Hold 'em, don't fold 'em: How to bite Bitcoin pools
Boffins demo withholding attack that could work on one ASIC and make an Evil Genius™ rich
Bitcoin's reward mechanism is based on publishing a solution to the block chain. What if an Evil Genius™ reversed this, and rewarded miners for withholding their solutions?
The simple answer: a pool of miners in which an Evil Genius™ withheld solutions would collapse. The surprise longer answer, presented in this paper at the International Association for Cryptologic Research (IACR), is that the attacker could conceivably end up in the black.
Yaron Velner (Hebrew University of Jerusalem), Jason Teutsch (University of Alabama at Birmingham) and Loi Luu (National University of Singapore) write that the problem arises in the mining pools that now account for most Bitcoin computation (as much as 95 per cent by some estimates).
“Withholding attacks” have been discussed since early in the blockchain's history, but Bitcoin's pretty resilient against them because if you want to mine coins and not tell anyone, you need enough computing power to be a miner. That means a lot of outlay for a slim return.
Rewarding others to withhold, the Velner/Teutsch/Luu paper suggests, is a lot more affordable, for the following reasons:
“In this work we propose to pay other miners to withhold blocks … an attacker with only 0.0000002% of Bitcoin’s computation power can reduce the revenue of a big pool to zero without any financial losses on his side. In fact the theoretical outcome of our attack (if miners are fully rational) is equivalent to a classical block withholding attack in which a miner rents Bitcoin’s entire hash power and withholds all the blocks that he finds.”
As they say on Twitter, “huge if true” – so let's drill down a little.
Nakamoto's original paper (PDF) mentions block withholding attacks as “an attacker trying to generate an alternate chain faster than the honest chain”.
Block withholding has typically been regarded as a double-spending attack. This paper instead describes a manipulation of the value of Bitcoin held in pools.
Each time a Bitcoin is successfully mined (that is, someone's rig finds the next solution), the math gets a little bit harder, and the next solution will take longer, or it'll need more computing power to find. That's why Bitcoin mining is now conducted in data centres and dedicated servers, rather than at home on PCs.
If blocks aren't published, they're not included in the assumption that makes Bitcoin progressively more difficult, and the result is that the attacker “benefits from reducing the effective hash rate of the entire network”.
Only if, however, they can do it for a small outlay – and that's where this attack is different. Instead of doing the mining themselves, an attacker with a modest home-scale setup can disrupt pools.
The requirement, the authors write, is merely that “the fraction of the network’s hash rate controlled by the attacker” is greater than “a miner’s reward for submitting a full solution to the pool”.
“This mining power is currently equivalent to 4 TH/s [tera-hashes per second – El Reg] mining power, which is obtainable by modern ASICs. Moreover, a miner with N ASICs could offer a reward that is N times higher and still make a profit.”
Were an Evil Genius™ to mount the attack, they'd need their minions to prove they're holding valid blocks, and that's one reason withholding attacks don't happen: storage sufficient for the minion to submit a proof to the attacker is expensive.
Instead, the attack asks the minion only for a “proof of stale work” – to prove that they're “performing sha256 operations over some data without an intention of submitting full solutions to the blockchain. When the withholder allocates his mining equipment for stale work, the effective hash power of the network is reduced.”
Crucially, because it's an attack on the pool mining protocol, the authors note that their attack does not affect the “Nakamoto consensus” that protects the “truth” of the Bitcoin blockchain. ®
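From the pool operator's side, a member who withholds full solutions while still submitting work shows up as a statistical anomaly: plenty of shares, no blocks. The sketch below is an added example, not code from the paper or from any pool, and it goes beyond the article in covering detection; it assumes standard share-based pool accounting (each share is a partial proof of work at a lower difficulty), and the miner names, difficulties and counts are constructed.

```python
import math

def tail_prob(shares, blocks, share_diff, net_diff):
    """P(an honest miner finds <= `blocks` full solutions in `shares` shares)."""
    p = share_diff / net_diff  # chance that one share also meets the network target
    return sum(math.comb(shares, k) * p**k * (1 - p) ** (shares - k)
               for k in range(blocks + 1))

def shares_needed(share_diff, net_diff, alpha=0.01):
    """Zero-block shares a pool must observe before rejecting honesty at level alpha."""
    p = share_diff / net_diff
    return math.ceil(math.log(alpha) / math.log1p(-p))

def flag_withholders(miners, net_diff, alpha=0.01):
    """Names of miners whose block count is improbably low for the work they claim."""
    return [m["name"] for m in miners
            if tail_prob(m["shares"], m["blocks"], m["share_diff"], net_diff) < alpha]

# Constructed sample data (not real network figures).
NET_DIFF = 1_000_000
MINERS = [
    {"name": "miner_a", "shares": 10_000, "share_diff": 1_000, "blocks": 9},
    {"name": "miner_b", "shares": 10_000, "share_diff": 1_000, "blocks": 0},
    # Too few shares to tell bad luck from withholding.
    {"name": "miner_c", "shares": 2_000, "share_diff": 1_000, "blocks": 0},
]

if __name__ == "__main__":
    for m in MINERS:
        pr = tail_prob(m["shares"], m["blocks"], m["share_diff"], NET_DIFF)
        print(f'{m["name"]}: P(blocks <= {m["blocks"]} | honest) = {pr:.5f}')
    print("flagged:", flag_withholders(MINERS, NET_DIFF))
    print("zero-block shares needed at alpha=0.01:", shares_needed(1_000, NET_DIFF))
```

The check only becomes decisive after a miner has submitted enough shares that several blocks were expected, which is why small members are hard to judge.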