I have recently discovered a weakness of the way Proof of Work is currently implemented in Bitcoin. In this post I show how a miner can mine a valid block without knowing on top of which previous block he/she mines, and without even knowing the hash of the previous block. Then I explain the consequence of this weakness on the real world possibility of 51% attack and selfish mining /
block discarding attacks. Simple protocol modifications are proposed and discussed at the end of the post.
Mining without knowing the hash of the previous blockWe are all familiar with the proof of work (PoW) concept, and we all know that a certain hash of the block-header of any valid Bitcoin block must be lower than the corresponding target, yet the specific technical implementation of PoW is less discussed. All details can be found in the
wiki or in this recent interesting
paper.
For simplicity let's say that the block-header is the concatenation of the previous block's hash, root of the current block's merkle tree, and a 32bit short nonce, in this order. Note that the first two fields are of 256 bits each. In reality the block header contains also a timestamp and other data we shall ignore in order to make the weakness clearer. The SHA-256 hash function is applied twice over the block header (meaning, first SHA-256 is calculated over the header and then SHA-256 is calculated over the outcome of the previous calculation), and the result should be lower than the target.
Since the current difficulty is higher than 60 bits and the short nonce contains only 32 bits, once every 2^32 double-SHA-256 calculations the Merkle-tree must be changed in order to refresh the block-header (in fact, the coin-base transaction of the tree contains some extra-nonce as a special field). Moreover, pool miners are used to modify the coin-base transaction of the Merkle-tree not only for block-header refreshing, but also in order to mark the block so that the pool owner can reward them for their shares.
Let's say that the pool organizer sends all pool members (different) lists of merkle-tree roots. Each pool miner then try all 2^32 possible combinations for the short nonce, before taking another root and start all over again. The miner doesn’t need to know the actual merkel-tree, because the pool organizer has already marked it for him/her. Now here is the key point: SHA-256 is a Merkle-Damgard hash function that iteratively compresses 512 bits blocks of the input data. So the first step of calculating SHA-256 over the block-header is compressing the first 512 bits, which are the concatenation of the previous block's hash with the Merkle tree root. After this step those 512 bits are unneeded, hence the pool organizer may just send the pool miners a list of compressed concatenations of the previous block's hash with some Merkle tree root.
Since the compression function of SHA-256 is one-way and the Merkle-tree roots are effectively random numbers, the pool miners cannot discover the hash of the previous block. In other words, they are mining valid blocks without knowing on top of which previous blocks they mine.
ImplicationsRecently Eyal and Sirer published a paper describing the "selfish mining" attack. Unfortunately I was
independently working on the same attack, but they have published their results first (and refused to share the credit with me…). Anyway, I have published my results too and since the Block Discarding Attack is more general and comprehensive I advise you to read
my paper too.
I have claimed that the Block Discarding Attack / Selfish Mining is not applicable to pools, and have just changed my mind about that due to the possibility of mining without knowing the previous block's hash. Assuming pool miners must know the previous block's hash, it can be shown that in practice the selfish mining attack cannot work properly if the attacker is a pool: the attack is based on two contradicting requirements. The first is the ability of pool miners to keep in secret blocks they have found but have not released yet (the pool miners will mine on top of this secret blocks while the honest network mines on older blocks). The second is the acceptance of new miners to the pool (who want to join the pool so they will not suffer from reduced profits due to the attack).
Because anyone can join the pool, including other pools organizers or sites like blockchain.info (note that miners are anonymous), and because pool miners are expected to mine on top of the secret block (whenever there is such a block), assuming that mining can only be done when the previous block hash is known, the hash of any withholded block is expected to be published by some of the pool unfaithful miners. When this hash is published, non-pool miners can also mine on top of it, making the attack impossible (Asaf Ziv, a friend of mine, have noted that in such a situation the pool organizer can choose not to reveal the full block whose hash have been published. However by doing so the pool loses a single block and the honest network loses only a single block too, so this is unprofitable unless the pool has more than half of the total computational power).
Anyway, a pool can use the technique presented here so that unfaithful pool miners will not be able to publish the secret block (or its hash). The only thing they can do is to publish the compressed concatenations of the secret block's hash with a Merkle tree root whose coin-base transaction rewards the pool organizer 25 Bitcoins. Obviously, this cannot harm the pool.
As for the 51% attack, a group of pool organizers whose total hash-power exceeds the hash-power of the rest of the network can use the describe technique to anonymously perform 51% attack, without being affiliated with the attack not even by pool miners! The pool organizer can use new address in the (initially secret) coin-base transactions, so that whenever a valid block is mined by one of the pool miners, only this miner is expected to know that the pool participates in the attack. Because I don’t know of any honest advantage of this technique, my observation about the 51% attack is probably insignificant: honest pools, or pools that pretend to be honest, will simply not use this technique, and thus no honest pool miner will be tricked to participate in any attack.
Protocol modificationThe Bitcoin protocol can be slightly modify so that mining without knowing the previous block's hash (and may be the Merkle tree root too) will not be enabled. There are many possibly ways to do so, of which the most simple is probably reversing the order of the block-header's fields so that the nonce becomes first. Other possibilities include: concatenating the block-header to itself and computing a single SHA-256 over the doubled block-header; Xoring the previous block's hash to the outcome of the first SHA-256 iteration before doing the second SHA-256 iteration; requiring that the outcome of the second SHA-256 iteration will be a number bigger than 2^-128 times the previous block's hash and smaller than 2^-128 times the previous block's hash plus the current target; etc.
Along with the weakness of mining without knowing the previous block's hash, there is another weakness, which is the possibility of non-trivial mining optimizations, i.e. the existence of better mining algorithms than simply calculating the regular SHA-256 function. One such optimization is described
here. When I have the time, I intend to look for optimization of mining multiple blocks on top of the same block, for example mining two blocks on top of the same block so that it will only take 1.5 times more calculations than mining a single block (this might have bad implications over the
GHOST proposal).
I think the current protocol should be changed in the near future, so that it will have no weakness due to the specific use of SHA-256.
Lear.
