# Research on PoW Protocol Security under Optimized Long Delay Attack

^{*}

## Abstract

**:**

_{OD}model, which makes the main chain record in the model more close to the actual situation and reduces the errors caused by the establishment of the model in the analysis process. By comparing the differences between the T

_{OD}model and the original model, it is verified that the improved model has a higher success rate of attack when the probability of mining the delayable block increases. Then, the long delay attack is improved on the balance attack in this paper, which makes the adversary control part of the computing power and improves the success rate of the adversary attack within a certain limit.

## 1. Introduction

_{MC}model proposed by the authors is too idealistic, and when the number of forks is large in the model, a large amount of node information cannot be recorded on the model, resulting in errors. In addition, in the authors’ proposed model for long delay attacks against the PoW protocol, the authors set the adversary to only control the communication to indicate that the PoW protocol has some security, which does not clearly reflect the complex delay situation. This paper makes improvements to solve these problems. The main contributions of this research include:

- Optimized the main chain record model based on the original research so that the improved record model can simulate the evolution of the main chain on the blockchain accurately.
- Improved the original long delay attack model, combined it with the balanced attack where the adversaries can control a certain number of corrupted miners, and proposed the improved long delay attack model, which made the improved attack model more real and improved the success probability of the adversary attack.
- Based on the above research, this paper analyzes the security of the PoW protocol in a complex latency environment and shows that the PoW protocol still has good security in a complex delay environment.

## 2. Related Work

_{MC}and modified the three security attributes proposed in [18,19] to prove that the blockchain is safe under the long delay attack of $\u2206\ge 1\u2215np$ in an asynchronous network.

## 3. Optimized Blockchain Model

#### 3.1. T_{OD} Record Model

_{OD}. In this improved T

_{OD}model, the main operations are shown below (in Figure 1):

_{OD}and that the individual nodes ${\mathrm{C}}_{0}=({\mathrm{B}}_{0},{\mathrm{B}}_{1},\dots {\mathrm{B}}_{\mathrm{k}})$ are exactly the same as the first k block nodes on the broadcast chain ${\mathrm{C}}^{\prime}$, i.e., there exists a value of k $(0<\mathrm{k}<\mathrm{n})$ such that the first k nodes on ${\mathrm{C}}^{\prime}$ are exactly equal to the ${\mathrm{C}}_{0}$ branch, and at that point k reaches its minimum value that satisfies the conditions, then adds the blocks on ${\mathrm{C}}^{\prime}$ from k + 1 to n to the branch.

_{OD}. After the Addblock operation on the current round, determine whether a new fork is created on the current model and whether the fork depth at the original node in the model increases.

#### 3.2. Fork Problems on T_{OD}

- After adding a new block, determine whether a new fork is generated on the current model.
- If there is a new fork after adding a new block to the original fork, judge whether the fork depth on the node increases.

## 4. Long Delay Attack Based on T_{OD} Model

#### 4.1. Effect of Long Delay Attack on Chain Growth

_{OD}model to simulate and analyze the potential threat of long delay attacks on the blockchain PoW protocol and make a comparison experiment with [20]. Similarly, we set the adversary to not control any computing power, and we divide miners into H

_{A}and H

_{B}to represent two branches on T

_{OD}. At the same time, the number of miners in the two sets is dynamically equal. That is, assuming $\left|{H}_{A}\right|=\left|{H}_{B}\right|=n/2$, the probability of successful mining in each round is $p$, and the probability of mining a delayable block in each round is α. If n miners successfully mined, then the probability of successful mining is $\eta (n,p)=1-{(1-p)}^{n}$, and when $n$ is large enough, we can consider $\eta (n,p)\approx np$.

- (1)
- If both branches A and B grow at the end of a round, there are several possible situations:
- (a)
- After the consensus process, both A and B have mined non-delayable blocks, so in the next round, each branch is successfully extended, the fork depth is increased by 1, and the length of the blockchain is increased by 1; the probability is shown in Equation (1).$$\frac{\eta {(\frac{n}{2},(1-\alpha )p)}^{2}}{\eta (n,p)}\approx \frac{\frac{1}{4}{(1-\alpha )n}^{2}{p}^{2}}{np}=\frac{(1-\alpha )np}{4}$$
- (b)
- After the completion of the consensus processes of A and B, the miners have successfully mined the block, the two branch chains have increased, and the probability of this situation is Equation (2).$$\frac{\eta {(\frac{n}{2},p)}^{2}}{\eta (n,p)}\approx \frac{\frac{1}{4}{n}^{2}{p}^{2}}{np}=\frac{np}{4}$$
- (c)
- When both A and B mines the delayable block, and the adversary chooses to broadcast in the same round, the chain length will also increase. We will discuss the details in case 4.

- (2)
- If only one branch grows after the current round r, BoolTurn is set to 1, and BoolTurn is set to 0 in round r + 1. If a new block is generated in round r + 1, no delete operation is performed, and so if a branch grows, BoolTurn is set to 1. Without loss of generality, the probability that one of the branches A or B mined a non-delayable block is A, and B failed to mine a new block, and so we can obtain Equation (3):$$\frac{2(1-\eta (\frac{n}{2},p))\eta (\frac{n}{2},(1-\alpha )p)}{\eta (n,p)}\approx \frac{(1-\alpha )(2-np)}{2}$$

- (3)
- Branch A and branch B failed to mine a new block in the round r, and at this time, both branches did not grow; the probability of such a situation is shown in Equation (4):$$\frac{{(1-\eta (\frac{n}{2},p))}^{2}}{\eta (n,p)}\approx \frac{\frac{1}{4}{(2-np)}^{2}}{np}=\frac{{(2-np)}^{2}}{4np}$$

- (4)
- Here we focus on several cases after a delayable block has been mined. When one of the two branches has a delayable block, without loss of generality, set it to A and discuss the other block.
- (a)
- If branch B failed to mine the block, it needs to consider whether the block mined by branch A has reached the delay limit. If it has reached the $\u2206$ round, the block must be broadcast. If it has not reached the $\u2206$ round, the adversary can choose to continue to delay; if A did not mine a non-delayable block, it will have the following probability in the following round shown in Equation (5):$${P}_{n}=(1-\eta (\frac{n}{2},p))\xb7(1-\eta (\frac{n}{2},(1-\alpha )p))\approx \frac{(2-np)(2-np+\alpha np)}{4}$$
- (b)
- Branch B must broadcast a non-delayable block in the current round, and in a sense, the probability of the adversary not mining a non-delayable block is almost equivalent to the probability of mining a delayable block, and so we can obtain Equation (6):$$\begin{array}{l}\frac{2(1-\eta (\frac{n}{2},(1-\alpha )p))\xb7\eta (\frac{n}{2},(1-\alpha )p)}{\eta (n,p)}\\ \approx (1-\frac{(1-\alpha )np}{2})(1-\alpha )=1-\alpha -\frac{{(1-\alpha )}^{2}np}{2}\end{array}$$

#### 4.2. Improvement of Long Delay Attack

_{A}and H

_{B}, and the chains C

_{A}and C

_{B}represent the two branches. Each chain has $n(\mu +1)/2$ nodes, but the corrupted miners do not always mine on the current chain. For example, when miners on one chain have finished mining, miners on the current chain can dynamically delay attacks on the other chain, which also greatly improves the work efficiency of corrupt miners in this case. So, we have the following situation (see Table 1):

#### 4.3. Proof of Security

- (1)
- When blocks are mined on both C
_{A}and C_{B}, and the blocks on that chain are both obtained by at least one honest miner, and after the miners broadcast the chains on their respective nodes, a fork is formed between C_{A}and C_{B}at this point, with the fork depth increasing by 1 and the chain growth increasing by 1. So, we can obtain Equation (9), and the probability of this happening is:

- (2)
- On C
_{A}and C_{B}, one of the chains has a miner successfully mining a node and the block is a non-delayable block, and the other chain has not mined. According to the T_{OD}model, it is known that when a new block is created on one chain it will not immediately delete the shorter chain and enter the BoolTurn operation, maximizing the spare chain on the model and allowing the adversary the opportunity to extend the fork. So, in the next round, if the shorter chain mines a new block, the adversary succeeds in increasing the fork, and success in the next round requires two conditions to be satisfied: one chain does not mine a non-delayable block, and the other chain does not succeed in mining, and so the probability of entering the next round is shown in Equation (10):

- (3)
- If only one chain in C
_{A}and C_{B}mined a block, which was mined by a corrupted miner, and another failed, then the probability of this case is shown in Equation (14):

- (4)
- If only one chain in C
_{A}and C_{B}mined a block, which was mined by an honest miner, and the other chain failed to mine the block, then the probability of this case is:

## 5. Experimental Analysis

_{OD}model, experimentally verifying the feasibility of the T

_{OD}model and the change in attack efficiency after the improved attack.

#### 5.1. Experimental Analysis of Long Delay Attack on Chain Growth

_{OD}, the adversary is called successful. The fork depth and delay success probability are shown in the following table.

_{OD}and Tree

_{MC}in a round with $np$ = 1/60. From Figure 6, we can see that under the same value of $\alpha $, the optimized T

_{OD}model shows that the success rate of the adversary’s attack is higher than that of the Tree

_{MC}model, and the success rate of the adversary’s attack on the chain growth rate increases with the increase in a round but does not exceed 0.8. Combining the previous experimental data, it can be concluded that although the success rate of the attack may increase after the adversary has mined the delayable block, considering the actual situation, with the increase in the number of consecutive rounds T and the decrease in the number of delayable blocks and delayable rounds, the success rate is still at a low level, and so the PoW protocol still has good security in the face of long delay attacks.

#### 5.2. Improved Experimental Analysis of Long Delay Attack

## 6. Conclusions

_{OD}model, it can be seen that the probability of mining a delayable block in the mining process will greatly affect the success rate of the adversary attack, and the success rate of the adversary attack has a great relationship with the current fork depth, the maximum number of delayable rounds, and the corresponding activities of corrupted miners. This paper provides a theoretical analysis of the success rate of adversary attacks and the security of PoW protocols in the face of complex latency environments by providing a flexible division of adversary computing power and network latency from the adversary perspective. According to the experiments in this paper, we can see that when the probability of the delayable block, the maximum number of delayable rounds, and the proportion of corrupted miners in the protocol increase, the success rate of the delay attack will increase, and therefore its security will be affected to some extent. However, in combination with the actual situation, it is difficult for the adversary to control the computing power of a large number of miners in the mining process, and the probability of mining the delayable block and the number of multiple delay rounds will be greatly limited. When the fork depth reaches a certain level, the success rate of the attack will decrease significantly. Therefore, it can be seen that the PoW protocol still provides good security in the face of complex long delay attacks. It is undeniable that as the adversary controls a large amount of computing power in the network and implements delay attacks in a diversified and deepening manner, it is clear that the high energy consumption and inefficient PoW protocols cannot meet the actual needs of the network nodes. Exploring the security of PoW protocols in more complex network environments and under attack conditions will also be our next research direction.

## Author Contributions

## Funding

## Data Availability Statement

## Acknowledgments

## Conflicts of Interest

## References

- Longo, R.; Mascia, C.; Meneghetti, A.; Santilli, G.; Tognolini, G. Adaptable Cryptographic Primitives in Blockchains via Smart Contracts. Cryptography
**2022**, 6, 32. [Google Scholar] [CrossRef] - Romano, D.; Schmid, G. Beyond Bitcoin: Recent Trends and Perspectives in Distributed Ledger Technology. Cryptography
**2021**, 5, 36. [Google Scholar] [CrossRef] - Martínez, V.G.; Hernández-Álvarez, L.; Encinas, L.H. Analysis of the Cryptographic Tools for Blockchain and Bitcoin. Mathematics
**2020**, 8, 131. [Google Scholar] [CrossRef][Green Version] - Caldarola, F.; d’Atri, G.; Zanardo, E. Neural Fairness Blockchain Protocol Using an Elliptic Curves Lottery. Mathematics
**2022**, 10, 3040. [Google Scholar] [CrossRef] - Heilman, E.; Kendler, A.; Zohar, A.; Goldberg, S. Eclipse Attacks on Bitcoin’s Peer-to-Peer Network. In Proceedings of the 24th USENIX Security Symposium, Washington, DC, USA, 12–14 August 2015; pp. 129–144. [Google Scholar]
- Douceur, J.R. The Sybil Attack. In Proceedings of the Peer-to-Peer Systems, First International Workshop, IPTPS 2002, Cambridge, MA, USA, 7–8 March 2002. [Google Scholar]
- Yang, X.; Chen, Y.; Chen, X. Effective Scheme against 51% attack on proof-of-Work Blockchain with History Weighted Information. In Proceedings of the IEEE International Conference on Blockchain (Blockchain), Atlanta, GA, USA, 14–17 July 2019; pp. 261–265. [Google Scholar]
- Wang, H.; Zhang, X.W. SRRS: A blockchain fast propagation protocol based on non-Markovian process. Comput. Netw.
**2022**, 219, 109435. [Google Scholar] [CrossRef] - Trom, J. Cuckoo cycle: A memory bound graph-theoretic proof-of-work. In Proceedings of the International Conference on Financial Cryptography and Data Security, San Juan, Puerto Rico, 26–30 January 2015; Springer: Berlin, Germany, 2015; pp. 49–62. [Google Scholar]
- Pass, R.; Seeman, L.; Shelat, A. Analysis of the blockchain protocol in asynchronous networks. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, 30 April–4 May 2017; pp. 643–673. [Google Scholar]
- Gazi, P.; Kiayias, A.; Russell, A. Tight consistency bounds for bitcoin. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, 9–13 November 2020; pp. 819–838. [Google Scholar]
- Dembo, A.; Kannan, S.; Tas, E.N.; Tse, D.; Viswanath, P.; Wang, X.; Zeitouni, O. Everything is a race and Nakamoto always wins. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, 9–13 November 2020; pp. 859–878. [Google Scholar]
- Wei, P.W.; Yuan, Q.; Zheng, Y.L. Security of the blockchain protocol against long delay attack. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Brisbane, Australia, 2–6 December 2018; pp. 250–275. [Google Scholar]
- Eyal, I.; Sirer, E.G. Majority is not enough: Bitcoin mining is vulnerable. In Financial Cryptography and Data Security; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8437, pp. 436–454. [Google Scholar]
- Eyal, I.; Gencer, A.E.; Sirer, E.G.; Renesse, R.V. Bitcoin-NG: Ascalable blockchain protocol. In Proceedings of the 13th Usenix Conference on Networked Systems Design and Implementation, Santa Clara, CA, USA, 16–18 March 2016; pp. 45–59. [Google Scholar]
- Sompolinsky, Y.; Zohar, A. Secure high-rate transaction processing in bitcoin. In Proceedings of the International Conference on Financial Cryptography and Data Security, San Juan, Puerto Rico, 26–30 January 2015; pp. 507–527. [Google Scholar]
- Nayak, K.; Kumar, S.; Miller, A.; Shi, E. Stubborn Mining: Generalizing Selfish Mining and Combining with an Eclipse Attack. In Proceedings of the IEEE European Symposium on Security & Privacy, Saarbruecken, Germany, 21–24 March 2016; pp. 305–320. [Google Scholar]
- Kiayas, A.; Panagiotakos, G. Speed-Security Tradeoffs in Blockchain Protocols. IACR ePrint Archive Report. 2016. Available online: https://eprint.iacr.org/2015/1019 (accessed on 5 June 2023).
- Garay, J.; Kiayias, A.; Leonardos, N. The Bitcoin Backbone Protocol with Chains of Variable Difficulty. In Proceedings of the International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 2017; Springer: Cham, Switzerland, 2017; pp. 291–323. [Google Scholar]
- Natoli, C.; Granmoli, V. The balance attack against proof-of-work blockchains: The R3 testbed as an example. In Computing Research Repository. arXiv
**2016**, arXiv:1612.09426. [Google Scholar]

**Figure 3.**No new fork is generated in the current round, but the fork depth is increased, set BoolTurn = 0.

**Figure 4.**No fork is generated in the current round, but the fork depth is increased, set BoolTurn = 0.

**Figure 5.**Relationship between probability of delay and success probability of attack (red: $\u2206=90$, blue: $\u2206=110$, green: $\u2206=130$). (

**a**) T = 4, (

**b**) T = 5, (

**c**) T = 4, (

**d**) T = 5.

**Figure 6.**The relationship between success probability of attack and probability of delay under Tree

_{MC}and T

_{OD}models.

**Figure 7.**Relationship between block delayability probability and adversary success rate at different fork depth.

**Figure 8.**The relationship between proportion of corrupted miners and the success rate of attacks. (

**a**) $\Delta $ = 90, T = 3, (

**b**) $\Delta $ = 90, T = 5.

**Figure 9.**The relationship between proportion of corrupted miners and the success rate of attacks. $\Delta $ = 80, T = 6.

**Figure 10.**Relationship between probability of delayable block and attack success rate at different depths, $\mu $ = 0.35, $\Delta $ = 15.

Long Delay Attack | Balance Attack | Improved Long Delay Attack | |
---|---|---|---|

Whether the adversary controls computing power | No | YES | YES |

Purpose of attack | Extend fork | Change the target chain to the main chain | Extend and produce fork |

Method of attack | The adversary delays the new blocks and broadcasts them to different miners in different order after collecting a certain number of chains | Isolating miners’ communication and implementing efficient mining on the target chain, turning the target chain into the master chain | The adversary delays the new blocks, and the corrupted miners mine the delayable blocks and immediately delay them, then broadcasts them separately to different honest miners. |

Corrupted miner | — | Work on one chain to increase the target chain mining efficiency | According to the mining results of each round, corrupted miners can mine dynamically in the two sets |

$\mathit{\alpha}$ | $\Delta $ | T | f | n | ${\mathit{P}}_{\mathit{s}\mathit{u}\mathit{c}}$ |
---|---|---|---|---|---|

0.70 | 60 | 5 | 1/60 | 100,000 | 0.0002942 |

0.70 | 60 | 3 | 1/60 | 100,000 | 0.0011407 |

0.75 | 80 | 5 | 1/60 | 100,000 | 0.0015351 |

0.75 | 80 | 3 | 1/60 | 100,000 | 0.0045197 |

0.80 | 100 | 5 | 1/60 | 100,000 | 0.0056138 |

0.80 | 100 | 3 | 1/60 | 100,000 | 0.0133162 |

0.85 | 120 | 5 | 1/60 | 100,000 | 0.0165696 |

0.85 | 120 | 3 | 1/60 | 100,000 | 0.0328166 |

0.85 | 140 | 5 | 1/60 | 100,000 | 0.0403558 |

0.85 | 140 | 3 | 1/60 | 100,000 | 0.0766876 |

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Feng, T.; Liu, Y.
Research on PoW Protocol Security under Optimized Long Delay Attack. *Cryptography* **2023**, *7*, 32.
https://doi.org/10.3390/cryptography7020032

**AMA Style**

Feng T, Liu Y.
Research on PoW Protocol Security under Optimized Long Delay Attack. *Cryptography*. 2023; 7(2):32.
https://doi.org/10.3390/cryptography7020032

**Chicago/Turabian Style**

Feng, Tao, and Yufeng Liu.
2023. "Research on PoW Protocol Security under Optimized Long Delay Attack" *Cryptography* 7, no. 2: 32.
https://doi.org/10.3390/cryptography7020032