Read part II here: https://www.yours.org/content/selfish-mining-for-the-laymen---part-ii-a33d56e4e61c

I've been really curious about the Selfish Mining drama blowing up on twitter right now, because am one of those "laymen" that appears to be getting the wrong end of the stick!

We have that paper https://arxiv.org/pdf/1311.0243.pdf from back in 2013 by the esteemed Ittay Eyal and Emin Gün Sirer of Cornell University. I've followed Emin on twitter for a while and I think he's a great guy that posts interesting content. I'm saddened by the bickering, but boys will be boys :)

Anyway, the "Selfish Mining Paper" calls into question one of the most fundamental aspects of bitcoin, that is, the economic incentives for miners to remain honest. As a layman, I'm not able to fully parse the maths used to resolve the state machine probabilities deep in the Appendix. I have to trust that other experts in the field have verified this, and I'm OK with that, I can see how it works conceptually. This is exactly how I read the original Bitcoin Whitepaper - not a clue on the math, but could very clearly see the overall picture.

Recently, some of the conclusions in the 2013 paper have been called into question because of some underlying assumptions about the Bitcoin network topology. These assumptions would appear to be pre-requisite to the success of such a selfish miner attack.

Background

First a brief recap of what the SM attack might look like.

If we assume there is a proportion of hashrate controlled by a selfish miner (SM) and the remainder of the hashrate is controlled by honest miner(s) (HM).

Starting from a point in time where some "selfish-miner" (SM) chooses to go rogue, there are 2 possible future outcomes

1. HM solves a block

2. SM Solves a block

In the first instance the optimum strategy for SM is to rebase on the new tip. Only when SM solves a block can they begin to try and game the system. They do this by block withholding, in order that they can try and get ahead, by orphaning HM blocks.

Once the game is afoot and SM has a block in the bank, there are two possible things that can happen:

1. HM solves a block (on the public chain)

2. SM solves a second block (on their private chain)

In scenario 1, SM risks losing the reward on the block they solved. The 2013 paper (6.1) explains how the attack takes place through ensuring the SM block is propagated to honest miners before the HM block. In this fashion, some proportion of HM hashrate can be recruited into increasing the chance the SM block will be built on first.

Scenario 2 just sets up a loop wherein the SM continues to mine their own private chain whilst-ever they are ahead, and publishes their chain whenever they are at risk of being caught up by honest miners. This in itself is no more profitable. The selfish-mining edge comes from the "tie breakers" where SM - seeing that HM have published a block - simoultaneously publish, and try to get some proportion of HM to mine on their block, instead of the HM block.

The Problem?

The notion that the attacker can manipulate propagation of the HM block in such a fashion is what troubles me. This would appear to be based on an assumption about the network topology, which in 2013 seemed reasonable. The received wisdom at the time was that the network was a loose mesh and that blocks propagated in a somewhat haphazard fashion.

Recently discussion of the Bitcoin network being a near complete graph has surfaced.

Given the economic incentives that would drive such a phenomenon it is fairly compelling. Of course this might just be me being a layman and getting it all wrong!

Nonetheless it looks like network propagation was addressed in Section 4, which states:

"We denote by γ the ratio of honest miners that choose to mine on the pool’s block, and the other (1−γ) of the non-pool miners mine on the other branch."

Section 4.4 makes the observation "For a given γ, a pool of size α obtains a revenue larger than its relative size for α in the following range:"

Assuming perfect propagation by HM of their block (ie γ = 0) gives us:

1/3 < α < 1/2

So theoretically speaking a pool with 1/3 to half the total hashrate should be able to use selfish mining to obtain more than its fair share of mined blocks.

Relatively speaking *it does*. However, what is happening is, that for the selfish miner to get disproportianatley more blocks than honest miners they most orphan the honest miners blocks. This orphan rate is proportional to the amount of hashrate the SM controls.

A Simulation

In fact I ran my own simulation which compared, for various hashrate %, what the expected returns would be for selfish mining and compared this to what the expected returns would be for honest mining for the same number of block iterations (10k)...

Now this assumes that when an honest miner finds a block, they broadcast to all miners such that the selfish miner doesn't get to "steal" HM hashrate to mine their block. Maybe thats an invalid assumption. That's for you to decide - knowing now a little bit more about Bitcoin network topology.

What this shows is that wherever a selfish miner controls less then 50% hashrate, they would always be better off, in absolute terms, mining honestly. That way their return is, on average, directly proportional to their hashrate.

Now I don't have the cornell degree to back this up. So I expect this will just be labelled as technobabble, or whatever else, but you can look at the code, you can read the above and come to your own conclusion. I'm just trying to find the truth.