I wonder how the bitcoin protocol judge illegal transactions. As they say, the miner will look throughout the public ledger to make sure the transaction is alright. There are thousands of transactions in each block, if the miner has to check throughout the public ledger for each transaction, this would be very inefficient.

[State 0]

The attacker’s precise strategy for selfish mining is stated by Vitalik Buterin at bitcoinmagzine.com, which is excerpted below:
Suppose the attacker’s portion of the network hashpower is X, and when there are two competing public chains the portion of the network that picks up on the attacker’s chain is Z.
State 0: If the attacker’s private chain is the same as the public chain, mine on the private chain. With probability X, the attacker discovers a block and advances to state 1 (private chain 1 block ahead). With probability 1-X, the public network discovers a block, and the attacker resets his private chain to the public chain.
State 1: If the attacker’s private chain is 1 longer than the public chain, mine on the private chain. With probability X, the attacker advances to state 2 (private chain 2 blocks ahread). With probability 1-X, the public network discovers a block, setting the system to state 0′.

At state 0, with probability X, the attacker will be 1 block ahead and keep it unexposed. So the public network will work on the block continuously. When it comes to State 2, I doubt that the probability is still X, because the public network has been working all along, while the attacker starts after 1 block ahead and he/she may needs some time to collect transactions.