summary of selfish mining
selfish mining as a transparency problem: you get to build on a blockchain head you haven’t published.
same as transparency problem in Apple FBI case for example; that’s what CoSi is for.
solution: any keyblock you build on is collectively signed, and the next block’s hash covers the last block’s signature.
if you withhold a block, you can’t get a collective signature on it; without that collective signature, you can’t secretly mine a next block on top of it.
Finally, we consider the now much more well-understood problem of selfish mining. A selfish miner strategically withholds some of its successfully mined blocks in attempt to gain a higher share of mining rewards, by causing other miners to waste effort mining redundant blocks. For example, if Greedy Greg successfully mines a new block, he might deliberately delay announcing it. If Innocent Ivan announces a competing block, Greg quickly races to announce and widely distribute his, which may reliably overtake Ivan’s if Greg is fast and well-connected. Alternatively, if Greg manages to mine a second block in private before a competing first block appears, then Greg is in the enviable position of being able to “trump” and eliminate that competing block once it does appear, simply by revealing his longer private blockchain.
While ByzCoin’s keyblock mining mechanism alone is still vulnerable to selfish mining, its microblock commitment process using Byzantine consensus provides a clean, simple defense against selfish mining. Any transaction microblock the consensus group commits contains a cryptographic hash of the latest known keyblock at the time, and any newly-mined keyblock must similarly contain a cryptographic hash of a recently-committed microblock (e.g., within a few microblocks from the head). Whenever the consensus group commits a new microblock, all honest members verify that the keyblock pointer in the new microblock is consistent with those in all prior microblocks, ensuring that any new keyblock is “locked in” irreversably once the new keyblock is known. This leaves only seconds, rather than minutes, in which a selfish miner could try to announce and distribute a competing keyblock. Further, because each keyblock must reference a recent microblock, any newly-mined keyblock becomes invalid and useless if its owner fails to announce it within a few microblock commitment cycles — again, on the order of seconds rather than minutes.
In essence, ByzCoin’s microblock commit mechanism enforces transparency on the keyblock mining process, ensuring that a selfish ByzCoin miner would likely be faced with a vanishingly small probability of profiting from any keyblock-withholding strategy.
This post of course represents only an informal, and no doubt incomplete, analysis of the differences in incentives between Bitcoin and ByzCoin, focusing primarily on mining incentives. It is quite possible that a full, rigorous incentive analysis of ByzCoin may reveal new incentive-compatibility issues that its architecture introduces. Further, ByzCoin is still an experimental protocol under rapid development and evoluation.
Given these caveats, however, ByzCoin’s architecture at least appears to be much more resilient to the known strategic mining attacks against Bitcoin, whether through block withholding or deliberate forking. In particular, by replacing Bitcoin’s instant-gratification, winner-take-all reward model with a delayed-gratification, investment-dividend model, ByzCoin ensures that the distribution of mining profits are fixed long before any strategic miner might know about or be able to respond to the appearance of a goose egg or other transaction fee variance. By ensuring that keyblocks and microblocks track each other cryptographically, ByzCoin forces miners either to announce new keyblocks quickly or else lose them, making selfish mining unprofitable.
In short, it does not appear necessary for new cryptocurrencies to “make the block reward permanent and accept monetary inflation as inevitable” as Narayanan suggests. Whether inflationary or deflationary monetary policies are preferable is an important and highly debatable question, but it need not be constrained by technical weaknesses of Bitcoin. With more sophisticated blockchain architectures such as ByzCoin, there is plenty of hope that mining incentives can work independent of monetary policy.