Professional Documents
Culture Documents
An Evaluation of Uncle Block Mechanism Effect On Ethereum Selfish and Stubborn Mining Combined With An Eclipse Attack
An Evaluation of Uncle Block Mechanism Effect On Ethereum Selfish and Stubborn Mining Combined With An Eclipse Attack
ABSTRACT Ethereum accelerates the transaction process through a quicker block creation design. Since
the time interval between the generation of blocks is very short (about 15s), block propagation time in an
inefficient network is not negligible compared with the block time interval. This lead to the production of a
large number of orphan blocks. In order to solve the security problems that may be caused by the orphan block
and improve the transaction processing efficiency, Ethereum introduces the uncle block mechanism, i.e., an
orphan block may get part of minted reward if it gets a reference by a regular block. In this paper, we show
the weakness of the uncle block mechanism. Firstly, we describe the specific differences of Ethereum selfish
and stubborn mining in every state from the ones in Bitcoin. Secondly, we simulate possible attacks, and
the results show that the Ethereum selfish and stubborn mining strategies not only increase the reward of
an attacker but also decrease the security threshold. The security threshold refers to the proportion of the
attacker’s computational power that needs to be achieved in order to obtain a higher reward than he should.
In a practical network congestion rate, the security threshold are weakened to 0.129 and 0.216 against the
Lead stubborn mining strategy and the original selfish mining strategy, respectively. When the congestion rate
is rising, the reward is increasing and the threshold is decreasing. Thirdly, possible strategies are evaluated
to find out the optimal one in different settings. Fourthly, we also extend the evaluation by combining three
eclipse attack strategies with selfish or stubborn mining. Most of combinations bring more advantages to an
attacker than a single strategy.
INDEX TERMS Ethereum, uncle block, selfish mining, stubborn mining, eclipse attack.
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see http://creativecommons.org/licenses/by/4.0/
VOLUME 8, 2020 17489
Y. Liu et al.: Evaluation of Uncle Block Mechanism Effect on Ethereum Selfish and Stubborn Mining
blocks (uncle blocks). Regular blocks are encouraged to ref- (decimals are used to represent the proportion of computa-
erence uncle blocks to gain more block reward. In general, tional power) and 0.216, respectively. The previous work [11]
this tree-style Ethereum blockchain supports more transac- is only limited to selfish mining without more complex
tions processing per second than a traditional chain-style data strategies.
structure, e.g., Bitcoin. The evaluation systematically traverses all feasible
For Bitcoin, Nakamoto proposes the 0.51 computational regions to find the optimal strategy under different
power requirement to keep secure consensus. This thresh- parameters of an attacker’s computational power and
old is decreased by a deviant strategy, selfish mining [3]. network congestion rate. Even there is not a strategy fitting
To waste honest computational power and obtain more dis- all settings, the Lead stubborn mining strategy (L-s) and
honest reward, this strategy only reveals the private chain of the Lead, Fork and Trail hybrid stubborn mining strategy
an attacker at a certain time. The basic goal of the stubborn (LFT-s) occupy a relatively large area according to our results.
mining strategies [4] is also to give an attacker more advan- In addition, if the connection of a network is extremely bad,
tage in chain competitions. An eclipse attack [5] is a network- an attacker who controls a low power proportion would still
level attack, which tries to control all information transmitted win the whole reward. Compared with the work [4], our com-
to a victim miner. parison deploys network congestion rate as an independent
For Ethereum, many works aim to improve the security of variable instead of proportion of honest nodes mining on a
smart contract [6], [7]. However, there are fewer concerns on dishonest chain.
how Bitcoin classical attacks influence the Ethereum security The combined selfish and stubborn mining strategies
for different features, e.g., the uncle block mechanism. We are are also analyzed by employing an abstract eclipse attack.
motivated to revisit this mechanism at the high transaction By incorporating those three eclipse strategies from the pre-
process speed. Block reward is a significant incentive for vious work [4], we make a thorough evaluation for these
miners to behave honestly [8]. Ethereum uncle reward has combined attacks in Ethereum. There are 24 combinations
attracted an attacker’s attention to earn more Ethereum coins of possible attack strategies in total. All calculation details
by uncle mining [9], before Ethereum Improvement Pro- for the reward are different from the ones in Bitcoin. Most
posal 100 (Byzantine hard fork) fixes this flaw [10]. The of the composite attacks reflect more advantages than a sin-
previous work [11] analyzes the effect of selfish mining gle selfish or stubborn mining strategy. We figure out the
attack towards Ethereum, but is only limited to selfish min- prominent strategies in various settings, which brings more
ing. We study more complicated attack methods combing dishonest reward than a single strategy in specific values of
stubborn mining strategies and eclipse attack, and carry out power proportion and congestion rate.
detailed simulations.
C. RELATED WORKS
B. OUR CONTRIBUTIONS Honest majority is a basic requirement in the first distributed
In this paper, we make the following contributions. secure cryptocurrency, Bitcoin, created by Nakamoto [1].
We describe the specific differences of Ethereum self- Eyal and Sirer [3] introduce a deviant strategy named self-
ish and stubborn mining in every state from the ones in ish mining, which wastes honest power and decreases the
Bitcoin. Due to the uncle block design, the reward and the security threshold to 0.25. The security threshold refers to the
number of generated blocks of an attacker, honest nodes and proportion of the attacker’s computational power that needs
an eclipse victim are different from those of Bitcoin. We intro- to be achieved in order to obtain a higher reward than he
duce the calculation details in our paper not only for a single should. Nayak et al. [4] conclude the selfish mining strategy
selfish or stubborn mining strategy, but also for a combined and extend it to the stubborn mining strategies, which also
eclipse attack. These details help us program a simulator to combines an eclipse attack. However, all evaluations in that
evaluate how Ethereum deals with selfish or stubborn mining, paper are only expressed in results without reward calculation
and even a combined eclipse attack. details. Heilman et al. [5] resorted a special technique to
We show that the uncle block mechanism decreases the eclipse a Bitcoin mining node, whose connections are all
security threshold against selfish and stubborn mining controlled by an eclipse attacker. Wüst and Gervais [12] and
in a practical Ethereum network. Our results show that Marcus et al. [13] also mount similar attacks on Ethereum.
stubborn mining not only improves an attacker’s reward, but Bitcoin is proved to be inefficient by several works
also helps an attacker to earn dishonest reward more easily [14]–[16], and one of the main obstacles is the P2P network
in Ethereum. With the increasing network congestion rates, performance. It cannot meet the bandwidth requirement of
an attacker is able to obtain more reward by selfish and a blockchain. Therefore, Ethereum partly follows the con-
stubborn mining. In Bitcoin, the classical security threshold current transaction process and the weight of chains idea
is proved to be 0.25 proportion of the total computational [17]–[19], and adopts a tree-style blockchain structure to
power [3] to gain a higher reward. While in a practical improve its efficiency.
Ethereum network, i.e., a network with 0.16 congestion rate, Apart from the attention to the security of smart
the Lead stubborn strategy and the selfish mining strat- contract [6], [7], Lerner [9] finds out the uncle reward flaw
egy decrease the security threshold of Ethereum to 0.129 due to the ignorance of uncle blocks in difficulty alteration.
The uncle mining strategy leads to the intentional raise of 3) THE FORM OF THE NUMERAL
Ethereum coin supply, which makes each coin worth less. Besides showing the absolute value of an attacker’s reward
Ritz and Zugenmaier [11] focus on Ethereum selfish mining and a security threshold, we also use the rate of change value
with the uncle block mechanism in different stale block rates. for making the comparison more clearly. To avoid ambiguity,
However, their evaluation only includes the naive selfish we only express rate of change in the format of percentage,
mining strategy and concerns nothing about other combined and all other proportions and ratios are in decimals.
attacks. 4) THE MEANINGS OF DIFFERENT SHAPES
Organization. The rest of this paper is organized as
In the figures of our cases analysis, different shapes have
follows. In Section II, we introduce the Ethereum uncle block
special meanings as follows:
mechanism and relevant attacks. Section III proposes the • A full line reference: a regular block pointer;
methodology and reasonable assumptions of our evaluation. • A dotted line reference: an uncle block pointer;
We begin our selfish and stubborn mining evaluation on • A full line rectangle: a block that has been revealed to
Ethereum network in Section IV and incorporate the effect the network;
of an eclipse combined attack in Section V. We discuss our • A dotted line rectangle: a private block withholding by
analysis in Section VI and conclude in Section VII. an attacker;
• The letter in a rectangle: the owner type of a block. A,
II. PRELIMINARIES H, C and V denote an attacker, honest nodes, congestion
A. NOTATIONS nodes and a victim, respectively.
1) KEY PARAMETERS
B. STATE MACHINE
We first define some key parameters used in our later analysis.
The state machine is an abbreviation of the finite state
• α: the proportion of computational power controlled by machine, which is a mathematical model abstracted from the
an attacker; operational rules of real things [20]. A finite state machine is
• β: the proportion of computational power of honest a tool used to model object behavior. Its role is to describe
nodes; the sequence of states that an object experiences during its
• δ: the congestion rate. Due to the inadequate network life cycle and responses to various external events.
capability, δ fraction of honest nodes will mine a block The state machine has four elements. The first is State
having the same latest blockheight; which refers to the current state. A state machine must contain
• βC = δβ: the proportion of computational power at least two states. The second is Event. An event is more like
belonging to these congested nodes; a condition. When a condition is met, an action is triggered.
• βM = (1 − δ)β: the proportion of computational power The third is Action which is performed after a condition is
of remained honest nodes; satisfied. After the action is executed, the state machine can
• γ : the fraction of honest power mines on top of a move to a new state or remain in the original state. Actions
dishonest chain, as denoted in the previous works [3], are not necessary. When the conditions are met, it could move
[4], [11]; directly to the new state without performing any actions.
• λ: a victim’s fraction of computational power. The fourth is Transition. That is, changing from one state to
In Section IV, λ = 0 since we do not consider the eclipse another [21].
attack. While in Section V, λ > 0. In our paper, state machines are used to analyze selfish
Note that α + λ + βM + βC = 1 where βM + βC = β. and stubborn mining strategies. In order to study how much
additional benefit each attack strategy could bring to the
2) THE REWARD OF AN ATTACKER adversary, we need to know the proportion of the block gener-
The mining difficulty alteration in Ethereum depends on ated by the adversary in the total block when the steady state is
both regular blocks and uncle blocks. During the evaluation, reached under each attack strategy. Using the state machine,
we use the following notations to denote their corresponding after determining various parameters such as the attacker’s
meanings: computational power, network congestion rate, etc., we could
• attBlocks, honBlocks, vicBlocks: the number of blocks
compute the occurrence probability of each state, and then
owned by an attacker, honest nodes and a victim, calculate the proportion of the attacker’s block in the steady
respectively; state. Comparing this ratio with the attacker’s actual computa-
• attGains: the temporary reward;
tional power, we could know the specific benefits of the attack
• R = attGains/(attBlocks+honBlocks+vicBlocks):
strategy.
the reward proportion of an attacker. Note that in C. ETHEREUM BLOCKCHAIN
Section IV, vicBlocks equals to 0; Ethereum consists of four phases, Frontier, Homestead,
• RSM/SBM (x): the attacker’s reward proportion who Metropolis, and Serenity. In the first three phases, the same
deploys a selfish or stubborn mining strategy where proof-of-work mechanism as in Bitcoin in used to achieve
x denote the attacker’s proportion of computational distributed consensus. While proof-of-stake mechanism will
power. be adopted in the last phase [22], [23]. To accelerate
transactions processing, Ethereum decreases the interval on Bitcoin. In this abstract attack, the implementation details
between two blocks. However, it is impossible that every of an eclipse attack are omitted, e.g., controlling all incoming
block is included as a single blockchain in an inefficient net- and outgoing connections of a node [5]. In their model,
work. Ethereum awards a miner if his block is one-descendant the network is divided into three partitions, i.e., an attacker’s
from the main chain and is referenced by a regular block. This part, a victim and an honest one. Although some measures
block is called an uncle block. The referenced relationship could achieve intrusion detection [24], eclipse attacks could
creates extra mint reward, 1/32 proportion of block reward still be exploited by attackers.
for the regular block owner and (8 − i)/8 for the uncle For selfish and stubborn mining combination, Nayak et al.
one. The variable i ranges from 1 to 6 according to how [4] come up with three eclipse strategies.
many blockheight the reference occurs after the uncle block
creation. Moreover, a regular block could reference up to two 1) DESTROY (DES.) STRATEGY
uncle blocks. The attacker blocks all input and output information of a
Besides refining the structure of blockchain, Ethereum has victim. As a result, the computational power of the victim
another two security improvements. One is the random tie is wasted and the total effective power equals to 1 − λ. Let
breaking rule. Instead of accepting the firstly received chain, RDes (α, λ) denote the attacker’s reward proportion under this
a node randomly selects one chain within all received chains strategy. Recall that RSM/SBM (x) represents the attacker’s
of the same length. The number γ is not fixed anymore and reward proportion under a selfish or stubborn mining strategy.
α
equals the inverse of the competing chains number. The other So we have that RDes (α, λ) = RSM/SBM ( 1−λ ).
one aims to remit the uncle mining strategy [9]. Uncle mining
infringes honest miners’ interests indirectly by inflating the 2) COLLUDE (COL.) STRATEGY
supply of Ethereum coins, which is fixed in EIP 100 [10] by The attacker manipulates the communication channel, e.g.,
counting all regular and uncle blocks in difficulty alteration. a firewall, to open and close according to its own interests,
D. SELFISH AND STUBBORN MINING which actually creates a collusion between an attacker and
After Nakamoto introduces the requirement of an honest a victim. In this case, the total mining power proportion is
majority [1], Bitcoin is known to securely achieve a decen- α + λ. As a conclusion, the rewards of collude eclipse attack
α
tralized consensus. However, Eyal and Sirer [3] break this with selfish and stubborn mining are RCol (α, λ) = α+λ ·
threshold by introducing a deviant strategy, selfish mining RSM/SBM (α + λ).
(SM). When and how to reveal a private block has a marked
impact on the reward of an attacker. The key idea is to waste 3) DESTROY IF NO STAKE (DNS) STRATEGY
honest computational power as much as possible, on the chain A conditional combination of the Des. and Col. strategy
which will be abandoned eventually. Their results show that where an attacker recognizes a victim’s block only if this
Bitcoin only survives at 0.25 dishonest power proportion in block is mined on top of the attacking chain. If a victim’s
the random tie breaking rule. work is accepted by honest nodes, the attacker also gets
Nayak et al. [4] offer an attacker more advantages by his stake. Under this strategy, the reward of the attacker is
stubborn mining (SBM) strategies. The key idea is that an complicated to be denoted by an equation directly. Four zones
attacker could create more competitions to waste more honest are designed [4] to describe various view situations.
power. Nayak et al. propose three basic strategies and their • Zone 1: Honest nodes, the victim and the attacker mine
combinations. The Equal Fork stubborn strategy (F-stubborn, on an identical chain.
F-s) means an attacker does not hurry to reveal the latest • Zone 2: The victim mines on an individual chain. While
attacking block if he wins a tie breaking. The attacking block honest nodes and the attacker mine on another chain.
is revealed after honest nodes extend the honest chain or the This view is the same as the Des. strategy.
attacking chain. The Trail stubborn strategy (T-stubborn, T-s) • Zone 3: Honest nodes mine on a chain. The attacker and
is set in the situation where an attacker does not give up the victim mine on another chain and share views with
too early when his private chain is one block behind the each other. This is similar to the Col. strategy.
main chain. The attacker still could surpass from behind with • Zone 4: Honest nodes, the victim and the attacker mine
some possibility. The Lead stubborn strategy (L-stubborn, on three different chains, respectively.
L-s) requires an attacker to never cover an honest chain by
two leading blocks. Instead, the attacker always reveals only
III. METHODOLOGY AND ASSUMPTION
one block to launch a chain competition when he is leading.
In a PoW-based cryptocurrency, the mining process could
FT-stubborn (FT-s), LF-stubborn (LF-s), LT-stubborn (LT-s)
be seen as a Markov process. Eyal and Sirer [3] model this
and LFT-stubborn (LFT-s) are hybrid strategies based on the
process between an attacker and an honest pool in a two-
naive ones.
party scenario. Apart from their analytic solving method,
E. ECLIPSE ATTACK Nayak et al. [4] introduce a numeric method which is suitable
Besides introducing the seven stubborn strategies, for more possible cases. When an attacker tries to compete
Nayak et al. [4] also combine an abstract eclipse attack with honest nodes by revealing his mining blocks one for
FIGURE 1. The state machines for selfish and stubborn mining [3], [4]. (A state number reflects an attacker’s leading difference.
α, βM : Power proportion of an attacker and main honest nodes. γ : proportion of honest nodes mining on a dishonest chain.)
FIGURE 3. Mining in state 1. FIGURE 6. Mining in state −1 for the T, FT, LT and LFT-s strategies.
FIGURE 4. Mining in state 00 for the SM and L-s strategies. (honest-att.: FIGURE 7. Mining in state 000 for the T, FT, LT and LFT-s strategies.
Honest nodes mine on an attacker’s chain.)
FIGURE 5. Mining in state 00 for the F, T, FT, LF, LT and LFT-s strategies. FIGURE 8. Mining in state 2 for the SM, F, T and FT-s strategies.
TABLE 1. Ethereum selfish and stubborn mining reward in typical power proportion and congestion rates. (Congestion rates δ = 0.00/0.16/0.30. Power
Pro.: Power proportion.)
FIGURE 10. Mining in state k, k ≥ 1 for the L, LF, LT and LFT-s strategies.
FIGURE 11. Mining in state k 0 , k ≥ 1 for the L, LF, LT and LFT-s strategies.
State k 0 , k ≥ 1 in L-s, LF-s, LT-s, LFT-s strategies FIGURE 12. The optimal strategy for selfish and stubborn mining in
(Fig. 11): State k 0 , k ≥ 1 is also similar to state 00 . If an different settings.
V. SELFISH AND STUBBORN MINING Besides the zone variable, there are two other variables
WITH AN ECLIPSE ATTACK reflecting the length difference between a victim or an attack-
We follow the idea of Nayak et al. [4] to analyze how many ing chain and an honest chain, i.e., stateV or stateA, respec-
advantages an extra eclipse attack offers. This combined tively. Another array in our simulator records the private chain
attack includes an abstract eclipse attack with selfish and of an attacker, which could include a victim’s block.
stubborn mining. For this abstract method, this analysis omits 2) A VICTIM MINES ON TOP OF A DIFFERENT
specific eclipse attack techniques, e.g., [12], [13], and mod- CHAIN FROM OTHERS
els the power proportion of a victim λ, to reflect the level An attacker and honest nodes share an identical view in zone
of an eclipse attack. An eclipse attacker controls a firewall 2 (stateA = 0), which is independent with the victim view.
between a victim and honest nodes, which filters the passing Transitions for this zone depend on the leading difference of
information. a victim chain, i.e., the variable stateV.
Following [4], the eclipse attack strategies include Destroy 1) A victim competes with an attacker and honest nodes,
(Des.), Collude (Col.) and Destroy if No stake (DNS). The stateV = 0 (Fig. 14). In this kind of a tie, the vic-
reward equations of the first two naive strategies are con- tim does not access the attacker’s view. The victim
cluded in Section II-E. We focus on the calculation details sticks to his own chain in competition. If the victim
of a DNS strategy eclipse attack in this section. wins, the isolation with his leading keeps existing.
An Extra Assumption for an Eclipse Attack in If the attacker wins, the attacker shows the latest block
Ethereum. Actually, a compact cluster of nodes are more to cover a victim chain. The victim honestly obeys
likely to be blocked by an eclipse attacker than a group the longest rule, which leads to a collusion (zone 3).
of distributed nodes. Therefore, we assume that a potential The expected number of the victim’s uncle blocks
victim is compact in topology. There will be no congestion vicBlocks counts his own power proportion λ for a
block created by a victim. future reference. If honest nodes wins, the attacker
A. THE DNS ECLIPSE ATTACK STRATEGY IN ETHEREUM and the victim follow them and the mining process
Whether an attacker blocks the chain from a victim in the backs to zone 1. Note that a victim’s block will not be
DNS strategy is decided by its contribution to this chain. propagated to honest nodes in this zone.
It could be seen as a probabilistic destroy or collude strat- 2) A victim chain leads the chain of an attacker and honest
egy [4]. However, the previous work [4] did not describe tran- nodes, stateV > 0 (Fig. 15). If a victim obtains a
sitions details, which are different from Ethereum. We next leading position, his next block expands this superior-
explain the reward calculation details under the impact of ity. However, this superiority is isolated by an eclipsed
congestion nodes. The reward of an Ethereum attacker is firewall, which does not influence the view of honest
attGains/(attBlocks + vicBlocks + honBlocks). The min- nodes. Hence, an attacking block creation pushes the
ing process is divided into four zones according to the three system into zone 4, where every party holds different
parties’ mining views. There is no need to calculate the mining views. An attacker would accept an honest
reward of other two parties. block in this case.
1) THE THREE PARTIES MINE ON TOP 3) HONEST NODES MINE ON TOP OF
OF AN IDENTICAL CHAIN A DIFFERENT CHAIN FROM OTHERS
In zone 1, as shown in Fig. 13, all nodes mine on the same The transitions in zone 3 are quite similar to single selfish and
chain, which means that neither a victim nor an attacker finds stubborn mining (stateV = 0). Due to the space limitation,
a valid block. If a victim finds a block, an attacker does we take stateA = 0 as an example.
not propagate this block to honest nodes. The system enters stateA = 0 in zone 3 means state 00 in Section IV. The self-
into zone 2. If an attacker mines a valid block, he shares it ish or stubborn mining strategy decides whether an attacker
with a victim without honest nodes, in order to withhold a reveals the latest block and whether he gives up, as shown
private chain with a victim. The transition targets to zone 3. in Fig. 16. For SM and L-s strategies, if honest nodes win,
a private chain only obtains at most one uncle block reward a private chain γ is used to offer more advantages to an
according to who is the first block owner. attacker. However, the authors of [3], [4] have recognized that
For F, FT, LF and LFT-s strategies, a latest attacking γ also reflects the network control strength by an attacker.
block or victim’s block is hidden, as shown in Fig. 17. If the λ, the power of an eclipsed victim, and γ are two subject indi-
colluded group loses in a tie, an attacker does not give up for cators for the attacker’s network control level. The attacker
one block fall behind in T, FT, LT and LFT-s strategies. could be able to balance λ and γ instead of selecting an
Other cases. All transitions in cases including stateA=1, optimal stubborn mining strategy. In this paper, due to the
stateA=2, stateA>2, stateA=k0 (k ≥ 1), stateA=−1 and fact that Ethereum has deployed the random tie breaking rule,
stateA=000 in zone 3, and zone 4 (three parties mine on δ is a more objective indicator. Hence, our evaluation is of
top of individual chains), are easily to be extended from the more practical value because an attacker could only figure out
descriptions in Section IV. They are provided in the full paper. the best strategy in a given network congestion rate. Our
B. SIMULATION RESULT researchers also may design specific detecting and resisting
For the overview of these combined attacks, there are techniques pointing to different parameters.
24 combinations in total. The best combination of an B. THE DIFFERENCES OF THIS ETHEREUM EVALUATION
eclipse attack strategy and a selfish or stubborn min- FROM THE BITCOIN ONE
ing strategy in different power proportion settings is
For calculation, the reward and the block number calculation
shown in Fig. 18 in typical network congestion rates
in various cases are different from the ones in Bitcoin.
(δ = 0, 0.16, 0.2, 0.3, 0.5, 0.8). We also consider the
For results, the largest Bitcoin mining pool, BTC.com,
non-trivial requirement that the total power proportion of an
accounts for 0.1435 power proportion, which has been wor-
attacker and a victim is below a half. Eclipse means a Destroy
ried about for the 0.25 security threshold. In Bitcoin, every
eclipse strategy combining honest mining. The best combined
selfish or stubborn mining strategy is not able to decrease
strategy gives an attacker more than a single selfish or stub-
the security threshold with adding the attacker’s reward.
born mining strategy.
However, in this Ethereum work, the L-stubborn strategy
The results of a typical attacker who controls 0.25 power
decreases the threshold to 0.129 in a practical network
proportion in different congestion rates are also shown
congestion rate 0.16. The largest Ethereum mining pool,
in Table 3. This attacker could obtain at most 96.4% extra
Ethermine, has controlled 0.27 power proportion in early
reward more than honest mining by eclipsing a λ = 0.1
2019 [25], which is above the L-stubborn security threshold.
victim in the Col.+LFT-s eclipse strategy. Compared with the
For comparing different strategy combinations, our work
single LFT-s strategy, this reward also increases by 56.9%.
deploys network congestion rate δ instead of γ in [4] as
For most combinations, these results are larger than the ones
an independent variable. Our evaluation also shows different
by a single selfish or stubborn mining strategy (Table 1). The
results. In Bitcoin, LF-stubborn strategy occupies a large
exception includes a DNS eclipse attack combined with the
region (Figure 7 in [4]), in which the value of γ is relatively
Lead stubborn family strategy, i.e., DNS+L-s, DNS+LF-s,
large. Single L-s or F-s never becomes an optimal choice.
DNS+LT-s and DNS+LFT-s. These four combinations only
However, the Ethereum L-stubborn strategy fits the most
help an attacker earn more than honest mining.
regions as shown in Fig. 12. For the eclipse combined evalua-
VI. DISCUSSION tion, Bitcoin DNS+LT takes up the largest region in γ = 0.5
A. AN ARGUMENT FOR INTRODUCING NETWORK (Figure 13(c) in [4]). The Ethereum result in Fig. 18 shows
CONGESTION RATE IN AN ETHEREUM EVALUATION that Col.+LFT strategy is the one occupying the most regions
In this paper, the whole analysis always concerns the effect in δ = 0.16. As network congestion rate rises, Ethereum
of network congestion rate δ. In the previous work [4], Des.+LFT gradually becomes the one occupying the most
the proportion of honest computational power mining in regions.
FIGURE 18. The optimal strategy for selfish and stubborn mining combining with different eclipse attack types in different regions. (δ:
congestion rate. Eclipse: Destroy + Honest.).
[15] K. Croman, C. Decker, I. Eyal, A. E. Gencer, A. Juels, A. E. Kosba, YIMING HEI received the B.S. degree from
A. Miller, P. Saxena, E. Shi, E. G. Sirer, D. Song, and R. Wattenhofer, ‘‘On Xidian University, Xian, China, in 2017. He is
scaling decentralized blockchains—(A position paper),’’ in Proc. Int. Conf. currently pursuing the M.S. degree with Beihang
Financial Cryptogr. Data Secur. (FC), Christ Church, Barbados, Feb. 2016, University, Beijing, China. His research interests
pp. 106–125. include applied cryptography and smart contract.
[16] C. Decker and R. Wattenhofer, ‘‘Information propagation in the bitcoin
network,’’ in Proc. 13th IEEE Int. Conf. Peer-to-Peer Comput. (P2P),
Trento, Italy, Sep. 2013, pp. 1–10.
[17] Y. Lewenberg, Y. Sompolinsky, and A. Zohar, ‘‘Inclusive block chain
protocols,’’ in Proc. 19th Int. Conf. Financial Cryptogr. Data Secur. (FC),
San Juan, Puerto Rico, Jan. 2015, pp. 528–547.
[18] Y. Sompolinsky and A. Zohar, ‘‘Accelerating bitcoin’s transaction
processing. Fast money grows on trees, not chains,’’ IACR, Cryp-
tol. ePrint Arch., Tech. Rep. 2013/881, 2013. [Online]. Available:
http://eprint.iacr.org/2013/881
[19] Y. Sompolinsky and A. Zohar, ‘‘Secure high-rate transaction processing in
bitcoin,’’ in Proc. 19th Int. Conf. Financial Cryptogr. Data Secur. (FC),
TONGGE XU received the M.S. degree in
San Juan, Puerto Rico, Jan. 2015, pp. 507–527.
[20] D. Brand and P. Zafiropulo, ‘‘On communicating finite-state machines,’’ electronic and information engineering from
J. ACM, vol. 30, no. 2, pp. 323–342, Apr. 1983. Beihang University, China, in 1993. He is cur-
[21] T. Chow, ‘‘Testing software design modeled by finite-state machines,’’ rently an Associate Professor with the School of
IEEE Trans. Softw. Eng., vol. SE-4, no. 3, pp. 178–187, May 1978. Cyber Science and Technology, Beihang Univer-
[22] A. Kiayias, A. Russell, B. David, and R. Oliynykov, ‘‘Ouroboros: A prov- sity. His current research interests include network
ably secure proof-of-stake blockchain protocol,’’ in Proc. 37th Annu. management, protocol analysis technology, and
Int. Cryptol. Conf. (CRYPTO), Santa Barbara, CA, USA, Aug. 2017, information system design.
pp. 357–388.
[23] V. Buterin and V. Griffith. (2017). Casper the Friendly Finality Gadget.
[Online]. Available: http://arxiv.org/abs/1710.09437.pdf
[24] W. Meng, E. W. Tischhauser, Q. Wang, Y. Wang, and J. Han, ‘‘When
intrusion detection meets blockchain technology: A review,’’ IEEE Access,
vol. 6, pp. 10179–10188, 2018.
[25] Etherscan. (2018). Ethereum Charts and Statistics. [Online]. Available:
https://etherscan.io/chart