Mitigation of block withholding attack based on zero-determinant strategy

Research of BWH and mitigation strategy

Nakamoto (2009) proposed the concept of 51% attack. The ledger of the blockchain needs to be maintained by all the nodes in the network; an attacker must master 51% of the computing power of the whole network in order to tamper with the data in the ledger, which is recognized as the first attack on bitcoin consensus mechanism. Traditionally, it is believed that the safety of bitcoin can be guaranteed, as long as the miners possessing most of the computing power remain honest. With the development of bitcoin, Finney (Wikipedia, 2022) suggested that an attacker can realize double spending by maliciously withholding blocks. In 2011, Rosenfeld (2011) formally put forward the concept of BWH attack, which indicated after joining a mining pool, the attacker only provided the partial PoW (Kwon et al., 2017), maliciously withheld blocks, and simultaneously harmed the revenue of him/her and that of the pool. Courtois & Bahack (2014) extended the BWH attack, held that an attacker can freely distribute his/her computing power between mining independently and attacking the target pool, and demonstrated that the attacker can gain relatively more reward in this scenario. Bag, Ruj & Sakurai (2017) presented sponsored BWH attack to account for the probability that a miner might be employed by a pool to attack other pools. In 2014, the mining pool Eligius was hit by a massive BWH attack (Courtois & Bahack, 2014), which brought a loss of 300 BTC. The BWH attack both harms the interests of the pools, and threatens the stability of the bitcoin network. Therefore, an effective strategy should be designed to mitigate and resist such an attack.

One mitigation approach is to improve the PoW algorithm in terms of task assignment and reward mechanism. Rosenfeld (2011) presented the defense mechanism of task assignment. Under the mechanism, the administrator of a pool redistributes the effective PoW to the miners for calculation; any miner failing to submit the block is deemed as an attacker. However, the miners are forced by the administrator to complete additional computing tasks, resulting in a waste of computing power. Since the miners are rewarded by the administrator, who evaluates their contributions according to partial PoWs, Schrijvers et al. (2017) proposed an incentive-compatible reward mechanism, which encourages miners to submit blocks immediately in exchange for reward, thereby ensuring the revenue of the pool. Bag & Sakurai (2016) created the incentive mechanism with extra reward, which showed a miner submitting the block received an extra reward in addition to the reward proportional to his/her contribution, while an attacker never received any extra reward. Later, Bag, Ruj & Sakurai (2017) developed a mitigation scheme for the BWH attack between mining pools based on hash function encryption. Under the scheme, the attack is withstood as the miners cannot differentiate between partial and complete PoWs. Nevertheless, the attacking pool increases its revenue with the partial PoWs submitted by the infiltration miners, without needing to spend extra computing power to calculate the complete PoW. Hence, incentives do not work on the administrator of the attacking pool. Besides, the task assignment mechanism has an inherent defect, namely, the miners often carry out useless computations, resulting in a waste of computing power.

In 2015, Eyal (2015) explored the mining disaster induced by the BWH attack. Specifically, the game between mining pools was qualitatively analyzed under the mutual attacks between two pools and multiple pools, and treated as an iterated prisoner’s dilemma (IPD). The Nash equilibrium theory was adopted to prove that the mutual attacks reduced the revenues of all pools, forcing them to converge to the closed and stable state. Hence, another mitigation strategy for the BWH attack is grounded on the prisoner’s dilemma model. Tang et al. (2017) further investigated the pure strategy and mixed strategy problems in game dilemmas, and optimized the system revenue of single pool mining dilemma with the ZD strategy. Their strategy ensures that the revenue of attacking miners is linearly correlated with that of honest miners in the pool, increases the revenue of the entire pool, and mitigates the loss of the pool brought by the BWH attack.

Research of ZD strategy

The ZD strategy, initially proposed by Press & Dyson (2012) has attracted widespread attention. Hilbe, Traulsen & Sigmund (2015) considered three different strategy classes, including ZD, for the Iterated Prisoner’s Dilemma and characterized these three classes within the space of memory-one strategies. Ren et al. (2014) extend the theory of ZD strategies to multiplayer games to describe which strategies maintain cooperation and proposed two simple models of alliances in multiplayer dilemmas to show how individuals could further enhance their strategic options by coordinating their play with others. Later, Hilbe et al. (2015) pointed out that the ZD strategy was not evolutionarily stable in some cases, and stable in some other conditions. He et al. (2016) applied the ZD strategy to multi-person multi-strategy iterative game model, and proved that every player could act as the leader to control the expected revenue of his/her opponents. Hao, Rong & Tao (2015) proposed a general model of the ZD strategies for noisy repeated games and derived the pinning strategy under noise, by which the ZD strategy player coercively sets the opponent’s expected payoff to his desired level, although his payoff control ability declines with the increase of noise strength. Mcavoy & Hauert (2017) applied the ZD strategy theory from traditional synchronous games to alternate games, and discussed the autocratic strategy both in a strictly-alternating game and in a randomly-alternating game. Ueda & Toshiyuki (2020) provided a general framework for investigating situations where more than one players employ ZD strategies in terms of linear algebra and theoretically proved general mathematical properties of the ZD strategy. Ueda (2021) defined and provided examples of memory-two ZD strategy in the repeated prisoner’s dilemma game. McAvoy & Hauert (2016) introduced a broader class of autocratic strategies by extending ZD strategies to iterated games with the continuous action space. These studies have enriched the theory of ZD strategy.

In reality, the ZD strategy has been applied in various fields, for its good properties and unlimited research potential. Daoud, Kesidis & Liebeherr (2014) introduced the ZD strategy to the secondary sharing of licensed spectrum, likened the licensed spectrum problem to the non-cooperative iterative game model of power control, and determined the long-term mean rate by changing the power level for the maximal value, which could be realized through the ZD strategy. Zhang et al. (2014a) applied the ZD strategy to manage the deceptions in wireless network cooperation and to share wireless network resources (Zhang et al., 2016), and described the resource sharing between players with an IPD game model. Regardless of the opponent’s strategy, a player could guarantee the high and stable system revenue with the ZD strategy. Zhang et al. (2014b) also implemented the ZD strategy to small cell networks to maximize the system revenue. Pan et al. (2014) incorporated the ZD strategy to public good game model, and drew the following conclusions. When the number of players or the multiplication factor was small, a player could unilaterally control the expected revenue of all the other players through the ZD strategy, and set the proportion of his/her own revenue to the overall revenue of all the other players. In the IPD game model, regardless of the opponent’s strategy, the ZD strategy can control the expected revenue of the opponent, and keep it linearly correlated with the expected revenue of the player adopting the strategy. All the above studies provide a reference for our research, which tries to migrate the BWH attack with the ZD strategy.

Calculation of actual revenue of mining pool

The BWH attack can be traced back to the nascency of pool mining. The attacker could be an administrator of a mining pool. He/she might arrange the computing power under his/her control to mine honestly or infiltrate another pool. The attacking behavior is either honest mining or withholding blocks. Such an attack will harm the mining revenue of the attacked pool and other participants. The attacking miners will only send partial PoWs to the attacked pool, and discard any complete PoW being acquired. The pool will continue to distribute mining revenue to the attacker, but cannot benefit from the computing power of the attacker. In this way, both the revenue of every participant of the attacked pool and that of the attacker will be lowered. However, the pool that launches the attack eyes the maximization of its own revenue. Then, whether the revenue of the attacking pool will increase or decrease through the BWH attack? To answer this question, it is necessary to define the calculation formulas for the pool revenues.

• 1. Pool revenue

For simplicity, the computing power is regarded as equivalent to the revenue. The greater the computing power, the stronger the competitiveness of a pool, and the more revenue acquired by the pool through mining. Obviously, the total revenue of the bitcoin system is the revenue obtained by the effective computing power of the system. The system computing power H is defined as the total computing power of all miners in the bitcoin network. The effective computing power of the system is equal to the system computing power minus the computing power for the BWH attack H_attack. Similarly, the total computing power of a pool h_pool minus the computing power for the BWH attack h_attack is the effective computing power of a pool. Then, the revenue of a pool can be defined as

(1) $$R_{pool}={\displaystyle \frac{h_{pool}-h_{attack}}{H-H_{attack}}.}$$

• 2. Average revenue of miners

The average revenue of the miners in a pool can be defined as

(2) $$R_{miner}={\displaystyle \frac{R_{pool}}{h_{pool}}.}$$

• 3. Honest mining revenue

The honest mining revenue of a miner is the average revenue of the miners multiplied by the computing power of honest miners. That is, the honest mining revenue is distributed according to the computing power of honest miners h_honest as a proportion of the total computing power of the pool h_pool. The formula is

(3) $$R_{honest}=h_{honest}\cdot {\displaystyle \frac{R_{pool}}{h_{pool}}=h_{honest}\cdot R_{miner}.}$$

• 4. Attack revenue

The attack revenue is the product of the average revenue of the miners in the attacked pool and the computing power of the attack h_attack.

(4) $$R_{attack}=h_{attack}\cdot {\displaystyle \frac{R_{pool}}{h_{pool}}=h_{attack}\cdot R_{miner}}$$

• 5. Actual revenue

The actual revenue of a pool is the sum of the revenue of honest mining and the attack revenue.

(5) $$R_{real}=R_{honest}+R_{attack}$$

The actual bitcoin network is rather complicated. There are many mining pools in the whole network. Each pool has complex mining behaviors. To facilitate the analysis of the BWH attack, this paper considers the simplest situation, i.e., there are only two pools named Pool₁ and Pool₂ in the network, and the other miners conduct mining honestly and independently. Suppose the computing power of the entire network is 1, and the computing power of Pool₁, Pool₂ and the other miners are h₁, h₂ and h₃, respectively. It is obvious that h₁ + h₂ + h₃ = 1. The administrator of each pool distributes block reward fairly to each miner according to his/her proportion of computing power. If no attack takes place, the actual revenues of Pool₁ and Pool₂ are h₁ and h₂, respectively. The following is an analysis on the revenue variation of each pool under two difference scenarios, namely, the BWH attack launched by only one pool and the attack launched by both pools.

Unilateral attack

Figure 1 shows the scenario of unilateral attack. It is assumed that Pool₁ attacks Pool₂ with r₁h₁ (0 < r₁ < 1) of its own computing power, and conducts honest mining with the remaining computing power $\left(1-r_1\right)h_1$, while Pool₂ does not attack Pool₁. Note that r₁ is the infiltration rate, i.e., the percentage of infiltration miners in all miners of the pool (Normally, r₁ = 0.1). Then, the effective computing power of the entire network is 1 − r₁h₁.

The pool revenues of Pool₁ and Pool₂ are

(6) $$R_{poo{l}_1}={\displaystyle \frac{\left(1-r_1\right)h_1}{1-r_1{h}_1},}$$

(7) $$R_{poo{l}_2}={\displaystyle \frac{h_2}{1-r_1{h}_1}.}$$

The average revenue of the miners in Pool₁ and Pool₂ are

(8) $$R_{mine{r}_1}={\displaystyle \frac{1}{1-r_1{h}_1},}$$

(9) $$R_{mine{r}_2}={\displaystyle \frac{h_2}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}.}$$

The honest mining revenue of a miner in Pool₁ and Pool₂ are

(10) $$R_{hones{t}_1}={\displaystyle \frac{\left(1-r_1\right)h_1}{1-r_1{h}_1},}$$

(11) $$R_{hones{t}_2}={\displaystyle \frac{h_2^2}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}.}$$

The attack revenue of Pool₁ is

(12) $$R_{attac{k}_1}={\displaystyle \frac{r_1{h}_1{h}_2}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}.}$$

The actual revenue of Pool₁ and Pool₂ are

(13) $$R_{rea{l}_1}={\displaystyle \frac{h_1{h}_2+r_1{h}_1^2-{r_1}^2{h}_1^2}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)},}$$

(14) $$R_{rea{l}_2}={\displaystyle \frac{h_2^2}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}.}$$

If Pool₁ does not launch an attack, the original revenue of Pool₁ is R′_real1 = h₁. Let $\mathrm{\Delta }{R}_1=R_{rea{l}_1}-R_{rea{l}_1}^{\mathrm{\prime }}={\displaystyle \frac{r_1{h}_1^2\left(r_1{h}_1-r_1+h_2\right)}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}}$, where ${\displaystyle \frac{r_1{h}_1^2}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}>0}$. When $r_1<{\displaystyle \frac{h_2}{1-h_1}}$, r₁h₁ − r₁ + h₂ is also greater than zero, i.e., ΔR₁ > 0. In this case, Pool₁ can obtain more revenue than what it can obtain without launching any attack. Apparently, there is a suitable infiltration rate for Pool₁ to maximize its revenue, showed in Fig. 2.

If Pool₁ does not launch an attack, the original revenue of Pool₂ is R′_real2 = h₂. Then, $\mathrm{\Delta }{R}_2=R_{rea{l}_2}-R_{rea{l}_2}^{\mathrm{\prime }}={\displaystyle \frac{r_1{h}_1{h}_2\left(r_1{h}_1+r_1{h}_2-1\right)}{\left(1-r_1{h}_1\right)\left(r_1{h}_1+h_2\right)}}$. Since r₁h₁ + r₁h₂ − 1 < 0 and any other term in the formula is greater than zero, ΔR₂ < 0. Hence, as shown in Fig. 2, an attack by Pool₁ will definitely lower the revenue of Pool₂. Therefore, a rational pool will choose to attack in order to control its own loss, that is, both pools will choose to attack. The total revenue of miners engaged in independent mining is $R_3={\displaystyle \frac{h_3}{1-r_1{h}_1}}$. Since 1 − r₁h₁ < 1, the actual revenue of these miners is greater than the original revenue h₃.

Mutual attacks

Under the premise that Pool₁ launches an attack, it is assumed that Pool₂ attacks Pool₁ with r₂h₂ (0 < r₂ < 1) of its computing power, as is shown in Fig. 3. In this case, the effective computing power of the entire network is 1 − r₁h₁ − r₂h₂.

The pool revenues of Pool₁ and Pool₂ are

(15) $$R_{poo{l}_1}={\displaystyle \frac{\left(1-r_1\right)h_1}{1-r_1{h}_1-r_2{h}_2},}$$

(16) $$R_{poo{l}_2}={\displaystyle \frac{\left(1-r_2\right)h_2}{1-r_1{h}_1-r_2{h}_2}.}$$

The average revenue of the miners in Pool₁ and Pool₂ are

(17) $$R_{mine{r}_1}={\displaystyle \frac{\left(1-r_1\right)h_1}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(\left(1-r_1\right)h_1+r_2{h}_2\right)},}$$

(18) $$R_{mine{r}_2}={\displaystyle \frac{\left(1-r_2\right)h_2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(r_1{h}_1+\left(1-r_2\right)h_2\right)}.}$$

The honest mining revenue of a miner in Pool₁ and Pool₂ are

(19) $$R_{hones{t}_1}={\displaystyle \frac{{\left(1-r_1\right)}^2{h}_1^2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(\left(1-r_1\right)h_1+r_2{h}_2\right)},}$$

(20) $$R_{hones{t}_2}={\displaystyle \frac{{\left(1-r_2\right)}^2{h}_2^2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(r_1{h}_1+\left(1-r_2\right)h_2\right)}.}$$

The attack revenue of Pool₁ and Pool₂ are

(21) $$R_{attac{k}_1}={\displaystyle \frac{r_1\left(1-r_2\right)h_1{h}_2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(r_1{h}_1+\left(1-r_2\right)h_2\right)},}$$

(22) $$R_{attac{k}_2}={\displaystyle \frac{\left(1-r_1\right)r_2{h}_1{h}_2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(\left(1-r_1\right)h_1+r_2{h}_2\right)}.}$$

The actual revenue of Pool₁ and Pool₂ are

(23) $$R_{rea{l}_1}={\displaystyle \frac{{\left(1-r_1\right)}^2{h}_1^2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(\left(1-r_1\right)h_1+r_2{h}_2\right)}+{\displaystyle \frac{r_1\left(1-r_2\right)h_1{h}_2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(r_1{h}_1+\left(1-r_2\right)h_2\right)},}}$$

(24) $$R_{rea{l}_2}={\displaystyle \frac{{\left(1-r_2\right)}^2{h}_2^2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(r_1{h}_1+\left(1-r_2\right)h_2\right)}+{\displaystyle \frac{\left(1-r_1\right)r_2{h}_1{h}_2}{\left(1-r_1{h}_1-r_2{h}_2\right)\left(\left(1-r_1\right)h_1+r_2{h}_2\right)}.}}$$

Figure 4 shows the revenues of the two pools and honest miners at different infiltration rates, with h₁ = 0.3 and h₂ = 0.5. When the two pools attack each other, in most cases, the revenue of each side is lower than that of honest mining, yet higher than that under the scenario of being attacked but not attacking the other side. This phenomenon can be explained by the revenue variation of the miners engaged in independent mining. The actual total revenue of independent miners $R_3={\displaystyle \frac{h_3}{1-r_1{h}_1-r_2{h}_2}}$ is always above the original revenue h₃. Whereas the total revenue of the bitcoin system is fixed, the total revenue of Pool₁ and Pool₂ will definitely drop. In each round of mining, the best strategy for each pool is to attack the other side. When the system reaches the equilibrium, the revenue of each pool will be lower than that of honest mining. This is the mining dilemma, which is comparable to the classic prisoner’s dilemma in the game theory.

In the entire bitcoin system, a pool administrator can select the strategy for each round of mining, i.e., how much computing power should be reserved for mining in the pool, and how many miners should be sent to launch the BWH attack. From the perspective of the IPD, the continuous mining competition between pools is an iterative game. In each round, each pool, as a game party, can choose between launching an BWH attack (i.e., the defection strategy of the prisoner’s dilemma) and not to attack (i.e., the cooperation strategy of the prisoner’s dilemma).

Prisoner’s dilemma and IPD

The prisoner’s dilemma, proposed by A. W. Tucker in 1950 (Tucker & Luce, 1959), is a classic problem in the game theory. The model involves two members X and Y of a gang of robbers, who have been arrested and interrogated in separate rooms. If both plead guilty, i.e., choose defection, each will be sentenced to 3 years; if one pleads guilty and the other does not, the former will be released immediately, while the latter will be sentenced to 5 years; if both do not plead guilty, i.e., choose cooperation, each will be sentenced to 1 year.

The revenues of the two prisoners can be described by Table 1, where R is the reward for mutual cooperation; T is the temptation to defect for the defector; S is the sucker’s payoff when one party chooses defection and the other chooses cooperation; P is the punishment for mutual defection. These parameters satisfy T > R > P > S and 2R > T + S, and normally $\left(T,R,P,S\right)=\left(5,3,1,0\right)$. For X, if Y chooses cooperation, his/her best choice is defection; if Y chooses defection, he/she will also choose defection, because defection reduces his/her loss. Hence, regardless of the other party’s choice, the best choice is always defection. Rational prisoners will always betray each other. That is, (defection, defection) is the Nash equilibrium of the prisoner’s dilemma. However, the Nash equilibrium point is not necessarily the optimal strategy combination for system revenue. The revenue of the state is below that under (cooperation, cooperation). Therefore, the prisoners face the dilemma of selecting between cooperation and defection (Press & Dyson, 2012).

An iterative game is multiple (greater than two) repetitions of a game. If the prisoner’s dilemma only lasts one round, (defection, defection) is the inevitable outcome. In the Iterated Prisoner’s Dilemma (IPD) model, however, the same gamers encounter each other repeatedly. If a player chooses to defect, he/she must consider the fact that the other side also prefers defection to reduce loss. Hence, the revenues of both sides will remain low. Then, each side of the game faces the pressure that long-term revenue is better than short-term revenue. Since the game is iterative, a rational prisoner will not stick to defection, but cautiously choose between defection and cooperation according to the selection of the opponent in the previous round. Defection might evoke punishment from the opponent, and cooperation might invite a return favor. If the iterative game lasts indefinitely, the equilibrium of (cooperation, cooperation) might appear.

Experimental setting

The following are some classic strategies for the prisoner’s dilemma model.

1. Always Cooperate (AllC): always choose cooperation, regardless of the opponent’s behaviors. In this case, the selection probability is $AllC=\left(1,1,1,1\right)$, i.e., the BWH attack will never be launched, and the infiltration rate r = 0.

2. Always Defect (AllD): always choose defection, regardless of the opponent’s behaviors. In this case, the selection probability is $AllD=\left(0,0,0,0\right)$, i.e., the BWH attack will always be launched, and the infiltration rate r > 0.

3. Tit For Tat (TFT): choose cooperation initially, and choose the same strategy as the opponent’s strategy in the previous round. In this case, the selection probability is $TFT=\left(1,0,1,0\right)$.

4. Win-Stay, Lose-Shift (WSLS): set a threshold for revenue, and choose cooperation in the first round; in each of the following rounds, if the revenue is above the threshold, keep the strategy; otherwise, choose the opposite strategy. Here, the selection probability is defined as $WSLS=\left(1,0,0,1\right)$.

5. Random: choose a random strategy at a discrete probability.

X has a total of eight strategies, which are AllC, AllD, TFT, WSLS, Random, set strategy, extortionate strategy, and adaptive strategy. Y has a total of five strategies, which are AllC, AllD, TFT, WSLS, and Random. Through orthogonal design, a total of 30 different games were obtained for our experiments.

Simulation results and analysis

Simulation results of pairwise game

Let h₁ = h₂ = 0.4, and r₁ = r₂ = 0.1. Each game was simulated for 100 rounds. Then, the revenues of X and Y in each round of each game are summarized as the following Figs. 5 and 6.

It can be inferred from the above figures that if X chooses AllC, and Y chooses AllC, TFT, or WSLS, the two parties always cooperate with each other, and each party receives a revenue of R in each round. If X chooses AllC, and Y chooses AllD, X receives a revenue of S in each round, while Y receives T. Therefore, if Y unilaterally launches a BWH attack, his/her own revenue will increase at the cost of the other’s revenue. If X chooses AllD, and Y chooses AllD, the revenues of both X and Y are P. If X chooses AllD, and Y chooses TFT, the strategy will evolve into AllD in the second round. If X chooses AllD, and Y chooses WSLS, its strategy for each round will be the opposite to that for the previous round. If X chooses TFT, and Y chooses TFT or WSLS, the two parties will always cooperate with each other. If both choose WSLS, the two parties will always cooperate with each other.

Analysis of convergence of average revenue

Next, the initial cooperation probability of X was set to 0.9, and 500 rounds of game were simulated under the set strategy, extortionate strategy, and adaptive strategy of the ZD, respectively. The average revenue variation of each party is recorded in Fig. 7. Obviously, every set of game strategies could converge very quickly. After less than 10 rounds at least or no more than 40 rounds at most, the average revenue of both X and Y has been basically stable, indicating that the mining dilemma can be effectively mitigated.