The Incentive System of the Nakamoto Consensus

Incentive system as a countermeasure

We’ve shown that there are different strategies to undermine the integrity of the blockchain, i.e., to perform a double-spending attack. In particular, an attack is possible with any rate of hash power an adversary obtains, whereas the likelihood of success increases the more computational power an attacker holds. Since the blockchain protocol requires a majority of the miners to be honest in order to safeguard the transaction history, there’s the need to ensure that a majority of computational power is invested in honest mining, which includes discouraging the miners from acting maliciously.

This is done by the underlying incentive structure that provides a reward to the miner if he solves the Proof-of-Work successfully. As the reward can only be gained if the newly mined block gets part of the authoritative chain, the miner is encouraged to broadcast his candidate block immediately to the network, not holding it back as in a Finney attack, because any retarding of broadcasting will increase the risk that another node extends the chain, which would imply a loss of the reward. These incentives also discourage the miners from creating an alternative chain, since the probability of success is very low if an adversary isn’t in possession of a large share of the hashing power. Therefore, the maximum probability to gain a reward is when the miner acts honestly and follows the protocol.

As a result, a very important part of the Nakamoto consensus is its underlying incentive system, whereby nodes that successfully solve the PoW get a reward as compensation for their invested resources. From this point of view, the security of any permissionless blockchains, especially of digital currencies, depends on a combination of distributed algorithms, cryptography, and an incentive system.

Selfish mining

This attack on the incentive system was proposed by Eyal and Sirer (2013)Ittay Eyal and Emin Gun Sirer. The majority is not enough: Bitcoin mining is vulnerable. In: Christin N., Safavi-Naini R. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol 8437. Springer, Berlin, Heidelberg 2013.. They propose an economic attack they call selfish mining, a strategy for a minority pool (i.e., a pool that holds less than $50 \%$ of the computational power) to gain an unfair advantage over honest miners. The idea is to keep newly mined blocks private, working on their own, secret chain, and publish these blocks strategically in order that the honest parties waste some resources. Although the selfish mining pool is also wasting resources, the honest nodes waste proportionally more, thus honest miners are encouraged to join the pool, whereas the pool quickly grows to become the majority of computational power, which allows a $51 \%$ attack as a consequence.

Eyal and Sirer (2013)Ittay Eyal and Emin Gun Sirer. The majority is not enough: Bitcoin mining is vulnerable. In: Christin N., Safavi-Naini R. (eds) Financial Cryptography and Data Security. FC 2014. Lecture Notes in Computer Science, vol 8437. Springer, Berlin, Heidelberg 2013. conclude that “at least $2 / 3$ of the network needs to be honest to thwart selfish mining,” since mining protocols such that of Bitcoin “will never be safe against attacks by a selfish mining pool that commands more than $1 / 3$ of the total mining power of the network”. This threshold is lower than Nakamoto’s estimation of $50 \%$ but considers an attack against the incentive system rather than an attack on the computational voting power.

Security of the Nakamoto consensus Protocol

Originally, it was assumed that the Nakamoto consensus requires the honest nodes to control the majority, i.e., more than $50 \%$ of computational power in order to guarantee the security of a PoW-based blockchain network, as shown in this section. However, Eyal and Sirer (2013) have shown that selfish mining can decrease this bound to $33 \%$ (see this section).