Incentive Compatibility of Pay Per Last N Shares in Bitcoin Mining Pools

Abstract

Pay per last N shares (PPLNS) is a popular pool mining reward mechanism on a number of cryptocurrencies, including Bitcoin. In PPLNS pools, miners may stand to benefit by delaying reports of found shares. This attack may entail unfair or inefficient outcomes. We propose a simple but general game theoretical model of delays in PPLNS. We derive conditions for incentive compatible rewards, showing that the power of the most powerful miner determines whether incentives are compatible or not. An efficient algorithm to find Nash equilibria is put forward, and used to show how fairness and efficiency deteriorate with inside-pool inequality. In pools where all players have comparable computational power incentives to deviate from protocol are minor, but gains may be considerable in pools where miner’s resources are unequal. We explore how our findings can be applied to ameliorate delay attacks by fitting real-world parameters to our model.

A     Appendix

1.1 A.1     Remarks

In the proofs, several aspects related to the concept of incentive compatibility are discussed. For that purpose, it is important to show that:

(1) for the current proofs, we will distinguish only two cases (instead of 3 in Eq. 3) \( 0<x \le N \) and \( x=0 \). That can be explained by the fact that pool mining is either entirely honest or not (incentive compatibility questions only that aspect). The state of incentive compatibility when nobody delays can be derived from Eq. 3, \( x_{i}=0, \forall i \):

$$ \frac{\hat{N}}{N \hat{D}}\,=\,\frac{ \tau _{i}}{N} \left( 1\,+\,\frac{N-x_{i}}{\hat{D}} \right) \,+\,C_{i},~C_{i} \ge 0 . $$

That is equivalent to

$$ \hat{N} \ge \tau _{i} \left( \hat{D}\,+\,N-x_{i} \right) ,$$

or, this is equivalent to the requirement

$$\begin{aligned} \hat{N}\,=\,\tau _{i} \left( \hat{D}\,+\,N-x_{i} \right) , ~ x_{i} \le 0,~ \forall i . \end{aligned}$$

(5)

The latter notation will be used as it allows to analyse conditions for incentive compatibility using the roots of a system of linear equations.

(2) One should distinguish between two different situations: a miner i may have incentives to delay a positive number of shares even if \( i\notin \mathcal {M} \); or, a miner i is included in \( \mathcal {M} \) and definitely has an incentive to delay. It is assumed that miners in \(\mathcal {M} \) do not have information about other delaying miners from outside \(\mathcal { M}\). As a result of inclusion (or not inclusion) in the group of delaying miners \( \mathcal {M} \), the incentive may be different. That is easy to see on the following example: the amounts of the shares delayed by miners in \(\mathcal {M}\) depend on their information about \(\mathcal {M}\), but, for i-th miner who is not in \(\mathcal {M}\) the amount of delayed shares depends on the information about himself (\(\tau _{i}\)) and the information about the number of shares that are delayed by miners in \(\mathcal {M}\). However, in case i is the only miner in \(\mathcal {M}\), e.g. \(\mathcal {M}=\{ i \} \) the incentive of the miner i is the same as if \(\mathcal {M}= \varnothing \).

According to the definition, incentive compatibility is an equilibrium when \(\mathcal {M}=\varnothing \) and nobody has an incentive to delay. Nonetheless, it is not clear if a pool with incentive compatible conditions can be in a state of another equilibrium when \(\mathcal {M} \ne \varnothing \), \( \vert M \vert >1 \). Information about \(\mathcal {M}\) may be incomplete, and, answer to the question about other (delaying) equilibrium may require certain assumption about \(\mathcal {M}\). In order to resolve that obstacle, we will produce some intermediate results in Lemmas 1 and 2.

1.2 A.2     Lemmas

Lemma 1

If there is an equilibrium and a set \(\mathcal {M}\) of delaying miners \(\tau _{i}\), \( i \in \mathcal {M} \), delaying positive number of shares, then miner with power \( \tau _{k} \) is also delaying if \( \exists k \notin \mathcal {M},~ \tau _{k} \ge \tau _{i} \).

Proof

Let’s assume that \(l=\mathrm {arg ~ \underset{\mathcal {M}}{min}} \tau _{i} \). Considering ONLY delaying by miners in the system described by set \( \mathcal {M} \), we rewrite (5) and express \( x_{l} \) as

$$\begin{aligned} x_{l}\,=\,\frac{ \sum _{j \in \mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{l}}\,+\,D+N- \sum _{j \in \mathcal {M}} ^ {}x_{j}\,+\,\sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}. \end{aligned}$$

(6)

Now, we investigate incentive of a miner with \( \tau _{k} \), \( k\notin \mathcal {M} \), who has information about delaying miners from \( \mathcal {M} \). As previously, we use (5), however, in that case additional components with index k is included:

$$ x_{k} \tau _{k}\,=\,\sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}\,+\,x_{k} \tau _{k}-N\,+\,\tau _{k} \left( D\,+\,N- \sum _{j \,\in \,\mathcal {M}} ^ {}x_{j}\,+\,\sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-x_{k}\,+\,x_{k} \tau _{k} \right) , $$

$$\begin{aligned} x_{k} \left( 1- \tau _{k} \right) \,=\,\frac{ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{k}}\,+\,D\,+\,N- \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j}\,+\,\sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j} . \end{aligned}$$

(7)

Right hand sides of (6) and (7) are identical except of the difference in denominators of terms \( \frac{ \sum _{j \in \mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{l}} \) and \( \frac{ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{k}} \), respectively. Nominator \( \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N \) is definitely negative. In the opposite case it would mean that at least one miner \( g \in \mathcal {M} \), has incentive to delay \( x_{g}>N \) shares. One can conclude this from the fact that \( \sum _{j \in \mathcal {M}} ^ {} \tau _{j} < p^{*} \le 1 \). Delaying \( x_{g}>N \) is clearly irrational because PPLNS reward scheme considers only the last N submitted shares.

Therefore, \( \frac{ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{k}} \ge \frac{ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{l}} \) as long as \( \tau _{k} \ge \tau _{l} \). Finally, we arrive to \( x_{k} \left( 1- \tau _{k} \right) \ge x_{l} \), and because \( x_{l}, \left( 1- \tau _{k} \right) \) are non-negative, \( x_{k} \) is non-negative.    \(\square \)

Lemma 2:

Conditions that support incentive compatibility are inconsistent with any other kind of deviation represented by \(\mathcal {F}\).

Proof

We organize our proof in the following order. First, some \(\mathcal {M}\), \( \vert \mathcal {M} \vert =l \), is considered. That can be expanded by adding index \( l+1 \) which represents a miner who can delay profitably. As a result, \( \mathcal {M} \rightarrow \mathcal {M}^{'} \), \( \vert \mathcal {M} ^ {'} \vert =l\,+\,1 \). Two cases of delay attack will be accounted for a miner with \( \tau _{l\,+\,1} \): attack with \( \mathcal {M} \), attack with \( \mathcal {M}^{'} \). Expressions for the number of delayed shares (\( x_{l+1}^{\mathcal {M}} \) and \( x_{l\,+\,1}^{\mathcal {M}^{'}} \), respectively) will be elaborated for the both cases. It will be demonstrated that if \( x_{l\,+\,1}^{\mathcal {M}} \) is positive, then \( x_{l\,+\,1}^{\mathcal {M}^{'}} \) is positive too, and, vice versa.

Second, we are going show that by reducing \( \mathcal {M} \) we will arrive to \( \mathcal {M}^{1} \), \( \vert \mathcal {M}^{1} \vert =1 \), containing only the most powerful miner of that pool with power \( \tau _{1} \). That would mean that a single deviation from incentive compatibility is profitable, which contradicts with the requirement for equilibrium. This conflicts with our assumption about incentive compatibility.

(1) Recalling (5) and (6) we can write

$$ x_{j} \tau _{j}\,=\,\sum _{j\,\in \,\mathcal {M}}^{}x_{j} \tau _{j}-N\,+\,\tau _{j} \left( D\,+\,N- \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j}\,+\,\sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j} \right) , $$

$$ x_{j}\,=\,\frac{ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N}{ \tau _{j}}\,+\,D\,+\,N- \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j}+ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j} .$$

There are l possible variants for the first and the second equation, respectively, where \( j=1,2, \dots , l \). Summing up all the l variations for each of the equations, one will obtain:

$$ \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}\,=\,l \left( \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j}-N \right) \,+\,\left( D+N- \sum _{j\,\in \,\mathcal {M}} ^ {}x_{j}\,+\,\sum _{j\,\in \,\mathcal {M}} ^ {}x_{j} \tau _{j} \right) \sum _{j\,\in \,\mathcal {M}}^{} \tau _{j},$$

$$ \sum _{j\,\in \,\mathcal {M}}^{}x_{j}= \left( \sum _{j\,\in \,\mathcal {M}}^{}x_{j} \tau _{j}-N \right) \sum _{j\,\in \,\mathcal {M}}^{}\frac{1}{ \tau _{j}}+l \left( D+N- \sum _{j\,\in \,\mathcal {M}}^{}x_{j}+ \sum _{j\,\in \,\mathcal {M}}^{}x_{j} \tau _{j} \right) ,$$

respectively. For simplicity, we use the following substitutions: \( X= \sum _{j\,\in \,\mathcal {M}}^{}x_{j} \tau _{j} \), \( Y= \sum _{j\,\in \,\mathcal {M}}^{}x_{j} \), \( \dot{p}= \sum _{j\,\in \,\mathcal {M}}^{} \tau _{j} \), \( S= \sum _{j\,\in \, \mathcal {M}}^{}\frac{1}{ \tau _{j}} \). Solving system

$${\left\{ \begin{array}{ll}X=l \left( X-N \right) +\dot{p} \left( D+N+X-Y \right) \\ Y=S \left( X-N \right) +l \left( D+N+X-Y \right) \\ \end{array}\right. },$$

in respect to X and Y we will arrive to the answers \( X=N+\frac{N \left( l+1-2\dot{p} \right) -D\dot{p}}{l^{2}-1-\dot{p} \left( S-1 \right) } \), \( Y=2N+D+\frac{N \left( 2-l+S-2\dot{p} \right) +D \left( 1-l-\dot{p} \right) }{l^{2}-1-\dot{p} \left( S-1 \right) } \). The obtained results are for the system of configuration \(\mathcal {M} \) and dimensionality l. In order to re-calculate X, Y for configuration \( \mathcal {M}^{'} \) (dimensionality \( l+1 \)) one would need to replace l with \( l+1 \), \( \dot{p} \) with \( \dot{p}+ \tau _{l+1} \), S with \( S+\frac{1}{ \tau _{l+1}} \). For configuration \( \mathcal {M} \) we express variable \( x_{l+1}^{\mathcal {M}} \) (which is not yet included in the system) in terms of \( X^{\mathcal {M}},Y^{\mathcal {M}} \) using (7):

$$\begin{aligned} \begin{aligned} x_{l+1}^{\mathcal {M}} \left( 1- \tau _{l+1} \right)&=\frac{X^{\mathcal {M}}-N}{ \tau _{l+1}}+D+N+X^{\mathcal {M}}-Y^{\mathcal {M}}\\&=\frac{1}{ \tau _{l+1}}\frac{N \left( l+1-2\dot{p}+ \tau _{l+1} \left( 2l-S-1 \right) \right) -D \left( \dot{p}+ \tau _{l+1} \left( 1-l \right) \right) }{l^{2}-1-\dot{p} \left( S-1 \right) } . \end{aligned} \end{aligned}$$

(8)

For configuration \( \mathcal {M}^{'} \) we express \( x_{l+1}^{\mathcal {M}^{'}} \) as an in terms of \( X^{\mathcal {M}^{'}}, Y^{\mathcal {M}^{'}} \) using (6):

$$\begin{aligned} \begin{aligned} x_{l+1}^{\mathcal {M}^{'}}&=\frac{X^{\mathcal {M}^{'}}-N}{ \tau _{l+1}}+D+N+X^{\mathcal {M}^{'}}-Y^{\mathcal {M}^{'}}\\&=\frac{1}{ \tau _{l+1}}\frac{N \left( l+1-2\dot{p}+ \tau _{l+1} \left( 2l-S-1 \right) \right) -D \left( \dot{p}+ \tau _{l+1} \left( 1-l \right) \right) }{ \left( l+1 \right) ^{2}-1- \left( \dot{p}+ \tau _{l+1} \right) \left( S+\frac{1}{ \tau _{l+1}}-1 \right) }. \end{aligned} \end{aligned}$$

(9)

Now, we are going to compare right-hand sides of Eq. (8) and (9). In the both cases nominators \( N \left( l+1-2\dot{p}+ \tau _{l+1} \left( 2l-S-1 \right) \right) -D \left( \dot{p}+ \tau _{l+1} \left( 1-l \right) \right) \) are identical. Our task is to prove that denominators in (8) and (9) \( l^{2}-1-\dot{p} \left( S-1 \right) \) and \( \left( l+1 \right) ^{2}-1- \left( \dot{p}+ \tau _{l+1} \right) \left( S+\frac{1}{ \tau _{l+1}}-1 \right) \), respectively, are of the same sign.

We show that expression \( l^{2}-1-\dot{p} \left( S-1 \right) =l^{2}-\dot{p}S- \left( 1-\dot{p} \right) \) is negative. Clearly, \( - \left( 1-p \right) \) is negative. Further, it will be proven that \( l^{2}-\dot{p}S \le 0 \). That expression can be represented as \( l^{2}- \sum _{j=1}^{l} \tau _{j} \times \sum _{j=1}^{l}\frac{1}{ \tau _{j}} \). Component \( \sum _{i=1}^{l} \sum _{j=1}^{l}\frac{ \tau _{i}}{ \tau _{j}} \) has \( l^{2} \) terms. Exactly l out of \( l^{2} \) terms are \( \frac{ \tau _{j}}{ \tau _{j}}=1 \). Among the rest \( l^{2}-l \) (this number is obviously even for any natural l) terms, there are \( \frac{l^{2}-l}{2} \) pairs \( \left( \frac{ \tau _{i}}{ \tau _{j}}, \frac{ \tau _{j}}{ \tau _{i}} \right) \), \( i \ne j \). We conclude that \( \frac{ \tau _{i}}{ \tau _{j}}\,+\,\frac{ \tau _{j}}{ \tau _{i}}=\frac{ \tau _{i} ^ {2}+ \tau _{j} ^ {2}}{ \tau _{i} \tau _{j}} \ge 2 \) because \( \left( \tau _{i}- \tau _{j} \right) ^{2} \ge 0 \).

Denominator \( \left( l+1 \right) ^{2}-1- \left( \dot{p}+ \tau _{l\,+\,1} \right) \left( S+\frac{1}{ \tau _{l+1}}-1 \right) \) from (9) is obtained from \( l^{2}-1-\dot{p} \left( S-1 \right) \) by substituting l with \( l+1 \), \( \dot{p} \) with \( \dot{p}+ \tau _{l+1} \), S with \( S+\frac{1}{ \tau _{l+1}} \). Therefore, its sign is identical to \( l^{2}-1-\dot{p} \left( S-1 \right) \) from (8) because in the proof we generalized values for \( l, \dot{p}, S \). Hence, the both of \( x_{l+1}^{\mathcal {M}} \) and \( x_{l+1}^{\mathcal {M}^{'}} \) are the numbers of the same sign.

(2) Further, the following technique will be used. Posit that the same conditions that provide incentive compatibility may be exploited by a set of miners \( \mathcal {M} \), \( \vert \mathcal {M} \vert =l \), to delay profitably. Also, let us assume another case of a set \( \mathcal {M}^{l-1} \), \( \vert \mathcal {M}^{l-1} \vert =l-1 \), and a miner with power \( \tau _{l} \) who has information about \( \mathcal {M}^{l-1} \). In those two cases, miner with power \( \tau _{l} \) delays profitably according to the proof provided above. For the latter case, the configuration for delaying equilibrium can be represented as \( \{ \mathcal {M}^{l-1},~l \} \). According to the results from Lemma 1, miner \( \left( l-1 \right) \,\in \,\mathcal {M}^{l-1} \) also delays profitably. Therefore, we may consider another possible configuration \( \{ \mathcal {M}^{l-2},~l-1 \} \) for whom delaying is definitely profitable. Finally, we may arrive to the configuration \( \{ \mathcal {M}^{1},~2 \} \) where \( \mathcal {M}^{1} \) contains only 1-st miner with power \( \tau _{1} \), who can delay profitably. In such case he has an incentive to deviate from honest mining even though the information about actions of others is not taken into account. That clearly contradicts with the assumption that incentive compatibility is an equilibrium.    \(\square \)

Lemma 3:

For incentive compatible mining under PPLNS it is sufficient and necessary that \( \tau _{1} \le \frac{N}{N+D} \).

Proof

Condition \( \tau _{1} \le \frac{N}{N+D} \) can be derived from the requirement \( \hat{N} \ge \tau _{1} \left( \hat{D}+N-x_{1} \right) \), \( x_{1}=0 \), for special case when \( \mathcal {M}= \varnothing \) meaning that for the most powerful miner it is not profitable to delay. From the second part of Lemma 2 it is easy to see why such condition is necessary for incentive compatibility. In addition, it will be illustrated that it is sufficient. We consider \( \mathcal {M}^{1} \) which includes only the 1-st miner. According to Lemma 1, the number of delayed shares for the second powerful miner with power of \( \tau _{2} \) (who is not yet included in \( \mathcal {M}^{1} \)) is not positive either, \( x_{2}^{\mathcal {M}^{1}} \left( 1- \tau _{2} \right) \le x_{1}^{\mathcal {M}^{1}} \le 0 \). If we consider \( \mathcal {M}^{2} \) that includes the 1-st and 2- miners, according to Lemma 2, sign of \( x_{2} \) does not change. Hence, neither further expansion of \( \mathcal {M} \) nor considering delay from miners that are not included in \( \mathcal {M} \) can produce roots that are entirely positive. This means that no delaying configuration can be in a state of equilibrium.    \(\square \)