It doesn't have to be arbitrary. You know when a block was "lucky" and you found it ahead of average by a given percentile. You leverage those blocks.

1. They don't have to wait until another miner finds a block, they can just wait "for some time" and then release their block. All that time gives them the edge for the next block.

2. My understanding is that if two different blocks are found concurrently for the same head, then the network waits for the next block to select which "new head" is accepted. I.e. when there are competing chains, the longer chain wins. So I could imagine that a strategy could be to wait until some other miner announces their block and release yours precisely at that time, hence creating two competing chains. But you presumably have an edge because you have already been mining for a while on top of your block.

It's a race. Starting earlier obviously gives an advantage?!

It would be like saying you've an edge if you start earlier at the roulette.

In a lottery, the more tickets you buy, the higher your chances to have the winning number.

If we played with a roulette and said "the goal is to be the first to have a winning number at the roulette" and I could try 50 times before you started, obviously I would be more likely to win our game, wouldn't I?

Yes, and it's exactly the same in bitcoin with the hashing power. Each hash is a ticket.

> If we played with a roulette and said "the goal is to be the first to have a winning number at the roulette" and I can try 50 times before you start, obviously I am more likely to win our game, am I not?

In bitcoin the goal is not to be the first. The goal is to find a winning hash that's on a chain that will not be abandoned. As soon as a new block is propagated you start mining on the new head. It doesn't change anything that you previously worked on another chain. The time spent on the previous chain is not wasted, unless finding a block wouldn't have got you the reward.

There is a kind of a race if 2 blocks are found simultaneously. But that's not really what this discussion is about, and in this case the outcome depends mostly on network connectivity.

> The key idea behind this strategy, called Selfish Mining, is for a pool to keep its discovered blocks private, thereby intentionally forking the chain. The honest nodes continue to mine on the public chain, while the pool mines on its own private branch. If the pool discovers more blocks, it develops a longer lead on the public chain, and continues to keep these new blocks private. When the public branch approaches the pool's private branch in length, the selfish miners reveal blocks from their private chain to the public.

> In bitcoin the goal is not to be the first. The goal is to find a winning hash that's on a chain that will not be abandoned.

The goal is to be the first (or very close to the first), because it makes it much more likely that your chain will not be abandoned. If you wait 2 days before you reveal your block, obviously it will be abandoned...

It VERY MUCH is.

Of course if you take another scenario that doesn't make sense, then it doesn't make sense :-).

> They don't know in advance that they will be that lucky.

Whenever you find a block, you know you are one of the first to find it. It's obvious because nobody else has published a block. So you know you are lucky right now. You can decide to wait 1, 2, 5, X seconds before you reveal your block and start mining the new block in the meantime.

Maybe you just mine for 5 seconds before revealing the block, and that's the winning strategy. Maybe you wait until someone else publishes their block and you immediately reveal yours, ending up with two competing chains but knowing that you had a headstart with yours.

The detail of whether or not this is profitable, and how exactly you should do it (Wait X seconds? Wait until someone publishes a block?) is statistics and game theory ("What if the others are also withholding their blocks now? What is their strategy?"). The whole question is whether or not there is a practical, profitable strategy doing that.

Yes, but everyone else is still buying tickets for yesterday's jackpot, while you're busy accumulating them for tomorrow's.

On the other hand, if someone finds a block while you're keeping yours secret, it's very likely you'll lose the reward of your block.

So, you get a chance to discard the block of another miner, but you have to put your own block at risk of being discarded. Maybe there's a gain here, but it's not clear.

So you can get a head start on the next block from the likely new head block you've found.

It only works on average of course, you might be the one wasting resources if someone else published a block while you're withholding yours, but the trick is for you to gain an edge on average.

Now what happens if everyone is doing that calculation? That's where you need to do the game theory analysis (which I haven't and don't claim to understand).

Finding a block relatively early doesn't affect the odds of others finding a block soon. The odds are always the same, each hash is an independent event.

I don't see why withholding would get you an edge on average. If the others find a block while you're withholding, you lose your reward. If you find another block before them, you get the rewards of 2 blocks, exactly like if the same happened but you didn't withhold.

The only way for you to have an advantage is if you find a 2nd block at the same time as another one finds one on the other chain. You can then publish a height of 2 vs a height of 1, so you win. But to do that you have to first put your first block reward at high risk by withholding it. I don't think the odds are in your favor here.

Edit: I think the strategy does work, but a little differently: if you withhold a block and someone else finds one while you do so, you can still publish yours and win a race with a certain probability, i.e. the expected loss is not as high as one might think.

Then, if you do that and if you have enough hash power, you can end up mining a private chain ahead of the public one often enough, so that the loss you take is less than the loss others take through the hash power they are wasting because of you doing this.

A finds a block after 1 minute, then powers off and waits for another minute. They reveal the block after 2 minutes.

B searches for the block for 2 minutes.

After 2 minutes, A has used 1 minute of their compute, and B has used 2.

The benefit there is that if another miner released a block before that 3 minutes this miner still can release their first block and has already spent 2 minutes working on a block that could better validate their first block now that there are competing chains.

If B finds a block between minute 1 and 2, they start working on their competing chain, but A is already working on theirs. And A had a headstart because it started working on it somewhere between minute 1. So it's more likely that A's fork wins the race in the end.

I'd even say that B is slightly more likely to keep their reward because they started propagating their block earlier, so it's more likely other miners are mining on this block.

If A finds a second block between minute 1 and 2, then they win, but it would be the same if the didn't withhold their block.

When A is mining on their hidden block, they mine for a potential height of 2 that would win against a miner only able to push a height of 1. But by doing that they put the block they found at risk of being abandoned because another miner found a block in the meantime.

So if you find a block, you get almost 100% chance it'll stay if you publish it immediately. If you withhold it and find another one you get 100% chance of keeping your 2 blocks. If you don't find that 2nd one, you get <50% chance of your block to be the main chain (depending on time of reaction of another block being published, and connectivity). On the other hand, if you don't withhold it and find 2 blocks in a row, you also get almost 100% chance of keeping your 2 blocks. I fail to see how withholding is profitable.

Because you keep ignoring the part where it is profitable :-).

> If A finds a second block between minute 1 and 2, then they win, but it would be the same if the didn't withhold their block.

Except that by withholding their block, they got a headstart so they are more likely to find the second block. So it's not the same.

And you keep ignoring the fact that they don't necessarily have to wait until someone else finds a competing block. Maybe a winning strategy is to always withhold the block for 5 seconds. If you slightly increase your likelihood to find the winning block, you increase your profit, and that's the whole point.

With the interesting consequence (and that's the game theory part) where if everybody starts withholding their block for 5 seconds, then it changes the winning strategy.

Withholding their block (5s or whatever) doesn't make them more likely to find the second block. The probability of finding a block is always the same, given a hashrate.

They are the only ones mining on this particular chain, but that's not an advantage either. How mining on a hidden chain is an advantage?

On the other hand, withholding certainly makes them more likely to lose the reward of the block.

It's easier to see the argument if you have a head start. Imagine you've somehow created a private chain that's 10 blocks ahead of the public chain. You could publish that now and earn 10 blocks of reward, or you could continue mining until the lead diminishes to 0 blocks, earning the same 10 blocks of reward plus however many blocks you've mined in the meantime.

If you have 50%+ε of the hash rate on the network, this argument would have you bully other miners out by almost always stranding their blocks, since in expectation you'll mine blocks faster than your competitors.

The insight is that this same situation can happen probabilistically with a finite but non-majority fraction of the hash rate on the network. With 49% of the hash rate you'll still be able to build a private chain some fraction of the time, so waiting a little bit to see if this occurs might have positive expected value.

So, you have to risk a lot of rewards, and for what potential gain? If you win you get to discard some blocks of others. You don't get more rewards, you just make others earn less (and you push the difficulty down a bit).

I can see how you get a chance to double spend, though. If you want to double spend a transaction with N confirmations, you've to be N+1 blocks ahead in your hidden chain, publish your first transaction, wait for N confirmations on the public chain, and you publish your chain that's still 1 block ahead (and includes your double spend transaction).

Indeed, it's not "51% expensive", but it's still very expensive because of the rewards lost during the failed attempts before you get ahead enough. Actually, it might even be more expensive, because with 51% you're guaranteed to get ahead enough at some point, so you don't really risk your rewards (if you can maintain 51%).

You KNOW you are ahead, because you found a block and nobody else has published a block.

I think you are missing something very basic here: the longer you compute, the higher the likelihood that you will find the hash before the others.

The extreme case being that if you can try ALL the possibilities before the others can start, then you are guarantee to find the solution before them.

Your advantage is having exhausted a fraction of the search space. But that fraction is tiny.

You're trying to find a hash with a value below a certain threshold (simplified said, a hash starting with a certain amount of zeroes). You do this by trying random inputs to the hash function. Every input has the same probability of getting an output that is low enough in value. You are not advancing by having tried other inputs. It's practically equivalent to rolling multiple dices until enough of them show a one. Every roll has the same probability of succeeding regardless of the rolls before.

That's the whole question: is it relevant or not? Even if it makes mining slightly more profitable, that's a win. No need to remind you that those who mine do it exclusively for profit.

Not necessarily. The whole idea is that it maybe more profitable to withhold a block for some time. "More profitable" means that you make more money at the end. Not that you make billions in a second.

In hopefully simpler words; You want to find a hash with all zeroes. So you start trying inputs from your search space and hash them to see if they match that criterion. Every single input you try has the same probability of matching. After trying a lot of inputs you have exhausted a part of the search space. You have already tried many incorrect inputs. At some point if you keep only trying incorrect inputs you should have exhausted the whole search space and the last remaining possible input has to be the correct one resulting in an all zeroes hash. So the probability of the next hash being the correct one should go up during your search as you learn information about the remaining candidates in the search space. If this information is in any way significant in practice with any feasible amount of computing power, the cryptographic hash function is insecure. Of course with Bitcoin you aren't searching for a full hash inversion with all zeroes but only for a partial one starting with some zeroes, but that does not change the fundamentals. It should be infeasible to learn any significant information about the output of untried inputs by trying other inputs.

If SHA256 was to be broken in that way, we'd be in big trouble and Bitcoin would be the least of our worries.

And you would sill have 10% chance of mining another block if you don't withhold.

What advantage does withholding give you?

One last time. By withholding, you have a headstart on the next block. If you can mine for longer, you increase your chances.

The hidden chain can easily be discarded if the miner of the hidden chain doesn't find a 2nd block and if the miners on the public chain find a block and propagate it before the hidden chain is published. In that case, the public chain and hidden chains will be 2 competing heads, and other miners will decide which one wins. They will generally take the first block they saw, so most likely not the (previously) hidden chain. In that situation, mining on the hidden chain was a waste, not a head start. We could even say that the miners on the public chain had a head start. That's why I say there's no such thing as a head start.

But I'll stop discussing that with you. It's pointless and you're way too condescending.

That's just an intuition. You keep saying "having a headstart doesn't help, because those are independent probabilities". Which is wrong: having a headstart does help. How much does it help, and is it worth it? That's the whole question. And it would require more work to answer it.