Just so people don't have to go looking for it...
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker’s chain being extended by one block, reducing the gap by -1.
The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:
p = probability an honest node finds the next block
q = probability the attacker finds the next block
qz = probability the attacker will ever catch up from z blocks behind
Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can’t change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.
The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:
To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
Rearranging to avoid summing the infinite tail of the distribution…
Converting to C code…
#include
double AttackerSuccessProbability(double q, int z)
{
double p = 1.0 - q;
double lambda = z * (q / p);
double sum = 1.0;
int i, k;
for (k = 0; k <= z; k++)
{
double poisson = exp(-lambda);
for (i = 1; i <= k; i++)
poisson *= lambda / i;
sum -= poisson * (1 - pow(q / p, z - k));
}
return sum;
}
Running some results, we can see the probability drop off exponentially with z.
q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006Solving for P less than 0.1…
P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340
It takes a careful reading of the paper. It doesn't say "the chance that a malicious miner will win within
z blocks"
What it does say, is that if the attacker is
z blocks behind the current height,
qz is probability the attacker will
ever catch up from z blocks behind. "Ever", as in "given an infinite amount of time, what is the probability that there ever be a single point in time where the bad miner has caught up and is at the same block height as the rest of the network.
This is not really a practical measurement, as a malicious miner won't mine until the heat death of the universe to reverse a particular block, potentially throwing away every block reward they could ever make. The cost of performing this attack is infinite, since it would take an infinite amount of electricity to mine forever, let alone the lost block rewards that have a high probability of being discarded and the cost of mining equipment to maintain the ratio. It is ultimate highest chance that there will
ever be a block replacement.
The
inputs to the formulas given are
p = probability an honest node finds the next block and
q = probability the attacker finds the next block.
One of these is easily replaced - since the probability that
anyone finds the next block is 1, the probability an honest node finds the next block is 1-q.
What does "probability an honest node finds the next block" mean though? It really means "given both miners starting mining at the same time, the probability that one miner will find
any given block. This is related to hashrate, but the clear explanation that it is a
direct and
equivalent relationship is not given in the paper. At a given difficulty a 90% miner has a mean block rate of about 11.1 minutes, whereas a 10% miner has a mean block rate of 100 minutes. Miners are racing against each other though, not the difficulty, so difficulty cancels out. Ultimately we would need to show our math: using Poisson races (down to the individual hash probability level) and how that translates to a mining regime, prove that a 10% hashrate miner truly has a 10% chance of finding the next block.
z is also a starting input.
z=1 means the bad miner is behind by one block. This also could mean "a transaction has z confirmations from the good network, a bad miner would need to mine z blocks to replace the block holding it".
If
z=0, that means the bad miner is currently at the same height as the rest of the network, so the goal has already been achieved.
z=0 doesn't make sense as a starting point.
So now let's look at the tables and see what they actually mean.
Examine the q=0.1 table at the bottom. q=0.1 means 10% probability the attacker finds the next block, and can be interpreted as the attacker having 10% of the network hashrate. The chance they will EVER be able to catch up from their one-block deficit and replace a previous block is P=0.2045873.
We need to answer better questions for particular scenarios. For attackers: what is the cost to replace a z=1 block if we continue our attempt for 10 blocks depth, and the probability of success? When does an attempt to replace a particular transaction become profitable (how large a transaction), and after how long should we abandon our attempt? For users: When is it safe to trust a X BTC transaction with a profit-motivated attacker of Q% hashrate attempting to reverse it.
)