In a blog post published yesterday, I mentioned that only a naive attacker would attack PoW “from the outside”. I since put together a simple model of the “internal attacker” I was thinking about.
I’ll first note, though, that PoW (on in-protocol incentives only) has no security in coordinated choice game theory because majority coalitions can form and profitably censor and revert blocks. But when we think about attacks on PoW, we usually don’t think about forming cartels or bribing miners, but instead we think about buying mining equipment and mining a heavier blockchain.
This blog post is in that vein, of modelling the security of PoW against attackers who are going to directly control half of the hashrate to conduct an attack (they aren’t allowed rent it, or bribe miners for it, or engage in any other kind of coordination with miners).
Bold text for tl;dr
The external attacker
An external attacker buys up enough GPUs or ASICs to “51% attack” an 100% honest network — or at least a 100% not-cooperating-with-attacker network.
I’m tempted to assume that by adding X hashpower to one GPU mineable blockchain, an adversary will push that exact X hashpower worth of GPU miners to switch from mining that blockchain to mining on other blockchains (as if they didn’t, the attacker’s victim chain would be less profitable). It’s a kind of efficient/perfectly competitive market of blockchains-for-GPU-mining assumption.
In this “simplest model” an external attack on a GPU blockchain with T total hashpower would need hashrate X = T/2. That’s a lot of GPUs! :)
I’m also tempted to assume that by adding X ASIC power to the de-facto single one single ASIC-minable blockchain, you increase the total mining power of that ASIC network by X. It’s a kind of monopolistic market of blockchains-for-ASIC-mining assumption
In this other “simplest model” an external attack on an ASIC blockchain with T total hashpower would need to have a hashrate of T to conduct an attack.
The reality for each of these is something in between. The market of blockchains for GPU miners isn’t perfectly competitive, and the market of blockchains for ASIC miners isn’t perfectly monopolistic.
Even though this is super interesting we’re going to keep it simple: no more talk about ASICs and I’m just going to assume that any attacker needs T/2 hashrate to attack a chain with T hashrate.
Btw this is the “competitive market” scenario because miners immediately switched mine other chains when the attacker showed up, because the attacked blockchain became marginally less profitable for them (difficulty readjustment — ouch!).
The key takeaway from all of this is that in our simple model, an attacker with T/2 hashrate can attack a blockchain with T hashrate.
The “internal attacker”
An “internal attacker”, instead of buying enough GPUs to get T/2 of the hashrate, buys some smaller portion of the hashrate X = p*T. The internal attacker starts mining and now the honest part of the network has Y = T - X = (1 - p)*T hashrate (by our efficiency assumption).
The internal attacker continues to mine on the longest chain a time, earning block rewards, competing with miners. (We’re assuming that no one cooperates with our attacker).
The internal attacker reinvests all of his mining revenue into buying more hashpower. We will assume in our model that the internal miner is able to add hashrate at a rate of 1 + r per month. I means that if the internal attacker has X hashrate at month 0, they will have X(1 + r) hashrate at month 1.
Lets also assume that honest miners also invest in increasing their hashrate, but at a rate of 1 + h per month.
In this thought experiment, we will assume that 1 + r > 1 + h. The attacker is focused on maximizing their hashrate. The honest miner is focused on staying profitable. The attacker may have sponsors with nefarious interests, or a long term strategy. The honest miners are not cooperating with the attacker, and will not know the attacker exists (the attacker appears to be mining honestly — although selfish mining would increase r - h).
After N months, the internal attacker has X(1+r)^N hashrate, and the rest of the network has a hashrate of Y(1+h)^N. The attacker wins when they has as much hashrate as the network:
((1+r)/(1+h))^N = Y/X = (1-p)/p
Let us call the ratio (1+r)/(1+h) the “advantage” of the attacker, and denote it as ‘a’.
So the attacker wins when a^N = (1-p)/p.
The internal attacker with advantage a and initial proportion of hashpower p therefore is able to conduct a successful attack after
N = ln((1 - p)/p)/ln(a) months
By the way, it doesn’t need to be months — the math is the same with any period — safe as long as we measure the “advantage” on that period.
Here’s a table with some numbers that helped me:
Also by the way, it would be really, really cool to see anyone come up with realistic estimate bounds on an potential adversaries’ advantage!
So how much security do we have, in this model?
An external attacker who is aware of this “internal” strategy has a choice. If they know that they want to attack in N months, and they know their advantage, then the can calculate how much initial weight they need. Which means that they can calculate how many GPUs to buy.
Alternatively, if the attacker knows how many GPUs they can buy, and their advantage, then they can calculate the number of months it will take them to get a majority of the mining power on their target blockchain.
So what do block rewards buy us?
Increasing block rewards increases the cost of buying any given proportion of the hashrate. An attacker who previously could afford 10% of the hashrate maybe may only be able to afford 5% of the hashrate, to start off their attack.
Doubling the block reward delays the block reward by
∆N =ln((1 - p/2)/(p/2))/ln(a) - ln((1 - p)/p)/ln(a)
= (ln((2 - p)/p) - ln(p/(1 - p)))/ln(a)
So doubling the price of block reward delays an adversary with advantage ‘a’ and the ability to buy ‘p’ of the hash rate delays the adversary’s successful attack by ∆N = ln((1-p)/(2-p))/ln(a)
Here’s another table!
Doubling block rewards to delay an attack by 10 months sounds appealing. However, doubling the rewards every 10 months in order to indefinitely delay an attack sound very expensive (exponential growth happens fast).
In the end the model was really simple. It assumed that the adversary initially has some proportion of the weight, and is able to exponentially increase their hashrate at some rate that is faster than the exponential rate at which honest miners onboard hashrate.
This is a reasonable assumption because miner revenues are proportional to hashrate, and also because it made the math quite doable.
We were able to look at some numbers, in terms of how many months an adversary with a given amount of advantage will take to conduct an attack, and how much their attack is delayed by a doubling in block rewards.
So it is clear that increasing block rewards does increase security in this model where the miners won’t cooperate with an attacker and the attacker has to buy hashpower to attack the network (whether or not they mine honestly after buying the hashpower).
However, much about how this maps onto the real world is still left to the imagination. It would be really cool to see if anyone can come up with reasonable bounds on an adversary’s advantage, when the adversary tries different strategies that are available to them!
Such numbers could really help us think about how much security miners provide the network against adversaries who cannot coordinate with miners.