arX

iv:1

505.

0534

3v2

[cs.

CR

] 21

May

201

5

Bitcoin Blockchain Dynamics: the Selfish-MineStrategy in the Presence of Propagation Delay

J. Gobel∗, H.P. Keeler†, A.E. Krzesinski‡ and P.G. Taylor†∗Department of Informatics, University of Hamburg, 22527 Hamburg, Germany

Email: goebel@informatik.uni-hamburg.de†Department of Mathematics and Statistics, University of Melbourne, Vic 3010, Australia

Email: {keeler,taylorpg}@unimelb.edu.au‡Department of Mathematical Sciences, Stellenbosch University, 7600 Stellenbosch, South Africa

Email: aek1@cs.sun.ac.za

Abstract—In the context of the ‘selfish-mine’ strategy pro-posed by Eyal and Sirer, we study the effect of propagationdelay on the evolution of the Bitcoin blockchain. First, we usea simplified Markov model that tracks the contrasting statesofbelief about the blockchain of a small pool of miners and the‘rest of the community’ to establish that the use of block-hidingstrategies, such as selfish-mine, causes the rate of production oforphan blocks to increase. Then we use a spatial Poisson processmodel to study values of Eyal and Sirer’s parameterγ, whichdenotes the proportion of the honest community that mine on apreviously-secret block released by the pool in response tothemining of a block by the honest community. Finally, we usediscrete-event simulation to study the behaviour of a networkof Bitcoin miners, a proportion of which is colluding in usingthe selfish-mine strategy, under the assumption that there is apropagation delay in the communication of information betweenminers.

Keywords—Bitcoin, blockchain, block hiding strategies, honestmining, selfish-mine.

I. I NTRODUCTION

Bitcoin is a peer to peer electronic payment system inwhich transactions are performed without the need for a centralclearing agency to authorize transactions. Bitcoin users con-duct transactions by transmitting electronic messages whichidentify who is to be debited, who is to be credited, and wherethe change (if any) is to be deposited.

Bitcoin payments use Public Key Encryption. The payersand payees are identified by the public keys of their Bitcoinwallet identities. Each Bitcoin transaction is encrypted andbroadcast over the network. Suppose you receive a transactionfrom Mary. If you can decrypt Mary’s message using herpublic key, then you have confirmed that the message wasencrypted using Mary’s private key and therefore the messageindisputably came from Mary. But how can you verify thatMary has sufficient bitcoins to pay you?

The Bitcoin system solves this problem by verifyingtransactions in a coded form in a data structure called the

The work of Anthony Krzesinski is supported by the Research Foundationof South Africa (Grant specific unique reference number (UID) 83965) andTelkom SA Limited.

The work of Peter Taylor is supported by the Australian Research CouncilLaureate Fellowship FL130100039 and the ARC Centre of Excellence forMathematical and Statistical Frontiers (ACEMS).

blockchain, which is maintained by a community of partici-pants, known asminers.

It can happen that different miners have different versionsof the blockchain, something which occurs because of prop-agation delays, see Decker and Wattenhofer [1]. For Bitcointo be able to function, it is essential that these inconsistenciesare resolved within a short timescale. We are interested in howthe inconsistencies arise and how they are resolved (1) whenall participants are acting according to the Bitcoin protocol,and (2) when a pool of participants is using the ‘selfish-mine’strategy proposed by Eyal and Sirer [2].

A. The blockchain

At the heart of the Bitcoin system is the computationalprocess calledmining, which involves the solution of acomputationally-difficult cryptographic problem. Bitcoin min-ers receive copies of all transactions as they are generated.They examine the blockchain to investigate the history ofthe bitcoins involved in each transaction. If the proposedtransaction has sufficient bitcoin credit, then it is accepted forincorporation into the block that the miner is currently workingon.

Each transaction is identified with a double SHA-256hash. Miners gather transactions together and use their hashes,together with the hash that is at the current head of theblockchain, as inputs to the cryptographic problem. If a minersucceeds in solving the problem, it is said to havemined ablock that contains records of all the transactions that were partof the calculation. The miner receives a reward (currently 25bitcoins) for accomplishing this, along with a small transactionfee gathered from each transaction in the block.

The process works as follows. A minerM computes ablock hashh over a unique ordering of the hashes of all thetransactions that it is intending to incorporate into its nextblock B. It also takes as input the block solutionsi−1 atthe head of its current version of the blockchain. Denotingconcatenation of strings by the symbol+, the cryptographicproblem thatM has to solve is: compute a SHA-256 hash

si = hash(n+ h+ si−1), (1)

such thatsi has at least a specified numberx of leading zeroswherex ∼ 64. The stringn is a random “nonce” value. Ifsi

does not have at leastx leading zeros, thenn is updated andsi is recomputed until a solution is found with the requirednumber of leading zeros.

Once mined, the new block is communicated to the mem-bers of the peer network and, subject to the fine detail of therules that we shall discuss in the next section, the new blockis added to the blockchain at each peer. The blockchain thusfunctions as a public ledger: it records every Bitcoin paymentever made.

The objective of the designers of the Bitcoin protocol wasto keep the average rate at which blocks are added to thelong-term blockchain at six blocks per hour. To this end, thevalue ofx, which reflects the difficulty of the computationalproblem inherent in (1), is adjusted after the creation of eachset of 2016 new blocks. If the previous 2016 blocks have beencreated at an average rate faster than six blocks per hour, thenthe problem is made more difficult, if they have been created ata slower average rate, then it is made less difficult. The effectis that the difficulty varies in response to the total amount ofcomputational power that the community of miners is applying.

The test of whether a particular hash has the requirednumber of leading zeros is a success/failure experiment whoseoutcome is independent of previous experiments. Therefore,the number of experiments required for the first success isgeometrically distributed and, given that the individual successprobabilities are very low and the time taken to perform anexperiment is correspondingly very small, the time taken toachieve a success is very well-modelled by an exponentialrandom variable. It is thus reasonable to model block creationinstants as a Poisson process with a constant rate of six perhour.

The difficulty of a sequence of blocks is a measure ofthe amount of computing effort that was required to generatethe sequence. This can be evaluated in terms of the numbersof leading zeros that were required when the blocks in thesequence were created. When Bitcoin was started, miners usedPCs to solve the cryptographic puzzle and earn bitcoins. Thedifficulty of the puzzle was increased to limit the rate ofproducing bitcoins. Miners started using the parallel processingcapabilities of Graphical Processing Units (GPUs) to solvethe cryptographic puzzle. The difficulty of the puzzle wasincreased again. Miners started using General ProgrammableField Arrays (GPFAs). The difficulty was increased yet again.Today miners use Application Specific Integrated Circuit(ASIC) computers.

Miners communicate by broadcasting newly-discoveredblocks via a peer-to-peer network. Each miner maintains itsown version of the blockchain based upon the communicationsthat it receives and its own discoveries. The protocol isdesigned so that blockchains are locally updated in such away that they are identical at each miner or, if they differ, thenthe differences will soon be resolved and the blockchains willbecome identical. The way that this process works is explainedin the next subsection.

B. Blockchain rules

The material discussed here is obtained from [3]. Themainbranch of the blockchain is defined to be the branch withhighest total difficulty.

• Blocks. There are three categories of blocks1) Blocks in the main branch: the transactions in

these blocks are considered to be tentativelyconfirmed.

2) Blocks in side branches off the main branch:these blocks have tentatively lost the race tobe in the main branch.

3) Blocks which do not link into the mainbranch, because of a missing predecessor ornth-level predecessor.

Blocks in the first two categories form a tree rootedat the very first block, which is known as thegenesisblock, linked by the reference to the hash of thepredecessor block that each block was built upon. Thetree is almost linear with a few short branches off themain branch.

• Updating the blockchain. Consider the situationwhere a node learns of a new block. This block couldeither be mined locally or have been communicatedafter being mined at another node. The actions thatthe node takes are to:

1) Reject the new block if a duplicate of theblock is present in any of the three blockcategories mentioned above.

2) Check if the predecessor block (that is, theblock matching the previous hash) is in themain branch or a side branch. If it is in neither,query the peer that sent the new block to askit to send the predecessor block.

3) If the predecessor block is in the main branchor a side branch, add the new block to theblockchain. There are three cases.a) The new block extends the main branch:

add the new block to the main branch.If the new block is mined locally, relaythe block to the node’s peers.

b) The new block extends a side branch butdoes not add enough difficulty to causeit to become the new main branch: addthe new block to the side branch.

c) The new block extends a side branchwhich becomes the new main branch:add the new block to the side branchandi) find the fork block on the main

branch from which this sidebranch forks off,

ii) redefine the main branch to extendonly to this fork block,

iii) add each block on the side branch,from the child of the fork block tothe leaf, to the main branch,

iv) delete each block in the old mainbranch, from the child of the forkblock to the leaf,

v) relay the new block to the node’speers.

4) Run all these steps (including this one) recur-sively, for each block for which the new blockis its previous block.

header hihash si nonce nihash sj−1 header hj−1

Tx Tx . . . Tx Tx . . .

block Bi

nonce nj−1

block Bj−1

Fig. 1. Mining a block.

C. Blockchain dynamics

Suppose minerMi is mining block Bi with hash hi

on its versionC of the blockchain which hassi−1 as itsprevious hash, and computes a solutionsi to the cryptographicpuzzle with nonceni. Miner Mi will add Bi to C andbroadcast (Bi, ni, hi, si) to the network. When another minerMj , who is also working on the blockchainC, receives thecommunication, it will compute

s′ = hash(ni + hi + sj−1).

With reference to Figure 1, ifs′ = si then minerMj willadd blockBi to its blockchainC, abandon the blockBj thatit is working on and commence trying to add a block to thechainCBi. Any transactions inBj that are not inBi will beincorporated into in this new block. Importantly, minersMi

andMj now have identical versions of the blockchain.

The existence of propagation delays can upset the aboveprocess, because blocks can be discovered while communica-tion and validation is in process. Decker and Wattenhofer [1]measured the difference between the time that a node an-nounced the discovery of a new block or a transaction andthe time that it was received by other nodes for a period ofoperation in the actual Bitcoin network. They observed thatthemedian time until a node receives a block was 6.5 seconds,the mean was 12.6 seconds and the95th percentile of thedistribution was around 40 seconds. Moreover, they showedthat an exponential distribution provides a reasonable fit to thepropagation delay distribution.

Suppose all miners are working on the same versionC ofthe blockchain and minerMi mines blockBi at timet. It willthen addBi to the blockchainC and broadcast blockBi toall its peers. Suppose that this communication reaches minerMj at time t+ δj and thatMj has mined a blockBj at timet′ ∈ [t, t+ δj).

Miner Mj now knows about two versionsCBi andCBj ofthe blockchain, which are of the same length. From the pointof view of Miner Mj , the blockchain has split, and we canthink of the node as being in a ‘race’ to see which version ofthe blockchain survives.

Miner Mi will build on CBi because this is the versionof the blockchain that it knew about first. However miner,Mj

knew aboutCBj first, and will attempt to build on this versionof the blockchain. Other miners will work on eitherCBi orCBj depending on which version they heard about first. The‘race’ situation is resolved when the next blockB∗ is mined,say onCBi, and communicated via the peer network. ThenCBiB

∗ will be longer thanCBj and all miners will eventuallystart building onCBiB

∗. It is then likely that the blockBj

will not be part of the longterm blockchain and it will becomean orphan block. Any transactions that are inBj, but not inBi or B∗, will be incorporated into a future block.’

The above situation can get more complicated if yetmore blocks are mined while communication is taking place,although this would require the conjunction of two or morelow-probability events.

A rough calculation based upon the fact that it takes600seconds on average for the community to mine a block showsthat we should expect that the probability that a new blockis discovered while communication and validation of a blockdiscovery is taking place is of the order of12.6/600 ≈ 1/50,which is small but not negligible. Given that, on average, 144blocks are mined each day, we should expect this circumstanceto occur two to three times each day, which accords with theobserved rate of orphan blocks [4].

D. Transaction integrity

In his seminal paper proposing the Bitcoin system [5],Nakamoto dealt with the issue of transaction integrity. Heproposed that a vendor should wait until his/her paymenttransaction has been included in a block, and thenz furtherblocks have been added to the blockchain, before dispatchingthe purchased goods. The rule-of-thumb that has been adoptedis to take z = 6, which roughly corresponds to waitingfor an hour before dispatching the goods. Assuming that thecommunity can generate blocks at rateλ2, Nakamoto presenteda calculation of the probabilityPA that an attacker with enoughcomputing power to generate blocks at rateλ1 < λ2 couldrewrite the history of the payment transaction by creating analternate version of the blockchain that is longer than thecommunity’s version. Unfortunately, Nakamoto’s calculationis incorrect, a fact that was observed by Rosenfeld in [6].

Let the random variableK be the number of blocks createdby the attacker in the time that it takes the community tocreatez blocks. Then, we can get the correct expression for theprobability that the attack is successful by noting thatz+K isthe number of Bernoulli trials required to achievez successes,with the success probability of an individual trial given byp ≡ λ2/(λ1 + λ2). It is thus a negative binomial randomvariable with parametersp andz.

Now, using Nakamoto’s observation that, conditional on theattacker having createdK blocks when the vendor dispatchesthe goods, the probability of the attacker ever being able tobuild a blockchain longer than the community blockchain is(λ1/λ2)

z−K if K < z, and one otherwise, we arrive at theexpression in equation (1) of [6],

PA = 1−z∑

k=0

(z + k − 1

z − 1

)(pz(1− p)k − pk(1 − p)z

). (2)

E. Selfish-mine

It follows from an analysis similar to that in Section I-Dthat, if a group of miners control more than half of the totalcomputer power, they can collude to rewrite the history of thetransactions. There might, however, be ways for a group togain an advantage even if it does not control a majority of thecomputational power.

In [2], Eyal and Sirer proposed a strategy, called ‘selfish-mine’, and claimed that, using this strategy, a pool of colluding

‘dishonest’ miners, with a proportionα < 1/2 of the total com-putational power, can earn a proportion greater thanα of themining revenue. In this sense, a pool of miners collaboratingin using the selfish-mine strategy can earn more than its fairshare of the total revenue.

In brief, selfish-mine works as follows. When a pool minermines a block, it informs its colluding pool of miners, but notthe whole community of miners. Effectively, the mining poolcreates asecretextension of its blockchain, which it continuesto work on. The honest miners are unaware of the blocks inthe secret extension and continue to mine and to publish theirmined blocks and solutions according to the standard protocol.

The computational power available to the honest minersis greater than that available to the mining pool. So, withprobability one, the public branch will eventually become aslong as the pool’s secret extension. However it is possiblethat the secret extension will remain longer than the publicbranch in the short term. The mining pool is giving up thealmost certain revenue that it would receive if it publisheditsrecently-mined block in return for a bet that its secret branchwill become long enough for it to take short-term control ofthe mining process.

Specifically, if the lead happens to become two or more,then the pool can publish a single block every time that thehonest community mines a block, and publish two blocks whenits lead is eventually reduced to one. In this way the pool workson its version of the blockchain while allowing the honestcommunity to be engaged in a fruitless search for blocks thathave no chance of being included in the long-term blockchain.

The risk to the pool is that, if it has established a lead ofexactly one by mining a blockBp, which it has kept secret,and then it is informed that the community has mined a blockBh, the pool may end up not getting credit for the blockBp.To minimise this risk, the selfish-mine strategy dictates that thepool should publish the blockBp immediately it hears aboutBh. The pool continues working onBp itself, and it hopes thatat least some of the honest community will also work onBp,so that the pool will get the credit forBp if an honest minermanages to extend it.

When Eyal and Sirer [2] modelled the selfish-mine strategy,they included a parameterγ to denote the proportion of thehonest community that work onBp after it has been publishedaccording to the scenario described above. They deducedthat the pool can obtain revenue larger than its relative sizeprovided that

1− γ

3− 2γ< α <

1

2. (3)

Eyal and Sirer’s analysis did not, however, take propagationdelay into account. Since the honest community has a headstart in propagatingBh before the dishonest miners have evenheard about it and then there is a further propagation delaybeforeBp reaches other honest miners, our first intuition wasthat γ is likely to be very low in the presence of propagationdelays.

In a survey of subversive mining strategies [7], Courtoisand Bahack state (provisionally) that the claims made forefficacy of the selfish-mine strategy [2], which is one ofthe block discarding attacks studied in [8], are exaggerated.

However, the conclusions presented in [7] concerning theselfish-mine attack are not based on experimental or modellinganalysis.

The purpose of the rest of this paper is to propose somesimple models that explicitly take propagation delay intoaccount, which we can use to compare the behaviour of theBitcoin network when all miners are observing the standardprotocol with its behaviour if there is a pool following theselfish-mine strategy.

In next section, we shall introduce and analyse a simplecontinuous-time Markov chain model that tracks the contrast-ing states of belief of a ‘pool’ and the ‘rest of the community’under the assumption that the pool and the community arephysically-separated so that communication between the pooland the community takes longer than communication withinthe pool and within the community. Effectively, we assume thatthere is no communication delay within the pool and withinthe community. We conclude that the rate of production oforphan blocks is likely to be much higher when the pool iskeeping its newly-discovered blocks secret.

In the following Section III, we study the value of Eyaland Sirer’s parameterγ in a model in which pool miners aredistributed according to Poisson processes in the plane andthepropagation delay between two miners is normally distributedwith a mean that depends on the distance between them.

Finally, in Section IV, we shall report results from asimulation of a network of 1,000 miners, of which a fractionform a dishonest pool, again with propagation delays betweenall miners that depend on their spatial separation. Someconclusions and further observations are given in Section V.

II. A SIMPLE MARKOV CHAIN MODEL

In this section we shall describe and analyse a simpleMarkovian model that takes into account the separate statesof belief of a ‘pool of Bitcoin miners’ and the ‘rest of thecommunity’ about the blockchain. We assume that commu-nication within the pool and within the community alwayshappens faster than communication between the pool and thecommunity, effectively taking the propagation delay for theformer type of communication to be zero.

Such a dichotomy between immediate communicationwithin both the pool and community and delayed communi-cation from pool to community and vice-versa is unlikely tobe realistic. However, the model is useful because it illustratesthe effect that block-withholding strategies have on the rateof blockchain splits. In the following Sections III and IV, weshall analyse models with more realistic assumptions aboutcommunication delay.

If the pool and the rest of the community agree about theblockchain, then we denote the state by(0, 0). On the otherhand, if the pool has builtk blocks onto the last ‘fork block’where it agreed with the community, and the community hasbuilt ℓ blocks beyond the fork block, then we denote the stateby (k, ℓ). Given the mechanisms that are in place to resolveinconsistencies, we would expect that states(k, ℓ) for k andℓgreater than one or two would have a very low probability ofoccurrence.

A. The pool mines honestly

We assume that the pool discovers new blocks at rateλ1, while the rest of the community does so at rateλ2,with λ2 > λ1. Without paying attention to node locations,Decker and Wattenhofer [1] observed that it is reasonableto model communication delays with exponential randomvariables. Since an exponential assumption also helps withanalytic tractability, we make such an assumption in this firstmodel. Specifically, we assume that the time that it takes tocommunicate a discovery of a block from the pool to thecommunity and vice-versa is exponentially-distributed withparameterµ ≫ λ2.

If the system is in a state(k, ℓ) with k 6= ℓ, then it returnsto state(0, 0) once communication has occurred, because thenthe pool and the community will agree about the new stateof the blockchain. However, ifk = ℓ ≥ 1, then the pool andthe community have different, but equal length, versions ofthe blockchain and will continue mining on the blockchain asthey see it. The system therefore remains in state(k, k) untila new block is discovered.

The Markov model has transition rates

q((k, ℓ), (k + 1, ℓ)) = λ1, k ≥ 0, ℓ ≥ 0 (4)q((k, ℓ), (k, ℓ+ 1)) = λ2, k ≥ 0, ℓ ≥ 0 (5)

q((k, ℓ), (0, 0)) = µ, k 6= ℓ (6)q((k, ℓ), (k′, ℓ′)) = 0, otherwise. (7)

The first two types of transition, reflected in (4) and (5),occur when the pool (respectively the community) mine ablock, while the third, in (6), occurs once communication hasoccurred when the chain is in a state(k, ℓ) with k 6= ℓ.This latter rate is a simplification of what could have beenassumed: if|k − ℓ| ≥ 2, there are multiple communicationtasks in progress, reporting the last|k − ℓ| block discoveriesin the longest branch and it is only when the communicationreporting the discovery of the final block on the longest brancharrives that the state of the system returns to(0, 0). For thesake of tractability in this simple first model, this is the onlytransition that we have taken into account. As we observedabove, states with|k − ℓ| ≥ 2 have a very low probability ofoccurrence and we can expect that this modification will nothave a great effect on the stationary distribution.

The equations for the stationary distribution are

π(0, 0) (λ1 + λ2) =

∞∑

k=0

∞∑

ℓ=0

π(k, ℓ)µI(k 6= ℓ), (8)

for k 6= ℓ,

π(k, ℓ) (λ1 + λ2 + µ) = π(k − 1, ℓ)λ1I(k > 0)

+ π(k, ℓ− 1)λ2I(ℓ > 0) (9)

and, fork = ℓ,

π((k, ℓ)) (λ1 + λ2) = π(k − 1, ℓ)λ1I(k > 0)

+ π(k, ℓ− 1)λ2I(ℓ > 0). (10)

To express the solution of these equations, we need to definea functionn(k, ℓ; i) which denotes the number of paths thatstart at the origin and finish at(k, ℓ), take steps on the integer

lattice in the directions(1, 0) (north) and(0, 1) (east) andwhich contain exactlyi points(j, j) for j > 0.

As an example, we can see thatn(3, 2; 2) = 4 becausethere are four paths

[(0, 0), (1, 0), (1, 1), (2, 1), (2, 2), (3, 2)],

[(0, 0), (1, 0), (1, 1), (1, 2), (2, 2), (3, 2)],

[(0, 0), (0, 1), (1, 1), (2, 1), (2, 2), (3, 2)], and[(0, 0), (0, 1), (1, 1), (1, 2), (2, 2), (3, 2)]

that link the origin to(3, 2), containing two points of the form(j, j) for j > 0.

With n(k, ℓ; i) = 0 for i > min(k, ℓ), n(k, 0; 0) =n(0, ℓ; 0) = 1 for all k, ℓ > 0, the n(k, ℓ; i) for kℓ 6= 0 aregiven by the recursion

n(k, ℓ; i)

= I(k = ℓ) [n(k − 1, ℓ; i− 1) + n(k, ℓ− 1; i− 1)]

+ I(k 6= ℓ) [n(k − 1, ℓ; i) + n(k, ℓ− 1; i)] . (11)

For 1 ≤ i ≤ k, the numbersT (k, i) = n(k, k; i) are knownin the literature. They give the number ofGrand Dyck pathsfrom (0, 0) to (2k, 0) that meet thex-axis i times, which isa simple transformation of our definition. An expression forthese numbers [9, Equation 6.22] is

T (k, i) =i2i

(2k−ik

)

2k − i. (12)

For k 6= ℓ, the numbersn(k, ℓ; i) do not appear in theEncyclopedia of Integer Sequences [10], and we are not awareof a previous instance where they have been used. However,in a private communication, Trevor Welsh [11], produced anexpression forn(k, ℓ; i) with k 6= ℓ. He showed that, fork > ℓ,

n(k, ℓ; i) = n(ℓ, k; i) =(k − ℓ+ i)2i

(k+ℓ−i

k

)

k + ℓ− i, (13)

which generalises (12) in an elegant way.

With the numbersn(k, ℓ; i) in hand, we are in a positionto write down the stationary distribution of the Markov chain.

Theorem 2.1:The stationary distribution of the Markovchain defined above has the form

π(k, ℓ) = π(0, 0)λk1λ

ℓ2

min(k,ℓ)∑

i=0

(|k − ℓ|+ i)2i(k+ℓ−i

k

)

(k + ℓ− i)(λ1 + λ2)i(λ1 + λ2 + µ)k+ℓ−i, (14)

whereπ(0, 0) is determined by normalisation.

Proof: The result is established by using (11) to verifythat (14) satisfies (8), (9) and (10).

For the case where,λ1 = 0.6/hr, λ2 = 5.4/hr (which cor-responds to the pool having10% of the processing power) andµ = 285/hr, corresponding to Decker and Wattenhofer’s [1]observed average communication delay of12.6 seconds, thevalues ofπ(k, ℓ) for k, ℓ = 0, . . . , 3 are given in Table I.

We see that the pool and the community agree about theblockchain 97.5% of the time, the community has a block thatthe pool is yet to hear about for about 1.8% of the time, the

TABLE I. T HE STATIONARY PROBABILITIESπ(k, ℓ) FOR

k, ℓ = 0, . . . , 3, WHEN THE POOL MINES HONESTLY.

(k, ℓ) 0 1 2 30 0.9757 0.0181 0.0003 0.00001 0.0020 0.0037 0.0001 0.00002 0.0000 0.0000 0.0000 0.00003 0.0000 0.0000 0.0000 0.0000

pool has a block that the community hasn’t heard about for0.2% of the time, while the pool and the community haveversions of the blockchain with a single different final blockabout 0.4% of the time. All other possibilities have a stationaryprobability less than10−3, which supports the intuition thatsplits in the blockchain with branches of length greater thanone occur with low probability.

Each time that the blockchain is in a state(1, 1) and anew block is mined, approximately one orphan block will becreated. This is because the new state will become(1, 2) or(2, 1) and, with high-probability, no other state change willoccur before the successful communication returns the state to(0, 0). The block on the shorter branch will then become anorphan block. With these parameter values, the rate of creationof orphan blocks is approximatelyπ(1, 1)(λ1 + λ2) = 0.022per hour, which translates to an average of about0.53 per day.

Readers will note that this value is much less than theaverage number of orphan blocks that are observed each dayin the real Bitcoin network, which lies between two and three.The discrepancy is explained by the fact that, in this simplemodel, we have assumed instantaneous communication withinthe pool and within the community. We have not countedorphan blocks caused by communication delays within the pooland within the community, which occur in the real network.However, we believe that the model still has interest because,as we shall see in Section II-B, it can be used to demonstratethat the rate of production of orphan blocks becomes muchhigher if the pool is using a block-hiding strategy such asselfish-mine.

B. The pool uses the selfish-mine strategy

Now we assume that the pool is using the selfish minestrategy described by Eyal and Sirer in [2]. As in the modelof Section II-A, we assume that the pool discovers blocks atrateλ1 and the community discovers blocks at rateλ2, withλ1 < λ2, independently of the state.

Under the selfish-mine strategy, the pool does not neces-sarily publish blocks immediately it discovers them. Rather, itkeeps them secret until it finds out that the community hasdiscovered a block, and then publishes one or more of itsblocks in response to this news. Most commonly, this willoccur when the pool has a single blockBp that it has keptsecret from the community and then it is notified that thecommunity has discovered a blockBh. The pool’s responseto this news is immediately to publishBp, hoping that someof the community will mine on it. Whether or not this happens,the pool will keep mining on its own version of the blockchain.The situation resolves itself when the next block is discovered,and the state becomes either(2, 1) or (1, 2), in which case,with high probability, the state will revert to(0, 0) oncecommunication has taken place.

Since we have assumed that communication is instanta-neous within the pool and community, but takes time fromone to the other, Eyal and Sirer’s parameterγ, the proportionof the honest community that mines on the pool’s recently-released block when the state is(1, 1), is equal to zero. Thus,when the state is(1, 1), a new block will be created on thepool’s leaf at rateλ1 and on the community’s leaf at rateλ2.

If the pool has a lead that is greater than or equal to three(a rare occurrence), it does nothing until it is notified of thediscovery of a block by the community. It then publishes itsfirst block. However, since the pool and the community willstill keep working on the blocks at the ends of their respectivebranches, this does not affect the state of the system, andtherefore we putq((k, ℓ), (0, 0)) = 0 whenℓ ≤ k − 2.

If the pool has a lead of exactly two and it is notified ofthe discovery of a block by the community, the system movesto state(2, 1) (or, indeed, the very unlikely states(3, 2), (4, 3)etc.), and then the pool will publish all its blocks. Once thecommunication of the final block has occurred, the rest of thecommunity will start working on the longer pool branch, thusreturning the state of the system to(0, 0). When it publishesblocks in this situation, the pool is ‘cashing-in’ on the lead thatit has built up, rendering useless the work that the communityhas been doing on its branch. This behaviour is reflected in ourMarkov model by puttingq((k, k−1), (0, 0)) = µ whenk ≥ 2,where the time taken to communicate a block from the poolto the community and vice-versa is exponentially-distributedwith parameterµ ≫ λ2.

Finally, we haveq((k, ℓ), (0, 0)) = µ whenk < ℓ, becausethe honest miners always publish blocks that they discover,andthe pool has no choice but to build on the community’s versionof the blockchain if it is longer. As above and in Section II-A,we are taking into account only the communication that reportsthe discovery of the final block in the community’s chain inassigning this transition rate.

Our model of the state of the blockchain when the pool isusing the selfish-mine strategy has transition rates

q((k, ℓ), (k + 1, ℓ)) = λ1, k ≥ 0, ℓ ≥ 0, (15)q((k, ℓ), (k, ℓ+ 1)) = λ2, k ≥ 0, ℓ ≥ 0, (16)

q((k, ℓ), (0, 0)) = µ, k < ℓ, (17)q((k, k − 1), (0, 0)) = µ, k ≥ 2, (18)

q((k, ℓ), (k′, ℓ′)) = 0, otherwise. (19)

The equations for the stationary distribution are

π(0, 0) (λ1 + λ2) =

∞∑

k=0

∞∑

ℓ=k+1

π(k, ℓ)µ

+

∞∑

k=2

π(k, k − 1)µ, (20)

for ℓ > k,

π(k, ℓ) (λ1 + λ2 + µ) = π(k − 1, ℓ)λ1I(k > 0)

+ π(k, ℓ − 1)λ2I(ℓ > 0), (21)

for ℓ = k,

π(k, ℓ) (λ1 + λ2) = π(k − 1, ℓ)λ1I(k > 0)

+ π(k, ℓ− 1)λ2I(ℓ > 0), (22)

TABLE II. T HE STATIONARY PROBABILITIESπ(k, ℓ) FOR

k, ℓ = 0, . . . , 3, WHEN THE POOL MINES SELFISHLY.

(k, ℓ) 0 1 2 30 0.8177 0.0121 0.0002 0.00001 0.0818 0.0749 0.0011 0.00002 0.0082 0.0002 0.0003 0.00003 0.0008 0.0008 0.0000 0.0000

for ℓ = k − 1,

π(k, ℓ) (λ1 + λ2 + µ) = π(k − 1, ℓ)λ1I(k > 0)

+ π(k, ℓ− 1)λ2I(ℓ > 0) (23)

and, forℓ < k otherwise,

π(k, ℓ) (λ1 + λ2) = π(k − 1, ℓ)λ1

+ π(k, ℓ − 1)λ2I(ℓ > 0). (24)

Like the Markov chain in Section II-A, this Markov chain hascountably-many states but, unlike the former chain, it doesnot appear to be possible to write down a simple closed-form expression similar to (14) for its stationary distribution.However, as we observed in respect of the model of SectionII-A, the stationary probabilities decay very quickly to zeroas k and ℓ increase, and we can get a good approximationby truncating the state space and augmenting the transitionrates in a physically reasonable way so that the Markov chainremains irreducible. To get the results that we report below,we truncated the state space so that only states withk+ ℓ ≤ 6were considered and solved the resulting linear equations inMatlab. For the same parameters that we used in the modelabove, Table II contains the stationary probabilities for thesubset of these states wherek, ℓ ≤ 3.

We see now that the blockchain is in a state where thepool and the community agree for only 82% of the time. Forabout 8% of the time, the pool is working on a block that ithas kept secret and, for another 7.5% of the time the pool andthe community have separate branches of length one. As weobserved in Section II-A, each time that the blockchain is instate(1, 1) and a new block is mined, an orphan block willeventually be created. Also, each time the pool publishes ablock in response to the community finding a block, a furtherorphan block is created. The conditions for the latter eventoccur with a probability of the order of10−4, and we thereforesee that the rate of creation of orphan blocks if the pool isplaying the selfish mine strategy is approximatelyπ(1, 1)(λ1+λ2) = 0.4494 per hour, which is about10.8 per day.

Comparing with the similar calculation in Section II-A inwhich the same parametersλ1, λ2 and µ led to a rate ofcreation of orphan blocks of0.5 per day, this illustrates that theincreased rate of orphan block creation has the potential tobeused as a diagnostic tool as to whether there is a pool of minersthat have adopted the selfish-mine strategy. Specifically, thecommunity can monitor whether a significant proportion of theminers is using any type of block-hiding strategy by lookingfor increases in the rate of production of orphan blocks. Inparticular, it would be possible to detect the presence of apool of miners implementing the selfish-mine strategy in thisway.

III. E YAL AND SIRER’ S PARAMETERγ

In the model of Section II, we assumed that the pooland the community were remote from each other, so thatcommunication within the pool and within the communitycould effectively be considered to be instantaneous, whilecommunication between the pool and community incurreda delay. This is clearly unrealistic. Indeed, it is likely thatthe miners of the pool are distributed throughout the honestcommunity and that there is delay in communication betweenany two miners, whether they are both in the pool or not.

To illustrate the type of approach that can be taken tomodel this situation, we shall make some assumptions aboutthe spatial relationships and the communication delays be-tween pool miners and miners in the honest community, andderive some insights about the behaviour of the blockchain.While the assumptions would need to be varied to reflect thecharacteristics of a mining pool in the actual Bitcoin network,we believe that the insights hold in general.

Specifically, we assume that the pool miners are distributedaccording to a spatial Poisson point processΨ = {Xi} withconstant intensityν > 0 over the same regionR2 that containsthe honest miners, soΨ can be considered a random set of poolminer locations{Xi}. The Poisson process is widely used forstochastic models of communication networks, for example,the positioning of transmitters [12]. Although we restrictour-selves to Euclidean spaceR2 for illustration purposes, Baccelli,Norros and Fabien [13] introduced a general framework usingPoisson processes to study peer-to-peer networks, which wasthen later used by Baccelliet al. [14] to study the scalability ofthese networks. It has been remarked [13], [14] that the Poissonprocess in this model can be defined on other spaces moresuitable for studying networks such as hyperbolic space [15],which offers a possible avenue for further research.

Furthermore, we assume that the communication delaybetween two MinersMi and Mj, whether pool or honest,that lie a distancedij apart is normally distributed witha meankdij proportional to this distance and a constantvarianceσ2, independently of other transmission delays. Thisassumption does not contradict Decker and Wattenhofer [1]who modelled theunconditionalcommunication delays withexponential random variables.

The quantity that we are interested in is Eyal and Sirer’s [2]proportionγ of the honest community that mines on a blockreleased by the selfish-mine pool in response to the honestcommunity publishing a block. With reference to Figure 2, weare interested in analysing the communication between twohonest MinersM1 andM2 that lie a distanced12 from eachother. MinerM3 is the pool miner for which the length of thepath betweenM1 andM2 via M3 is minimised. Denote the(random) distances betweenM1 andM3 andM3 andM2 byD13 andD32 respectively.

Consider the situation where the pool has discovered ablockBp that it has kept secret from the honest community andthen honest MinerM1 subsequently discovers and publishesa blockBh. The selfish-mine strategy dictates that MinerM3

should releaseBp immediately it receivesBh from M1. Weare interested in the probability that the other honest Miner M2

will receiveBp beforeBh because, with equal length branches,it will then mine on the branch that it heard about first.

d12

x13 x32

D13D32

M1

M3

M2

Fig. 2. P (D > x) is the probability that no pool miner is located in theellipse withx13 + x32 = x.

Making the further assumption that MinerM3 requires notime to process the information that a block has arrived fromM1 and releaseBp (which could be varied),γ is effectivelythe probability that communication fromM1 to M3 and thenM3 to M2 occurs faster than direct communication fromM1

to M2.

Again with reference to Figure 2, MinerM3 is chosen sothat the distanceD = D13 +D32 is minimal amongst all ofthe pool miners. This means that, for anyx < D, there is nopool miner in the ellipse whose foci are the locations of honestMinersM1 andM2 (taken to be at(−d12/2, 0) and(d12/2, 0)respectively) and semi-axes

a =x

2, b =

1

2(x2 − d212)

1/2. (25)

HenceP (D > x) = e−νA(x), x ≥ d12, (26)

whereA(x) =

πx

4(x2 − d212)

1/2 (27)

is the area of the ellipse (25). It follows that

FD(x) ≡ P (D ≤ x) = 1− e−νA(x), x ≥ d12. (28)

Conditional on the random distancesD13 andD32, the trans-mission timesT13 andT32 are independent and normally dis-tributed with meanskD13 andkD32 respectively and commonvarianceσ2, and therefore the difference∆ ≡ T13+T32−T12 isa normally distributed random variable with meank(D−d12)and variance3σ2. Since the triangle inequality ensures that themean of∆, k(D − d12) is nonnegative, we immediately seethat γ = P (T < 0) is less than or equal to0.5. Furthermore,

P (∆ < 0|D = x) = Φ

(k(d12 − x)√

3σ

), (29)

where Φ is the distribution function of a standard normalrandom variable. Integrating with respect to the probabilitydensity ofD derived from (28), we see that the probabilitythat the honest MinerM2 receivesBp beforeBh is given by

γ = ν

∫∞

d12

A′(x)e−νA(x)Φ

(k(d12 − x)√

3σ

)dx. (30)

A change of variablew = A(x) results in a numericallytractable Laplace transform

γ = ν

∫∞

0

e−νwΦ

(k(d12 −A−1(w))√

3σ

)dw, (31)

TABLE III. V ALUES OF γ FOR DIFFERENT VALUES OFd12 AND ν .

(d12, ν) 0.4 0.8 1.2 1.61 0.0341 0.0654 0.0942 0.12074 0.2034 0.3144 0.3779 0.41608 0.3687 0.4505 0.4758 0.486012 0.4430 0.4835 0.4925 0.4958

where

A−1(w) =1√2([(8w/π)2 + d412]

1/2 + d212)1/2. (32)

It is clear thatγ depends onk andσ only through the ratiok/σ. Taking this ratio to be equal to 50, Table III presentssome values ofγ as the distanced12 betweenM1 and M2

and the densityν of pool miners are varied. We see that, asd12 increases, the value ofγ approaches its theoretical limitof 0.5. The rate of convergence is faster ifν is larger, butthe parameterγ is more sensitive to the distanced12 betweenhonest MinersM1 andM2 than it is to the intensity of thePoisson process of pool miner locations. The intuition behindthis is that, whend12 is large, there is a high probability thatthere will be a pool miner close to the straight line betweenMinersM1 andM2 even if the value ofν is only moderate.

This effect is illustrated in Figure 3, which presents anexample whered12 = 12 and ν = 0.4. Honest MinersM1 ⊙ andM2 ⊗ are located at the points(−6, 0) and (6, 0)respectively. The round circles◦ are the locations of poolminers, and the marked pool miner• is the pool MinerM3,that minimises the distanceD13+D32. Note that, even thoughthe pool miners are not densely packed,M3 lies very close tothe straight line betweenM1 andM2.

Under the assumptions of the model, the above analysiscalculates the probability that the pool minerM3 closest tothe straight line between honest MinersM1 andM2 succeedsin transmittingBp to M2 beforeM2 directly receivesBh.Miner M3 is the pool miner with the highest probability ofsucceeding in this transmission. However, there might be otherpool miners that have a round-trip distance that is not muchfurther than that viaM3, and a complete analysis should takeinto account the possibility that one of these miners succeeds

−6 −4 −2 0 2 4 6−8

−6

−4

−2

0

2

4

6

8

8 V

Fig. 3. An example simulation of the Poisson model withd12 = 12 andν = 0.4.

−10 −5 0 5 10−15

−10

−5

0

5

10

15

8 V±

Fig. 4. A simulation where the pool node⊗ with the shortest round triptime is not the pool node• that lies closest to the straight line betweenM1

⊙ andM2 ✸; d12 = 12 andν = 0.2.

whenM3 does not. Such a situation is illustrated in Figure 4,where the MinerM3 closest to the straight line between MinersM1 andM2 is not the miner that had the smallest value of theround-trip propagation delay.

More precisely, instead of calculating the probability thatthe communication time via the pool nodeM3 that minimisesthe round-trip distance is less than the direct transmissiontime, we should calculate the probability that the minimumof the communication times via all the dishonest nodes is lessthan the direct transmission time. Based upon our assumptionsthat the dishonest nodes are distributed as a spatial Poissonprocess and that transmission delays are normally-distributed,the following result helps with this calculation.

Let ρ(y) denote the distance from honest minerM1 tominer M2 via an intermediate node located aty ∈ R

2. Thenthe distances

{Di} = {ρ(Xi) : Xi ∈ Ψ}from Miner M1 to Miner M2 via dishonest users{Xi} = Ψform a point process on the infinite interval[d12,∞) and thefollowing lemma is a consequence of the Mapping Theorem,see, for example, Kingman [16, page 17].

Lemma 3.1:The point process{Di} is an inhomogeneousPoisson point process with intensity (or mean) measure givenby

ΛD(x) := ΛD ([d12, x]) = νA(x), x ≥ d12 (33)

whereA(x) is given by (27).

We can make further use of the Mapping Theorem to obtaina lemma about the Poisson nature of the round trip times.

Lemma 3.2:The point process{Ti} is an inhomogeneousPoisson point process on(−∞,∞) with intensity measuregiven by

ΛT (y) := ΛT ((−∞, y]) = ν

∫∞

d12

A′(x)Φ

(y − kx√

2σ

)dx,

(34)whereA(x) is given by (27).

TABLE IV. V ALUES OFγ FOR DIFFERENT VALUES OFd12 AND ν .

(d12, ν) 0.4 0.8 1.2 1.61 0.0347 0.0678 0.0992 0.12924 0.2298 0.3914 0.5081 0.59468 0.4891 0.6937 0.7955 0.853012 0.6695 0.8372 0.9018 0.9336

Proof: We can writeTi = kDi + Ei where the sequence{Ei} consists of i.i.d.N(0, 2σ2) random variables, indepen-dent of the sequence{Di}, where, in the theory of markedpoint process, eachEi is referred to as a random mark. By theMarking Theorem [16, page 55], the two-dimensional process(Di, Ei) is also a Poisson process, with intensity measure onrectangles of the form(a, b]× (−∞, y] given by

ΛD,E(a, b, y) = νΦ

(y√2σ

)∫ b

a

A′(x)dx,

and the Poisson nature of the process{Ti} follows again fromthe Mapping Theorem [16, page 17]. To get the expression(34) for the intensity measure of{Ti}, we condition on thepossible value ofDi that leads to a given value ofTi.

The probabilityγ that the pool block released byM3 willreachM2 before the block published byM1 is the probabilitythat there exists a point of the Poisson process{Ti} less thanthe direct transmission timeT12. This latter time is normallydistributed with meankd12 and varianceσ2. If such a pointexists, then there will be at least one pool node where theround-trip time is shorter than the direct time.

Conditional onT12 = t12, we can use Lemma 3.2 to writethe probability of the above event as

P (minTi ≤ T12|T12 = t12) = 1− exp(−ΛT (t12)), (35)

whereΛT is given by(34). This expression can also be derivedby consideringminTi as extremal shot-noise, see, for example,Baccelli and Błaszczyszyn [12, Proposition 2.13].

Now, integrating with respect to the density ofT12, theunconditional probability that there is a point of the roundtripprocess which is less than the direct transmission time is

γ =1

√

2πσ

∫

∞

−∞

(1− exp(−ΛT (u))) exp

(

−(u− kd12)2

2σ2

)

du

= 1−1

√

2πσ

∫

∞

−∞

exp

(

−(u− kd12)2

2σ2− ΛT (u)

)

du. (36)

For the same values ofd12 andν that were used in Table III,again withk/σ = 50, Table IV gives the values ofγ calculatedvia (36).

We notice first that the values ofγ in Table IV are all higherthan than the values ofγ depicted in Table III, reflecting thefact that pool nodes other than the pool node that is closestto the straight line betweenM1 andM2 might lie on the paththat minimises the round-trip delay. Furthermore, we see thatthe values ofγ are more sensitive to the densityν of the poolnodes than the values ofγ. This makes sense because, whenthe density of pool nodes is high, there are likely to be morepool nodes, other than the one that minimises the round-tripdistance betweenM1 andM2, that have short round-trip times.Finally, we note that when distanced12 between nodesM1 andM2 is high, and the densityν of pool nodes is also high, theprobability γ can be arbitrarily high, for example exceeding

0.9 whend12 = 12 andν = 1.6, even though the probabilityγ cannot be greater than0.5.

The overall lesson from the analysis in this section is that,with randomly-varying communication delays, it is advanta-geous for the pool to maximise the number of nodes thatrelease a secret block in response to a block being minedby the honest community. This maximises the probability ofat least one of them succeeding in transmitting its releasedblock to the other honest nodes before they receive the directcommunication fromM1.

In fact, a similar observation can also be applied to thehonest community itself. Rather than relying on the directcommunication betweenM1 and M2 to occur faster thanround-trip communication via the pool nodes, the honestcommunity could also employ intermediate nodes as relaysand there would be a good chance that faster communicationwould be achieved via one of these. Analysing such a situationusing the techniques of this section is an interesting questionfor future research.

IV. B LOCKCHAIN SIMULATION EXPERIMENTS

We developed two blockchain simulators, one in C++ andone in Java, the latter based on the DESMO-J simulationframework [17]. We used the former to simulate a networkof 1,000 nodes. The simulation worked as follows.

• The positions of the nodes were selected uniformly atrandom on the set[0, 1000]× [0, 1000].

• Blocks were mined at randomly-selected nodes at theinstants of a Poisson process. On average, one blockwas mined every 10 minutes.

• Each node maintained a local copy of the blockchain.

• The communication delay between two nodes was arandom variable sampled from a normal distributionwhose mean was proportional to the Euclidean dis-tance between the two nodes and whose coefficient ofvariationCV was kept constant. Note that this differedfrom the delay model described in Section III, wherewe assumed that the normally distributed communi-cation delay had a constant varianceσ2. In the modeldiscussed in this section, the variance increases withthe distance between the nodes.

• A total of 10,000 blocks were mined. This represents70 days of mining.

• Each simulation experiment was replicated 12 timesand 95% confidence intervals for all performancemeasures that we shall discuss below were computed.

• The simulation results are generally presented belowin the form of plots. The plotted points are samplemeans. Confidence interval half widths are shownif they are distinguishable, otherwise they are omit-ted. The plotted points are connected by continuouscurves constructed from segments of cubic polynomi-als whose coefficients are found by weighting the datapoints.

0.001

0.01

0.1

1

10

100

0.001 0.01 0.1 1 10 100

aver

age

num

ber

of b

lock

chai

n sp

lits

per

24 h

ours

average communication delay (seconds)

Fig. 5. The average number of blockchain splits per 24 hours.

A. Honest mining

Figure 5 shows the average numberb(t) of blockchainsplits per 24 hours as a function of the communicationdelay t, averaged over all the nodes in the network. Thedelay was varied from 1 msec to 100 seconds. Both axes arelogarithmic. Fitting a straight line to the log-log plot yieldsb(t) = 0.2508t0.9695 so that the average split rate was almostlinearly proportional to the average communication delay.

The simulation experiments showed that when the expectedcommunication delay was 10 seconds, on average 2.34 splitswere observed per 24 hours. This is roughly in agreement withthe observations made by Decker and Wattenhofer [1] that anaverage communication delay of 12.6 seconds results in anaverage split rate of 2.4 per 24 hours in the actual Bitcoinnetwork.

Suppose there is a (hypothetical) mechanism that is invokedwhen a block is attached to a blockchain. The mechanismcan simultaneously inspect the blockchains at all the nodesand report if each blockchain has a single leaf and if all theblockchains are identical: if this condition occurs then theblockchains are said to besynchronised.

Consider an instant of timet0 when the mechanism reportsthat the blockchains are synchronised. Lett > t0 denote thefirst time instant aftert0 when the mechanism reports that

0.001

0.01

0.1

1

10

100

1000

0.001 0.01 0.1 1 10 100

ave

rag

ed

we

lltim

e(s

eco

nd

s)

average communication delay (seconds)

Fig. 6. The average dwell time.

0

0.2

0.4

0.6

0.8

1

0 0.1 0.2 0.3 0.4 0.5

coeff of variationCV 0.000CV 0.001CV 0.005CV 0.010

α

γ

Fig. 7. The ratioγ.

the blockchains are not synchronised. Lett′ > t denote thefirst time instant aftert when the mechanism reports thatthe blockchains are again synchronised. We shall refer to theinterval t′ − t as thedwell time.

Figure 6 plots the average dwell time as a function of theaverage communication delay. Again, the axes are logarithmic.The figure shows that the dwell time was also almost linearlyproportional to the average communication delay.

As the average communication delay increased, the numberof splits increased and the time until the splits were resolvedand the blockchains were synchronised increased. The averagedwell time exceeded 10 minutes (the average time betweenmining events) when the average communication delay was ofthe order of 100 seconds.

B. Dishonest mining

In remainder of this section we shall report the applicationof our simulator to the situation where a pool of miners usedEyal and Sirer’s selfish-mine approach [2]. The details of ourimplementation of the selfish-mine algorithm are given in theAppendix.

As in Section I-E, we useα to denote the fraction of thetotal computing capacity of the network that is controlled bythe dishonest pool, andγ to denote the probability that anhonest miner will mine on the blockBp, rather thanBh.

When the communication delays are zero, according toEyal and Sirer’s expression (3), the minimum proportion ofcomputing power required for profitable selfish mining rangesfrom α > 0 (if γ = 1) to α > 1/3 (if γ = 0).

We simulated the communication delays between miners inthe network as independent normal random variables whosemean was proportional to distance between the miners andwhose coefficient of variationCV was kept constant. IfCV =0 then, by the triangle inequality, we would have expectedBh

to reachM2 beforeBp reachesM2, unless the three nodesM1,M2 andM3 are collinear, which is an event of probability zero.This expectation was confirmed in the simulation.

However, if CV > 0 then Bp can arrive atM2 beforeBh, and soγ will be positive. We used our simulator toinvestigate the value ofγ as the number of pool miners was

0

0.2

0.4

0.6

0.8

1

0 0.1 0.2 0.3 0.4 0.5

coeff of variationCV 0.000CV 0.001CV 0.005CV 0.010

α

Γ

Fig. 8. The ratioΓ.

varied from from 0 to 500, and thus the proportionα of poolcomputing power was varied from0 to 0.5. Figure 7 presentsthe observed proportionγ as a function ofα for several valuesof the coefficient of variationCV . The figure confirms ourexpectation that, whenCV > 0 and there are dishonest minerspresent, thenγ ought to be positive.

Furthermore, the value ofγ increased quickly as a functionof α even whenCV was taken to be quite small. Thisreinforces the insight that we gained in Section III that, becausethere were many possibilities for the intermediate pool node,the probability of a communication path via one of thembeating the direct communication was unexpectedly high.

The fact that an honest minerMi is mining on a blockBp

revealed by the dishonest pool does not guarantee that the nextblock to be attached to the blockchainCi at nodeMi will belinked to blockBp. If Ci has two leavesBp andBh and ablock Bnew arrives from another node, thenBnew can attachto Bp or to Bh.

Let Γ denote the probability that the next block attachedto the blockchain at an honest node was linked to blockBp.Figure 8 shows that the sample means ofΓ indicated by thepoints (+,×, ∗,✷) corresponded closely with the theoreticalvalueΓ = α+ (1− α)γ given by the continuous curves.

C. The relative pool revenue

Let Nh denote the total number of blocks mined by thehonest miners that were included in the blockchain at theend of the experiment. The revenue earned from these blockshas been credited to the honest miners. LetNp denote thetotal number of blocks mined by the pool that were finallyincluded in the blockchain. Define the relative pool revenueR = Np/(Nh +Np).

Figure 9 presents a map of the relative pool revenueR asa function of the total number of miners (varied from 100 to1,000) and the pool size as a fractionα of the total number,with the average communication delay fixed at 10 seconds. Thefigure demonstrates that the relative pool revenue was roughlyconstant with respect to the number of nodes, and increasedwith increasing values ofα. Significantly,R became greaterthan 0.5 when α reached0.4, which indicates that the poolwas earning more than its fair share of revenue in this region.

0 0.1 0.2 0.3 0.4 0.5 100

200

300

400

500

600

700

800

900

1000

0

0.5

1

R > 0.5

α

nu

mb

er

of

no

de

s

Fig. 9. The relative pool revenueR in networks of increasing size.

D. Detecting the presence of dishonest miners

In this section and the following sections, we follow thetheme of Section II, and discuss how the honest miners candetect the presence of a pool of miners implementing theselfish-mine strategy. Consider a network of 1,000 miners,with an average communication delay of 10 seconds and acoefficient of variationCV = 0.001.

Figure 10 presents the average number of blockchain splitsper 24 hours as a function of the relative sizeα of thedishonest pool. As the size of the dishonest pool increased,the average number of splits per unit time increased by anorder of magnitude. Thus the simulation has confirmed theconclusion of the model that we investigated in Section II thatan increase in the split rate can provide a means for the honestminers to detect the presence of the dishonest miners.

In a network of 1,000 nodes, assuming that all miners havethe same computational power, each miner expects to earn anaverage of25 × 6/1000 = 0.15 bitcoins per hour. Figure 11shows that as the number of dishonest miners increased, thehonest miners earned less than the expected average of 0.15bitcoins per hour. This may also afford a means for the honestminers to detect the presence of a pool of miners implementingthe selfish-mine strategy.

1

10

100

0 0.1 0.2 0.3 0.4 0.5

α

ave

rag

en

um

be

ro

fsp

lits

pe

r2

4h

ou

rs

Fig. 10. The average number of blockchain splits per 24 hours.

0

0.05

0.1

0.15

0 0.1 0.2 0.3 0.4 0.5

honest minersdishonest miners

α

reve

nu

ep

er

min

er

(bitc

oin

s/h

ou

r)

Fig. 11. The average confirmed revenue earned per hour per miner.

E. Dishonest mining is not profitable

Figure 12 presents the relative pool revenueR as a functionof the relative sizeα of the dishonest pool. The figure showsthat forα > 0.25 dishonest mining outperformed honest min-ing. However, this does not imply that the pool incorporatedmore blocks into the main branch than it would have if thedishonest miners had followed the bitcoin rules.

Figure 13 illustrates this by exhibiting the performance ofboth the dishonest pool and the honest miners in terms of thenumbers of blocks they mined that end up in the main branch.It presents the average number of blocks mined per hour bythe pool, by the honest miners and in total, that were includedin the long-term blockchain as a function of the relative sizeα of the dishonest pool. The average block mining rate washeld constant at 6 blocks per hour.

The figure demonstrates that, when there is a pool imple-menting selfish-mine, both the pool and the honest miners wereworse off than they would have been if no dishonest miningwas present. The total number of blocks that the pool andhonest nodes incorporated into the main branch when dishonestmining was present was always less than the number thatwould have been incorporated if dishonest mining were notpresent.

We caution that the above observation is made under theassumption that the difficulty of the cryptographic problemdescribed in Section I-A was held constant. In the real Bitcoin

0

0.2

0.4

0.6

0.8

1

0 0.1 0.2 0.3 0.4 0.5

dishonest nodeshonest nodes

α

rela

tive

po

ol

reve

nu

e

Fig. 12. The relative pool revenueR and R.

0

2

4

6

0 0.1 0.2 0.3 0.4 0.5

totaltotal confirmed

honest confirmeddishonest confirmed

honest fair sharedishonest fair share

α

blo

cks

min

ed

pe

rh

ou

r

Fig. 13. The average block mining rate.

blockchain, the network would respond to an overall decreasein the rate of blocks being successfully mined by reducing thedifficulty of the cryptographic problem. This decreased valueof the difficulty may itself afford a means for the honest minersto detect the presence of the dishonest miners.

F. Adoption threshold

Figure 12 shows that in the range0 < α ≤ 0.25 there is noincentive for a solo miner to adopt the selfish-mine strategy,since by doing so a miner will be become part of a pool thathas a lower relative pool revenue than it would have if allthe members of the pool were honest. Moreover, in the range0 < α ≤ 0.25, solo honest miners benefit (in terms of theirrelative pool revenueR = 1 − R) from the activities of thedishonest pool. A larger participant may already possess morethan 25% of the network mining capacity and may be ableto attract miners with a promise of an enhanced pool revenue.However, as shown in Section IV-E, these miners will earn lessthan they would have earned had they remained honest, and ifthey perceive this they may withdraw from the dishonest pool.

V. CONCLUSIONS

In this paper we have studied the dynamics of the Bitcoinblockchain when propagation delays are taken into account,with specific reference to how the blockchain behaves whenthere is a pool of miners using the selfish-mine strategyproposed by Eyal and Sirer [2]. Our approach has beento construct simple models that provide insight into systembehaviour, without attempting to reflect the detailed structureof the Bitcoin network.

In Section II we used a simple Markov chain model todemonstrate that it is possible for the whole mining communityto detect block-hiding behaviour, such as that used in selfish-mine, by monitoring the rate of production of orphan blocks.

In Section III, our attention turned to Eyal and Sirer’sparameterγ, which is the proportion of the honest communitythat mine on a previously-secret block released by the selfish-mine pool in response to the honest community mining a block.When there is no variability in the propagation delay, it followsfrom the triangle equality (at least within the Poisson networkmodel that we assumed) that the value ofγ is zero. However,the value ofγ can increase surprisingly quickly with increasing

variability of propagation delay. A key observation is thatif allpool nodes release the secret block as soon as they are notifiedof the discovery of the public block, the chances of one ofthem beating the direct communication can be very high. Wedid not study the counter-balancing effect that would occurifall honest miners relayed the honest miner’s block in the sameway. A study of this would be an interesting topic for futureresearch.

Finally, in Section IV, we used simulation to verify theobservations that we made in Sections II and III, under slightlydifferent assumptions. We also were able to study the long-term rate of block production, and hence revenue generationunder both honest mining and selfish-mine strategies and makesome observations about when selfish-mine is profitable. Animportant observation is that, in the absence of a relaxation ofthe difficulty of the mining cryptographic problem, the long-term rate of block production will decrease if a pool of minersis implementing the selfish-mine strategy. It can thus happenthat, even if the selfish pool is earning a greater proportionof the total revenue than is indicated by its share of the totalcomputational power, it is, in fact, earning revenue at a lesserrate than would be the case if it simply followed the protocol.This observation makes intuitive sense, since the whole pointof selfish-mine is to put other miners in a position where theyare wasting resources on mining blocks that have no chanceof being included in the long-term blockchain.

We emphasize that our models, both analytic and simula-tion, are idealised. It would be an interesting line for futureresearch to use network tomography techniques to discover thetopology of the actual Bitcoin network and then employ theanalytical and simulation techniques that we have discussedin this paper to study the effect of propagation delay on thedynamic evolution of the blockchain.

ACKNOWLEDGMENT

The authors would like to thank Maria Remerova for somevaluable comments that led to an improvement of the paper.

REFERENCES

[1] C. Decker and R. Wattenhofer, “Information propagationin thebitcoin network,” in13th IEEE Conference on Peer-to-PeerComputing, 2013, pp. 1–10.

[2] I. Eyal and E. G. Sirer, “Majority is not enough: Bitcoin mining isvulnerable,” inFinancial Cryptography and Data Security. SpringerBerlin, Heidelberg, 2013, pp. 436–454.

[3] [Online]. Available: https://en.bitcoin.it/wiki/Protocol rules

[4] [Online]. Available: https://blockchain.info/charts/n-orphaned-blocks

[5] S. Nakamoto. (2009) Bitcoin: A peer-to-peer electroniccash system.[Online]. Available:http://bitcoins.info/bitcoin-a-peer-to-peer-electroniccash-system-satoshi-nakamoto/

[6] M. Rosenfeld. (2014) Analysis of hashrate-based double-spending.[Online]. Available: http://arxiv.org/abs/1402.2009

[7] N. Courtois and L. Bahack. (2014) On subversive miner strategies andblock withholding attack in bitcoin digital currency. [Online].Available: arXiv:1402.1718v5

[8] L. Bahack. (2013) Theoretical bitcoin attacks with lessthan half ofthe computational power. [Online]. Available: eprint.iacr.org/2013/868

[9] E. Deutsch, “Dyck path enumeration,”Discrete Mathematics, vol.204, pp. 167–202, 1999.

[10] The on-line encyclopedia of integer sequences. [Online]. Available:https://oeis.org/

[11] T. Welsh, private communication.

[12] F. Baccelli and B. Błaszczyszyn,Stochastic geometry and wirelessnetworks: Volume 1: Theory. Now Publishers Inc, 2009, vol. vol. 1.

[13] F. Baccelli, I. Norros, and F. Mathieu, “Performance ofp2p networkswith spatial interactions of peers.” [Online]. Available:http://hal.inria.fr/inria-00615523v2

[14] F. Baccelli, F. Mathieu, I. Norros, and R. Varloot, “Canp2p networksbe super-scalable?” inINFOCOM. IEEE, 2013, pp. 1753–1761.

[15] M. Boguna, F. Papadopoulos, and D. Krioukov, “Sustaining theinternet with hyperbolic mapping,”Nature Communications, vol. 1,p. 62, 2010.

[16] J. Kingman,Poisson Processes. Oxford University Press, 1993.

[17] B. Page and W. Kreutzer,The Java Simulation Handbook – SimulatingDiscrete Event Systems with UML and Java. Aachen: Shaker, 2005.

APPENDIX

The pseudo-code presented in Algorithm 1 summarises theactions of a dishonest node.

Algorithm 1 Selfish-mine algorithm at a dishonest nodei.// Initialise theblockchainat dishonest nodei.

function INITIALISE

blockchain:= publicly known blockssecretExtension:= empty; race := FALSEmine on the last block in theblockchain

end function

// Dishonest nodei attaches a secretBlock to its secretExtension.function SECRETM INE(block Block)

appendBlock to secretExtension; ns := ns + 1if race then

publish Block; race := FALSE; secretExtension:= emptyelse if |secretExtension| > 5 then // prevent runaway

publish the first unpublished block ofsecretExtensionend ifmine onBlock

end function

// Dishonest nodei attaches a public/publishedBlock to its blockchain.// The last block onblockchainhas serial numbernp.// The last block onsecretExtensionhas serial numberns.

function PUBLICM INE(block Block)appendBlock to blockchain; np := np + 1∆ := ns − np // compute the leadif ∆ = −1 then

if race thenrace := FALSE; secretExtension:= empty

end ifmine onBlock

else if∆ = 0 thenrace := TRUEpublish the last (and only) block ofsecretExtensionsecretExtension:= empty; mine on blockns

else if∆ = 1 thenif |secretExtension| = 2 then

publish secretExtension; secretExtension:= emptymine on blockns

end ifelse // ∆ > 1

publish the first unpublished block ofsecretExtensionmine on blockns

end ifend function