The key idea behind this strategy, called Selfish Mining, is for a pool to keep its discovered blocks private, thereby intentionally forking the chain. The honest nodes continue to mine on the public chain, while the pool mines on its own private branch. If the pool discovers more blocks, it develops a longer lead on the public chain, and continues to keep these new blocks private. When the public branch approaches the pool's private branch in length, the selfish miners reveal blocks from their private chain to the public.
I don't see how this will work in practice. If you keep discovered blocks private, how are you taking part in bitcoin as a whole? You're just sitting on private info about transactions that may as well be made-up.
I haven't read the paper yet, but from this snippet you've provided it sounds like the idea is to keep your blockchain private until some point in the future. At that point, every node that views your forked blockchain will accept it as the true blockchain because it is the longest.
The private chain will probabilistically become shorter than the public chain over time, unless more than 50% of mining power is devoted to the private chain.
That's why miners are normally incentivized to release a block as soon as they find it. If they don't, and a different block is found and then a block is found that builds off that one, the "secret" block will probably never be part of the longest blockchain. And the longest blockchain is "the blockchain."
Sorry this comment can't be more helpful, I haven't read the paper yet.
Your thinking is sensible; the additional assumption they're adding is that their attacker can Sybil attack the network and get between the miners, so that when the honest miners find a block, that triggers the release of their delayed block.
By doing this, assuming they can, they don't suffer from orphaning due to their delays.
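To put numbers on the two comments above, here is an added Monte Carlo simulation of the selfish-mining state machine (my own code, not from the paper or from anyone in this thread): alpha is the pool's share of hash power and gamma is the fraction of honest miners that end up extending the pool's block in a one-block race, which is exactly what the "get between the miners" assumption controls. Function names are mine; the closed-form expression is the revenue formula from the paper.

```python
import random

def expected_revenue(alpha, gamma):
    """Closed-form selfish-pool revenue share from the Eyal & Sirer paper."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den

def simulate_selfish_mining(alpha, gamma, rounds=200_000, seed=1):
    """Monte Carlo run of the selfish-mining state machine.

    alpha: fraction of hash power in the selfish pool
    gamma: fraction of honest power that mines on the pool's block in a 1-vs-1 race
    Returns the pool's share of the blocks that end up on the main chain.
    """
    rng = random.Random(seed)
    lead = 0        # private branch length beyond the public chain
    tie = False     # public and private branches both one block long
    pool = honest = 0
    for _ in range(rounds):
        pool_found = rng.random() < alpha   # who finds the next block
        if tie:
            tie = False
            if pool_found:                  # pool extends its branch, wins both
                pool += 2
            elif rng.random() < gamma:      # honest block on top of the pool's block
                pool += 1
                honest += 1
            else:                           # honest block on top of the honest block
                honest += 2
        elif pool_found:
            lead += 1                       # keep the new block private
        elif lead == 0:
            honest += 1                     # nothing withheld; honest block counts
        elif lead == 1:
            lead, tie = 0, True             # publish the private block: a race
        elif lead == 2:
            pool, lead = pool + 2, 0        # publish both; pool wins the fork
        else:
            pool, lead = pool + 1, lead - 1 # publish one block, still ahead
    return pool / (pool + honest)

if __name__ == "__main__":
    for alpha, gamma in [(0.25, 0.0), (0.25, 1.0), (0.4, 0.0)]:
        print(alpha, gamma, round(simulate_selfish_mining(alpha, gamma), 3),
              round(expected_revenue(alpha, gamma), 3))
```

With gamma = 0 the pool only gains above one third of the hash power, while with gamma = 1 (every race resolved in the pool's favour) a 25% pool already out-earns honest mining, which is the point of the network-positioning assumption.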
I assume the target is the double-spend they could do. They would transmit transactions to the public blockchain, but put different transactions in their private blockchain.
Let's make it simple. Take Y = I order 100k USD from some bank, pay with bitcoin. Y' = I pay 100k USD equivalent in bitcoin to myself. Suppose I discover a block significantly ahead of the public mining pool
Public: X + Y
Mine: X + Y'
Now I reveal the X + Y' chain to part of the network, but not the part where the "target" of the Y transaction is located. And suppose I can get 50% hashrate working on my chain that way. Evolution:
Public X + Y + Z1 + Z2 + Z3 (bank confirms transaction after 3 blocks, pays out my 100k USD)
Mine X + Y' + Z1 + Z2 + Z3
At this point I put all my spare chips in. I suddenly "discover" 2 blocks. Result:
Public X + Y + Z1 + Z2 + Z3
Mine X + Y' + Z1 + Z2 + Z3 + Z4 + Z5
And I re-unify the network at this point. All miners accept the "mine" blockchain, and I was able to confirm one transaction, get the payout, and undo the payment.
(obviously in reality, you'd use many tiny transactions, not one big one, and Z1 + Z2 + Z3 + Z4 + Z5 would only be able to contain transactions from the traitor network + whatever miners joined it after it was X + Y', and and and and and ... But I don't see a good reason it couldn't work)
Maybe you could make this work if you had an internet partition. (happens all the time, but you'd need a pretty big one)
I believe the described system would work fine without needing double spending.
Even simply acquiring the bids to verify transactions into the chain could make it worthwhile. When the "selfish" chain is published, it takes two blocks of transactions from anyone else, plus it has given the "selfish" miners the entire period from when they last discovered a secret to when they played their hand to mine for the block that will follow.
It may allow them to capture a greater portion of the main chain by denying information to other chain agents unless beaten or trumping.
Actually, that would be a good term for the method. "Trumping" the chain.