the attacker does not gain any direct benefit by performing the attack
Hi guys,
It is NOT true that the attacker cannot benefit from such an attack!
In our paper published 6 months ago we explain how to make block withholding attacks PROFITABLE.
It is very very simple and gains can be quite substantial in practice, see:
http://arxiv.org/abs/1402.1718Well, the first assumption under the block withholding section of that paper is already wrong.
We assume that all miners mine in pools, small and large. Miners in one pool mine with the public key of the pool manager which later re-distributes the gains.
Both Eligius and P2Pool do not use this method.
Not to speak for the authors, but I believe that this doesn't change anything.
We assume that the pool managers are perfectly neutral and do not try to detect or prevent any unusual behavior.
Also untrue, at least in the case of Eligius, as made obvious previously.
While I'm just going to stop there, since some of your initial assumptions are just wrong, I must assume the balance of the section is equally so. Skimming it looks like you assume the withholding miner has some 20% of the network hash rate... then go on to say they can have greater returns by withholding than legitimate miners somehow. Magic I guess.
They make several assumptions at the beginning, just to allow the result to follow cleanly. This is done all the time in economics and the sciences. See "Assume a spherical cow." It is known to the authors that these assumptions may be unrealistic, but if they hold even partially then the result can hold even partially. Once an interesting result comes out, it is the job of the authors' peers and the public at large to debate the assumptions, and to what extent they are true. Which is obviously what you are doing, but don't use the assumption to as an excuse to write the authors off as idiots and discard the entire argument.
Ultimately, though, the paper has a major logic fail. The paper takes the example that the attacker has a large amount of hashrate (20% of the network), splits it into two (10% and 10%) and puts 10% in a pool, and 10% solo-mining. They do some math that basically tries to show that by withholding the blocks from the pool, the pool has its apparent luck reduced, while everybody else has their apparent luck increased. (See the logic fail already?) They claim that the increase in luck for the non-pool 10% is a net gain, besides getting fairly paid for the pool 10%.
The fatal flaw is the (understandable, to naïve Bitcoiners) assumption that the apparent luck of a given pool/miner going down, equates to an increase in the apparent luck of everybody else on the network. This is a gross misunderstanding of the stochastic nature of Bitcoin mining. The paper treats Bitcoin mining like a lottery with 500 tickets, distributed among 500 miners, so that when 50 miners are removed from the room, then the other miners have an increased chance of winning (1/450 instead of 1/500). Rather, it is like having 500 miners set up at tables, each of them rolling 10 dice constantly, and every time they roll 10 6's, they get paid. Removing 50 miners from the room would not affect the chances of any of the remaining 450 rolling 10 6's (although it would slow down the overall rate of miners rolling 10 6's..... if 500 people produced this result on average once an hour, 450 people would produce the result on average once every 1.11 hours, to do some simple math -- which may not be entirely appropriate (stats was never my strong suit) but it illustrates the point.).
Naïvely, yes, each block now has a chance of being found by only 450 people, not 500. However,
the mining income per unit of time by each miner does not change. Each miner (assuming they all roll the dice at the same rate) maintains the same income per hour/day/month. Looking at results "per block" instead of "per unit time" will lead to silly results like the ones in this paper. There are an infinite amount of blocks; while they do only come one at a time, they are not exactly a scarce commodity. Like Whack-a-Mole, each time a block is solved, another block pops up in its place.
Yes, mining is a "race" for every block, and the first to find the block gets the reward; but there is always a new block to start on. There could be some very complex and relatively subtle effects in the network, due to block propagation and that kind of thing, but the paper doesn't even start to think about that... and I think it would mostly be noise, with some positives for those on low-latency Internet connections, which all pools and presumably any large solo-miner would be sure to have. Ignoring network delays, every miner (and mining pool) has an equal and independent chance of mining a block, based solely on their hashrate. Eligius' luck does not impact the luck of Ghash.io. Everybody's luck is calculated against the Bitcoin difficulty, not against any other miner's luck. The overall luck of the entire Bitcoin network does not add up to 100%; in fact, it is for this reason that the difficulty adjustment occurs in the first place.
The only impact that such an attack would have is to try to ruin the pool, or to earn BTC without impacting the difficulty. (Which, granted, could be goals of an attacker.) But the attacker could not *gain* anything by such an attack. Their 10% would earn just as much BTC by solo mining as they get in the pool; and the other 10% would not earn any more or less.
It is alarming that a PhD who studies and teaches cryptography would make such a mistake.
BTW, thinking through all of this made me realize how important it is that Eligius kept the BTC from that miner who was doing block withholding. The bad actor must have something at risk by withholding blocks; if they are found out and the payment is withheld, they have wasted that hashpower (electricity costs, + time value of miners) for no reward, where they could have found blocks and gained the rewards from solo-mining (or mining with the pool, but not withholding blocks). It is critical that all pools keep up this kind of vigilance, and leave no question that any discovered block withholders will in turn have their funds withheld. So they will have nothing to gain, and something to lose.