Mining on multiple pools will make luck much less of an issue: https://bitcointalksearch.org/topic/mine-in-multiple-pools-to-reduce-variance-78031
@organofcorti - If you get a chance, there seems to be a paper that is trying to say that a block withholding attack is somehow * more profitable * for the attacker than legitimate mining... (someone linked to it a page or so ago in this thread)
I skimmed it and, honestly, was not able to come to that conclusion from what they described. I personally (and presumably others) would value your opinion a lot more on the topic, however, if you ever get around to checking it out.
The paper's fatal flaw was assuming that one miner's luck affected the other miners' luck, so if one pool had bad luck, the other participants in the network would have better luck to compensate. The "profit" conclusion (expressed in a nice little formula) hinged entirely on this false assumption.
https://bitcointalksearch.org/topic/m.7712963
baddw, I agree the paper has a number of conceptual and real-world inaccuracies, and as it stands I'd agree that it's wrong.
However, unless I'm completely off-base, I'd always thought it was trivial to show that a substantially sized block-withholding attack on one section of the network would increase the proportion of the network attributable to the attacking group, and therefore solve more blocks than expected before the next retarget.
This gets into "pool hashrate" versus "network hashrate" distinctions. (Which is another blind spot in the paper.) A pool will know its hashrate quite well, because pool miners are submitting low-difficulty shares constantly, and although there is minor variance, there are a huge number of low-difficulty shares to base its hashrate estimate off of. The network on the whole, however, does not know about the trillions of low-difficulty shares generated by miners, but only valid blocks which meet the full difficulty requirement. The overall network hashrate therefore is much harder to estimate, and much less accurate.
Let's say that the network hashrate is 1000 GH/s (simplify to 1000G for readability). And let's say that there is a large pool, it has 30% of the network hashrate or 300G. The other 70% (700G) can be considered monolithic. An attacker starts mining with the pool, and withholds all found blocks. This attacker has 100G, which technically adds 10% to the network hashrate. So the pool now thinks that it has 400G. But since the attacker is withholding all found blocks, this 100G is effectively wasted in the eyes of the network on the whole, and the network still thinks that it is mining at 1000G instead of 1100G. The pool will realize that something is up: that it is commanding 400G but is only earning blocks at a rate expected of 300G. But the network on the whole has no way of knowing that the pool has been accepting shares at a rate of 400G while effectively representing to the outside world that it is hashing at 300G.
So the pool will continue to find blocks at the rate of 30% of found blocks. The rest of the network will continue to find 70% of blocks. The 100G is essentially "phantom hashrate" as far as the network is concerned. They are a deadweight on the pool, and the pool will perceive its luck to drop to 75%, but all other miners (the honest 300G in the pool, and the honest 700G outside the pool) will continue to find blocks at the same rate as before. If the 700G outside the pool somehow knew about the attacker's 100G inside the pool, then maybe they would naïvely consider themselves lucky because they are earning 7/10 blocks when they should have only been earning 7/11 blocks (although they are not really lucky because the blocks will be coming slower overall, and the 700G will be generating blocks at the same rate regardless). However, the network as a whole cannot concern itself with knowing the inner workings of pools (nor indeed the true hashrate of other miners within the 70%), but must estimate pools' hashrate based on the number of found blocks. So again, the network as a whole would consider the pool to have 300G and leave it at that.
Now let's consider the scenario that the paper devises. In this scenario, all mining takes place in pools which are able to be attacked and which pay miners "in proportion to their contribution" (bad assumption, but we'll take it for now). We will also ignore difficulty adjustment (since the paper ignores it) and assume a set block difficulty for all time. The attacker has 200G out of a 1000G network, for 20% of the hashrate. First let's consider what would happen if the attacker simply solo-mined. They would earn 20% of all blocks, and the network would produce blocks at a rate associated with 1000G. (Let's say that it's 1 block every 10 minutes, on average, as designed.)
Now let's say that they implement the attack proposed in the paper. Instead of solo-mining with 200G, the attacker uses 100G to infiltrate pools, and 100G to solo-mine. The 100G in the pools means that the pools think that they have 900G in total, but with the 100G withholding blocks, they only hash at an network-effective 800G. The attacker's 100G solo-mining therefore represents 1/9th of the network and mines 1/9th of the blocks. The pools effectively represent 8/9ths of the network and therefore mine 8/9ths of the blocks. The 100G in the pool represents 1/8th of the pools' effective network hashrate, BUT it only represents 1/9th of the pools' known POOL hashrate. Therefore the attacker will only be paid 1/9th of the pools' earnings. Since the pools earn 8/9ths of the blocks, the attacker's 100G will earn 1/9th of that which is 8/81.
Now you say, "Aha! I've got you now, baddw! 1/9 + 8/81 = 17/81 = .20987 which is almost 5% greater than 20%!! The attacker has increased his earnings by 5%!" But the one thing that I left out of the above is that the network is now hashing at an effective rate of 800G (infiltrated pools) + 100G (solo mining attacker) = 900G. So the blocks are coming 10% slower, i.e. instead of averaging every 10 minutes, they are now coming at the average rate of every 11 minutes (or would it be 11.11 minutes? I'll go with 11 just to be conservative). In the 200G solo mining scenario, the blocks came every 10 minutes = 6 blocks per hour = 144 blocks per day. The 200G solo miner could expect to earn 28.8 blocks daily. Now if the blocks come every 11 minutes, the network is finding 130.9 blocks per day. 130.9 * 17/81 = 27.47 blocks per day. So the attacker's income is actually decreased under the 100G block withholding scenario. The attacker earns a greater percentage of blocks, but the rate of block production drops to compensate.
Of course, this discussion (as in the paper) ignored difficulty retargeting, which as we all know is a huge consideration for miners' profitability. As far as delayed difficulty retargeting goes; I discussed this in my follow-up https://bitcointalksearch.org/topic/m.7737259. The attacker will benefit from the additional time to retarget (additional shares submitted at the lower difficulty level = higher value per share), but only to the extent of the difference between the Current Difficulty and the Retargeted Difficulty, and only for the time period of the delay (a few hours, max?). The attacker also stands to benefit from the lesser difficulty increase when the retarget does occur. However, even the combined effect there would be much more subtle than the paper presents. The paper doesn't consider difficulty retargeting at all. And, unless I'm mistaken, in order to maximize these effects, the attacker would be better served by using ALL of their hashrate to execute block withholding attacks, and not solo-mine at all. Far from the paper's conclusion that it is "optimal" to split the hashrate 50/50.