Effective Selfish Mining Defense Strategies to Improve Bitcoin Dependability

Abstract

Selfish mining is a typical malicious attack targeting the blockchain-based bitcoin system, an emerging crypto asset. Because of the non-incentive compatibility of the bitcoin mining protocol, the attackers are able to collect unfair mining rewards by intentionally withholding blocks. The existing works on selfish mining mostly focused on cryptography design, and malicious behavior detection based on different approaches, such as machine learning or timestamp. Most defense strategies show their effectiveness in the perspective of reward reduced. No work has been performed to design a defense strategy that aims to improve bitcoin dependability and provide a framework for quantitively evaluating the improvement. In this paper, we contribute by proposing two network-wide defensive strategies: the dynamic difficulty adjustment algorithm (DDAA) and the acceptance limitation policy (ALP). The DDAA increases the mining difficulty dynamically once a selfish mining behavior is detected, while the ALP incorporates a limitation to the acceptance rate when multiple blocks are broadcast at the same time. Both strategies are designed to disincentivize dishonest selfish miners and increase the system’s resilience to the selfish mining attack. A continuous-time Markov chain model is used to quantify the improvement in bitcoin dependability made by the proposed defense strategies. Statistical analysis is applied to evaluate the feasibility of the proposed strategies. The proposed DDAA and ALP methods are also compared to an existing timestamp-based defense strategy, revealing that the DDAA is the most effective in improving bitcoin’s dependability.

1. Introduction

Blockchain technology has attracted intensive attention from industries, academia, and governments in the past decade [1,2,3,4]. A blockchain is a distributed cryptographic ledger, which consists of a growing list of data packages called blocks. Each block contains a timestamp, the transaction record, and the hash value of the previous block [5]. Its applications span from smart contracts to financial services, from voting to energy trading, and from supply chains to the Internet of Things [6,7,8,9,10]. In this paper, we focus on bitcoin, a peer-to-peer decentralized cryptocurrency system based on blockchain technology [11,12], with a market cap of exceeding USD 1 trillion in October 2021.

Because of being business-critical, bitcoin has become the target of diverse cyber-attacks, including, for example, Sybil attacks [13], Eclipse attacks [14,15], mining pool attacks [16], re-identification attacks [17], miner attacks [18], CryptoLocker-based attacks [19], and selfish mining attacks [20]. Correspondingly, considerable studies were expended in developing mitigation and defense strategies against those attacks. For example, Gervais et al. examined multiple countermeasures (including dynamic timeouts, updating block advertisements, and penalizing nodes that do not respond) to enhance the security of bitcoin [21]. Bamert et al. put forward a hardware token for securing transactions of bitcoin [22]. Göbel et al. applied Markov chains to detect block-hiding attacks by monitoring the production rate of orphan blocks [23]. In this work, we aim to develop effective strategies to defend the selfish mining attacks, also referred to as block withholding attacks. In such attacks, a selfish miner intentionally keeps the newly mined blocks for building his/her own branch and publishes the private branch to gain unfair revenue when the private branch is longer than the main chain by a certain number of blocks.

Considerable research efforts were devoted to the defense against selfish mining attacks. For example, Heilman proposed a timestamp-based method to examine and control the acceptance of new blocks [24]. Eyal and Sirer suggested a mitigation strategy based on the modification of the bitcoin protocol to cope with collusive selfish mining attacks [20]. Saad et al. developed a network-wide defense mechanism using expected transaction confirmation height and block publishing height [25]. A notion of the “truth state” was introduced to detect potential selfish mining behaviors. Wang et al. suggested a machine learning-based system (ForkDec) for highly accurate selfish mining detection [26]. Bicer et al. proposed a selfish mining mitigation algorithm called Fortis, which does not require a trusted authority for timestamps and protects the honest miner’s benefit against any attacker with a computational power of less than 27% [27]. Solat et al. proposed a solution named ZeroBlock to prevent honest nodes from accepting chains infested with block withholding; under this solution, miners are forced to release their blocks within an expected time, otherwise, their mined blocks expire and are rejected by honest miners [28]. Chen et al. proposed a prevention method for the block-withholding attack (PMBWA) based on a credit-level classification algorithm [29]. The algorithm weighs similarity and posterior probability to detect malicious behaviors.

In addition to the defense solutions, there are also studies on the analysis of bitcoin under selfish mining attacks. For example, Wang et al. put forward a mathematical model to investigate the effectiveness of selfish mining attacks, particularly the relationship between computational power and extra mining gain [30]. Motlagh et al. suggested an analytical model to investigate the impacts of selfish mining on the node response time, connectivity of the bitcoin, block delivery time, and arrival rate [31]. Yang et al. used a Markov model to assess the mining revenue, as well as the risk of bitcoin under selfish mining attacks [32]. Xia et al. investigated the influences of multiple miners on selfish mining and the vulnerability of bitcoin under different orphan rates [33]. Zhou et al. suggested a continuous-time Markov chain-based method to estimate the dependability of bitcoin with selfish mining behavior and examined the effects of several attacking and defending parameters on bitcoin dependability, where the dependability is defined as the probability that the system can function normally, i.e., the selfish mining attack is not successful [34].

This work makes contributions by suggesting defense strategies against selfish mining attacks. Particularly, two strategies, referred to as dynamic difficulty adjustment algorithm (DDAA) and the acceptance limitation policy (ALP), are proposed. Their performance and feasibility are investigated and compared through an analytical modeling method and statistical analysis. The results show the improvement using the proposed strategies is statistically significant. The proposed DDAA and ALP methods are also compared to an existing defense strategy to show their effectiveness.

The rest of the paper is arranged as follows. Section 2 presents the state transition diagram of bitcoin under the selfish mining attack and reviews the continuous-time Markov chain (CTMC)-based method for the dependability analysis. Section 3 introduces the DDAA strategy and shows the dependability improvement under this strategy. Optimal parameter selection is also discussed. Section 4 introduces the ALP strategy. Optimal parameter selection and strategy comparison are also discussed. Section 5 compares the proposed DDAA and ALP strategies with an existing timestamp-based method. Section 6 summarizes our research results and points out future study directions.

2. CTMC-Based Dependability Analysis

Figure 1 illustrates the main states and transitions among the states for bitcoin subject to selfish mining under the three-block strategy in the CTMC model.

State 0 is the initial state, where only one main chain exists without any branches. The system may transit from state 0 to state 1 when a malicious miner (MM) finds a block but keeps it secretly, leading to a private branch that is one block longer than the main chain; the transition rate is assumed to be λ₀₁. The system stays in state 0 with a rate of µ₀₀ if an honest miner (HM) mines the block first.

The system may transit from state 1 to state 2 when the MM successfully mines the next block on his/her private branch; the transition rate is denoted as λ₁₂. The system transits from state 1 to state 0′ when the HM mines the next block before the MM; the transition rate is denoted as µ_10′.

The system may transit from state 0′ to state 1 when the MM finds the new block first making the private branch one block longer than the main chain; the transition rate is λ_0′1. The system goes back to state 0 from state 0′ if the HM finds the new block first; the transition rate is µ₀₂₀₃₂₀.

The system may transit from state 2 to state 3 when the MM discovers the next block first; the transition rate is λ₂₃. The system transits from state 2 to state 1 if the HM discovers the next block first; the transition rate is µ₂₁.

The system may transit from state 3 to state 4 when the HM successfully discovers the next block; the transition rate is λ₃₄. In state 4, the MM broadcasts the private branch making it the main branch, thus the selfish mining attack succeeds.

Based on the state transition diagram in Figure 1, Equation (1) gives the state equations of the CTMC with the transition rate matrix and the state probability vector on the left-hand side and the vector of the state probabilities’ derivative on the right-hand side. Specifically, $P_k\left(t\right)$ in Equation (1) represents the probability that the bitcoin occupies state k (k = 0, 0′, 1, 2, 3, 4), and $\dot{P_k}\left(t\right)$ represents the derivative of $P_k\left(t\right)$.

$$\left[\begin{array}{cccccc}-{\lambda }_{01}& {\mu }_{0^{\prime }0}& 0& 0& 0& 0\\ 0& -\left({\mu }_{0^{\prime }0}+{\lambda }_{0^{\prime }1}\right)& {\mu }_{{10}^{\prime }}& 0& 0& 0\\ {\lambda }_{01}& {\lambda }_{0^{\prime }1}& -\left({\mu }_{{10}^{\prime }}+{\lambda }_{12}\right)& {\mu }_{21}& 0& 0\\ 0& 0& {\lambda }_{12}& -\left({\mu }_{21}+{\lambda }_{23}\right)& 0& 0\\ 0& 0& 0& {\lambda }_{23}& -{\lambda }_{34}& 0\\ 0& 0& 0& 0& {\lambda }_{34}& 0\end{array}\right]\left[\begin{array}{c}{P}_0\left(t\right)\\ P_{0^{\prime }}\left(t\right)\\ P_1\left(t\right)\\ P_2\left(t\right)\\ P_3\left(t\right)\\ P_4\left(t\right)\end{array}\right]=\left[\begin{array}{c}{\dot{P}}_0\left(t\right)\\ {\dot{P}}_{0^{\prime }}\left(t\right)\\ {\dot{P}}_1\left(t\right)\\ {\dot{P}}_2\left(t\right)\\ {\dot{P}}_3\left(t\right)\\ {\dot{P}}_4\left(t\right)\end{array}\right]$$

(1)

Applying the Laplace transform-based method using the initial state probabilities of $P_0\left(0\right)=1$ and $P_k\left(t\right)=0$ (for $k=0^{\prime }, 1, 2, 3, 4)$, as well as the condition of ${\displaystyle \sum }_{k=0,0\prime }^4{P}_k\left(t\right)=1$, the state probabilities $P_k\left(t\right)$ can be obtained. Refer to [34] for a detailed solution. The bitcoin dependability is D(t) = 1 − P₄(t) since the selfish mining attack succeeds in state 4. The CTMC-based method presented in this section is applied in Section 3 and Section 4 to evaluate the performance of the proposed defense strategies.

3. Dynamic Difficulty Adjustment Algorithm (DDAA)

In the bitcoin protocol, a difficulty parameter controls the overall mining difficulty. To counter the selfish mining attack, we propose the DDAA, which increases the mining difficulty (i.e., requiring higher computing power requirements) by adjusting the difficulty parameter when a successful selfish mining attack is committed. The increasing cost of the malicious attack because of the increasing computing power requirement disincentivizes any future attacks.

Specifically, let K be the difficulty controlling parameter, H be the hash rate that is determined by the available computing power and the value of K, β be the difficulty adjustment parameter, and λ be the state transition rate. In the proposed DDAA, H is negatively correlated with K because an increase in K means a decrease in the hash rate H (H_new). More specifically, a larger K means that more computation and power resources are needed to mine a block; given the same available resources, the hash rate decreases. In other words, to maintain the same hash rate, when K increases, an MM needs to upgrade their computing hardware, which reduces his/her attack reward, thus disincentivizing the attack.

Because a too big β will heavily decelerate the new block generation speed, thus affecting the normal mining process, to control the variance and reduce the impact on the bitcoin network, in our study we set a range for parameter β as 1 < β < 2 (meaning that the increase in the computing power requirement cannot exceed the twice of the original computing power requirement). In the context of the quantitative dependability analysis, the adjustments in K and H are reflected in the decrease in all the λ transition rates. Equation (2) gives the updating formula for K, H, and λ.

$$K\_new=\beta \times K, H\_new=H/\beta ,\mathrm{and}\mathrm{\lambda }\_new=\lambda /\beta .$$

(2)

To analyze the effectiveness and performance of the suggested DDAA, we evaluate the bitcoin dependability before and after the difficulty adjustment.

Table 1. State transition rate (per hour) values used for numerical analysis.

Rate	Set a	Set b	Set c	Set a′	Set b′	Set c′
λ01	0.03	0.12	0.34	0.024	0.096	0.272
λ0′1	0.11	0.11	0.11	0.088	0.088	0.088
λ12	0.06	0.18	0.56	0.048	0.144	0.448
λ23	0.04	0.04	0.04	0.032	0.032	0.032
λ34	0.36	0.36	0.36	0.288	0.288	0.288
${\mu }_{0\prime 0}$	0.24	0.24	0.24	0.24	0.24	0.24
${\mu }_{10\prime }$	0.12	0.12	0.12	0.12	0.12	0.12
${\mu }_{21}$	0.31	0.31	0.31	0.31	0.31	0.31

presents the transition rates related to the MM’s computing power (λ₀₁$,$ ${\lambda }_{0\prime 1},$ λ₁₂$,$ λ₂₃$,$ λ₃₄) and the transition rates related to the HM’s recovery capability (${\mu }_{0\prime 0},$ ${\mu }_{10\prime },$ ${\mu }_{21}$). The values of those transition rates are designed based on the statistics and studies from [35]. Specifically, values in sets a, b, and c are the original values corresponding to the low, medium, and high computing power of the MM. Using Equation (2) with β = 1.25 (selected for the illustration purpose), the adjusted values of all λ are presented in sets a′, b′, and c′ in Table 1.

3.1. Effects of the DDAA on Bitcoin Dependability

Table 2. Bitcoin dependability and comparisons.

t (hrs)	Set a	Set a′	a–a′	Set b	Set b′	b–b′	Set c	Set c′	c–c′
6	0.9995	0.9998	0.0003	0.9950	0.9977	0.0027	0.9745	0.9868	0.0123
12	0.9964	0.9983	0.0019	0.9705	0.9847	0.0142	0.8887	0.9335	0.0448
18	0.9907	0.9954	0.0047	0.9334	0.9631	0.0297	0.7911	0.8646	0.0735
24	0.9835	0.9915	0.0080	0.8924	0.9379	0.0455	0.7007	0.7961	0.0954
30	0.9755	0.9872	0.0117	0.8515	0.9117	0.0602	0.6202	0.7319	0.1117
36	0.9670	0.9826	0.0156	0.8119	0.8855	0.0736	0.5489	0.6726	0.1237

presents bitcoin dependability at different mission times under the six sets of parameters (calculated using the CTMC-based method in Section 2) and the difference in the dependability values for each comparison. Figure 2, Figure 3 and Figure 4 illustrate the results graphically. It is apparent that bitcoin dependability improves after the adjustment and the improvement becomes more significant as the mission time proceeds.

We apply the paired t-test to examine the effects of the proposed DDAA algorithm. A significant result should prove the feasibility of the algorithm. Before each t-test, we run the F-test to examine the homogeneity of variance of each data pair [36].

Table 3. The p-value in F-test and t-test.

	Set a vs. Set a′	Set b vs. Set b′	Set c vs. Set c′
F-test	0.1914	0.3090	0.5277
t-test	0.0164	0.0097	0.0034

summarizes the results of the F-test and t-test for each comparison.

For each comparison, the p-value obtained in the F-test is greater than 0.05. So, we accept the null hypothesis. The two datasets in each comparison pass the homogeneity of the variance test. The p-value obtained in the t-test is less than 0.05. So, we reject the null hypothesis. Thus, the dependability values of the two sets in each comparison are significantly different, and the dependability after the adjustment is significantly higher than that before the adjustment.

3.2. Optimal Parameter Selection for Parameter β

In this section, we examine the optimal value selection for the key parameter β using set a. In other words, we determine the value of β that can offer the largest degree of improvement in Bitcoin dependability under the DDAA strategy. We run a series of tests with different values of β. Among the values tested, the lowest p-value is obtained at β = 1.43, as shown in

Table 4. The results of the p-value when β varies from 1.1 to 1.6 under the DDAA.

β	1.1	1.25	1.43	1.6
p-value	0.0191	0.0164	0.0145	0.0173

and Figure 5. Bitcoin dependability under the DDAA with β = 1.43 at t = 36 h is 0.983.

4. Acceptance Limitation Policy (ALP)

The traditional bitcoin system adopts the proof-of-work (POW) protocol as its consensus mechanism. The longest chain broadcast is accepted as the valid version of the bitcoin main chain. The selfish mining attacker takes advantage of this mechanism by intentionally withholding his/her mined blocks and publishing his/her longer private chain. The ALP intends to set a limitation to the acceptance ratio when multiple blocks are broadcast at the same time. Let γ be the limitation ratio. This process is equal to reducing the transition rate λ₃₄ using Equation (3):

λ_{34_new} = λ₃₄ × γ where 0 < γ ≤ 1

(3)

To investigate the effectiveness of the ALP, we apply Equation (3) to generate the parameter set a″ based on set a, and both are presented in

Table 5. State transition rate (per hour) values used for numerical analysis of the ALP.

Rate	λ01	λ0′1	λ12	λ23	λ34	${\mathit{\mu }}_{0\prime 0}$	${\mathit{\mu }}_{10\prime }$	${\mathit{\mu }}_{21}$
Set a	0.03	0.11	0.06	0.04	0.36	0.24	0.12	0.31
Set a″	0.03	0.11	0.06	0.04	0.36 × γ	0.24	0.12	0.31

.

Figure 6 shows bitcoin dependability for five different values of γ, where γ = 1 corresponds to the case before the adjustment. It is observed that as the value of γ decreases, the improvement in bitcoin dependability becomes more significant.

To select the optimal value for the key parameter γ (i.e., the value that provides the largest degree of dependability improvement), we run a series of tests using different values of γ and compute the p-value. Among the values of γ tested, the lowest p-value 0.0033 is obtained at γ = 0.8, as shown in

Table 6. The results of the p-value under the ALP.

γ	0.6	0.7	0.8	0.9
p-value	0.0049	0.0044	0.0033	0.0057

and Figure 7.

It can be observed from the above results that the optimal p-value under the ALP is 0.0033, which is lower than the optimal p-value of 0.0145 obtained under the DDAA (Section 3.2). Therefore, in terms of the degree of improving dependability, the ALP performs better than the DDAA in defending selfish mining attacks. However, in terms of the absolute improvement in dependability, the DDAA is more effective than the ALP since the DDAA works on λ₀₁, λ_0′1, λ₁₂, λ₂₃, and λ₃₄, while the ALP only reduces one of those transition rates λ₃₄.

5. Comparative Studies

Heilman suggested a timestamp-based method (TM) to defend selfish mining [24]. The TM-based strategy applies an unforgeable timestamp to ensure that a particular block is mined no later than the timestamp. A random beacon is used as an input to a block. Any miner can act like a verifier to prove that a block has been mined recently. Thus, any block without a timestamp or with an out-of-date timestamp is dropped upon detection. This process is equal to reducing the transition rates ${\mu }_{0\prime 0},$ ${\mu }_{10\prime },$ and ${\mu }_{21}$ using Equation (4):

μ_{_new} = μ × ω where ω > 1

(4)

To compare the effectiveness of the proposed methods and the existing TM method, we use Equation (2) with β = 1.2, 1.4, and 1.6 (for the DDAA), Equation (3) with γ = 1/1.2, 1/1.4, and 1/1.6 (for the ALP), and Equation (4) with ω = 1.2, 1.4, and 1.6 (for the TM) to adjust the parameter set a in Table 1, as summarized in

Table 7. State transition rate (per hour) adjustments under the DDAA, ALP, and TM.

Set	λ01	λ0′1	λ12	λ23	λ34	${\mathit{\mu }}_{0\prime 0}$	${\mathit{\mu }}_{10\prime }$	${\mathit{\mu }}_{21}$
DDAA-a	0.03/β	0.11/β	0.06/β	0.04/β	0.36/β	0.24	0.12	0.31
ALP-a	0.03	0.11	0.06	0.04	0.36×γ	0.24	0.12	0.31
TM-a	0.03	0.11	0.06	0.04	0.36	0.24×ω	0.12×ω	0.31×ω

.

The results in

Table 8. Bitcoin dependability under the DDAA, ALP, and TM.

t (hrs)	β = 1.2	γ = 1/1.2	ω = 1.2	β = 1.4	γ = 1/1.4	ω = 1.4	β = 1.6	γ = 1/1.6	ω = 1.6
6	0.9997	0.9995	0.9995	0.9998	0.9996	0.9996	0.9999	0.9996	0.9996
12	0.9980	0.9967	0.9969	0.9988	0.9969	0.9972	0.9992	0.9971	0.9976
18	0.9948	0.9912	0.9922	0.9968	0.9917	0.9934	0.9979	0.9921	0.9944
24	0.9905	0.9842	0.9866	0.9940	0.9848	0.9889	0.9960	0.9854	0.9907
30	0.9857	0.9762	0.9804	0.9909	0.9769	0.9840	0.9938	0.9776	0.9868
36	0.9805	0.9678	0.9739	0.9875	0.9678	0.9790	0.9914	0.9693	0.9828

and Figure 8 show that for every comparison group (β = ω = 1/γ = 1.2, 1.4, and 1.6), the bitcoin system under the DDAA always has the highest dependability among the three defense strategies. Thus, we conclude that the DDAA has better defense effectiveness than the TM and ALP approaches in terms of absolute dependability improvement.

6. Conclusions and Future Directions

The bitcoin network is developed based on blockchain technology. It is considered one of the most dependable systems because of its distributed, decentralized, and unchangeable features. However, there are diverse attacks targeting bitcoin in the past few years (e.g., Eclipse attacks, Sybil attacks, and selfish mining attacks), which have caused tremendous losses. This work focuses on the selfish mining attack, where selfish miners intentionally withhold the mined block and build their own private chain. The malicious miners then publish their longer chain at a certain point in time to win all mining rewards. Most of the existing research on the selfish mining attack focused on adversary risk detection and cryptography design. There is a lack of studies on strategies that improve bitcoin system dependability and on the statistical proof of the significance of the effectiveness. Our research contributes to the state of the art by designing two defense strategies of the DDAA and ALP and verifying their effectiveness using the CTMC-based dependability analysis, as well as the t-test-based statistical analysis. The analysis results show that both strategies can greatly improve bitcoin dependability. Additionally, by comparing the optimal cases, it was found that the ALP performs better than the DDAA in the degree of dependability improvement. The two proposed strategies are also compared with the existing TM-based strategy. The comparative studies show that the DDAA is the most effective in improving bitcoin dependability.

In a future study, we will extend the defense strategies designed in this work to mitigate other types of attacks, such as Eclipse attacks and Sybil attacks. We also plan to develop a universal defense strategy to improve the resilience of the blockchain-based digital currency network.