork have the same length, then a βraceβ between the chains happens and the published fork becomes the main chain with switching probability πΎ. Hence:
where Cβ² and Cβ²β² are defined as the previous case. Note that if the published fork and the main chain are of the same length, the race cannot happen as the last block was mined by the adversary and enough time has passed for all the miners to receive the public chain
Authors:
(1) Krishnendu Chatterjee, IST Austria, Austria ([email protected]);
(2) Amirali Ebrahimzadeh, Sharif University of Technology, Iran ([email protected]);
(3) Mehrdad Karrabi, IST Austria, Austria ([email protected]);
(4) Krzysztof Pietrzak, IST Austria, Austria ([email protected]);
(5) Michelle Yeo, National University of Singapore, Singapore ([email protected]);
(6) ΓorΔe Ε½ikeliΔ, Singapore Management University, Singapore ([email protected]).
This paper is