AttackerSuccessProbability(0.3,1) = 0.627749

[Sergio_Demian_Lerner]

After some time I gave the Satoshi paper a second read.
I executed the AttackerSuccessProbability() code and computed AttackerSuccessProbability(0.3,1)
(Greg has an online tool to do that here: http://people.xiph.org/~greg/attack_success.html)

The result is 0.627749

Maybe I misunderstood the paper, but this seems to imply that an attacker having 30% of the network hashing can catchup after a 1 block deficit with probability 0.62.
Either this interpretation is incorrect or something in the Satoshi formulae is wrong: an attacker having less than 50% of the hashing power cannot have higher than 50% probability of catching up! That's counterintuitive.

If he had, then the most probably outcome would be that the attacker catches up (in some number of steps).  Since the good branch has more than the double of the attacker hashing power (70% vs 30%) the most probable outcome for the first step is obviously that the good branch mines another block, and not the opposite. So the most probable outcome is that the deficit is increased.

Can anybody clarify this to me?

[1715135360]

1715135360

[1715135360]

1715135360

[1715135360]

1715135360

[scarsbergholden]

First I want to say that I am far from a Bitcoin expert.

My understanding is that as an attacker's percentage of the total hashrate approaches 50%, the probability of them successfully overcoming a deficit approaches 100%.

I believe this has to do with a) luck and b) the fact that the honest portion of the network will always broadcast found blocks while the attacking portion of the network will not broadcast a found block until they have a longer chain then the honest miners.

[amaclin]

Either this interpretation is incorrect or something in the Satoshi formulae is wrong: an attacker having less than 50% of the hashing power cannot have higher than 50% probability of catching up!

I am not sure that correctly understand you, but I'll try to make some assumptions.
Let us take an example.
"My Super-Puper pool" owned by me has 30% of all hashing power.
I do not have my own ASIC devices, but miners over the world work for me.
I am honest miner, but the times are going to change...
There are 10 persons, each of them agree to purchase 10k bitcoins and will pay me after 1 confirmation.
Unfortunately, I do not have 100k btc, I do not have bitcoins at all! I can only loan 10k btc for a day.
What should I do?
Let us create a timeline.

1. My pool finds a block solution height=333333. I do not broadcast this block to a network.
2. I create a transaction sending loaned 10k bitcoins to a person1 and broadcast it
3. I do not insert this transaction into the 333334 block, but put a double-spending transaction into my block.

OK, now the honest 70% miners work for 333333, and my 30% miners work for 333334
With the probability of 30/70 I will find 333334 faster than all others find 333333 I will not publish it, but continue with 333335
It is enough for double-spending 1-confirmation tx.
The probability is 30/70 = 0.42

Let us assume that the network found 333333. It contains the transaction to a person1 which I want to discard.
I am still working on 333334 based on the top of my 333333.
The probability is 30/70 which is 0.42 - not too bad?

So, the probability for doublespending is
0.42 + 0.42² + 0.42³ +... = 0.84

OK, this formula does not include the cost. But it is not my problem. My miners will not receive their earnings. Bad pool luck

[Sergio_Demian_Lerner]

So the problem with my interpretation is that I was not considering that the attacker could catchup after an infinite number of steps/time...

[amaclin]

So the problem with my interpretation is that I was not considering that the attacker could catchup after an infinite number of steps/time...

Yes. Thank you. You said all my words in one sentence.
Upd: I am not sure that my calculations are correct

[fbueller]

That sounds about right Sergio. It's scary when you look at the numbers!

http://www.bitcoinedu.co/tx-strength uses that calculation, in addition to the average block time to work out how long you should wait until you have less than 1% probability of a miner stochastically producing a chain that invalidates the chain your transaction is  confirmed in.

Once a miner has 50% of the hashrate, they can outpace everyone, and hence can replace as much of the chain as they like. Hence the probability is > 1, no matter how deep in the chain your transaction is.

Code:

1 BLOCK DEEP
---------------------------------------------------
0% hashrate? 0.0000000
---------------------------------------------------
5% hashrate? 0.1012037
---------------------------------------------------
10% hashrate? 0.2045873
---------------------------------------------------
15% hashrate? 0.3096983
---------------------------------------------------
20% hashrate? 0.4158994
---------------------------------------------------
25% hashrate? 0.5223125
---------------------------------------------------
30% hashrate? 0.6277491
---------------------------------------------------
35% hashrate? 0.7306252
---------------------------------------------------
40% hashrate? 0.8288610
---------------------------------------------------
45% hashrate? 0.9197758
---------------------------------------------------
50% hashrate? 1.0000000
---------------------------------------------------
55% hashrate? 1.0654611
---------------------------------------------------
60% hashrate? 1.1115651
---------------------------------------------------
65% hashrate? 1.1338155
---------------------------------------------------

Code:

6 BLOCKS DEEP? 
---------------------------------------------------
0% hashrate? 0.0000000
---------------------------------------------------
5% hashrate? 0.0000038
---------------------------------------------------
10% hashrate? 0.0002428
---------------------------------------------------
15% hashrate? 0.0026805
---------------------------------------------------
20% hashrate? 0.0142506
---------------------------------------------------
25% hashrate? 0.0499426
---------------------------------------------------
30% hashrate? 0.1321112
---------------------------------------------------
35% hashrate? 0.2821712
---------------------------------------------------
40% hashrate? 0.5039803
---------------------------------------------------
45% hashrate? 0.7661055
---------------------------------------------------
50% hashrate? 1.0000000

Code:

600 BLOCKS DEEP
---------------------------------------------------
0% hashrate? 0.0000000
---------------------------------------------------
5% hashrate? 0.0000000
---------------------------------------------------
10% hashrate? 0.0000000
---------------------------------------------------
15% hashrate? 0.0000000
---------------------------------------------------
20% hashrate? 0.0000000
---------------------------------------------------
25% hashrate? 0.0000000
---------------------------------------------------
30% hashrate? 0.0000000
---------------------------------------------------
35% hashrate? 0.0000000
---------------------------------------------------
40% hashrate? 0.0000000
---------------------------------------------------
45% hashrate? 0.0003171
---------------------------------------------------
50% hashrate? 1.0000000
---------------------------------------------------
55% hashrate? 1.0000737
---------------------------------------------------
60% hashrate? 1.0000000
---------------------------------------------------
65% hashrate? 1.0000000
---------------------------------------------------

[Sergio_Demian_Lerner]

I've run simulations to check AttackerSuccessProbability, just to be sure, and I don't get the same results.
It true that when q approaches 0.5, p approaches 1, but the exact numbers differ.

In my simulations, the catchup probability for a 1 block deficit for an attacker having 30% of the network hashing power is approximately 0.43.

Catchup probability:  0.43
Avg Catchup Time : 24.71 minutes (when it catches up)

Assumptions:

Honest rate: 0.0011666666667 =1/(10*10/7*60) (70%, one block every 14.2 minutes on average)
Attacker rate: 0.0005 = =1/(10*10/3*60) (30%, one block every 33.3 minutes on average)

Event time function:

Code:

Function nextTime(rateParameter :Double) :Double;
begin
    Result :=-ln(1.0 - random()) / rateParameter;
end;

The probability of catchup when a single block is mined (by either the honest branch or the attacker) is about 0.30.
That is counting the cases where nextTime(attackRate)<nextTime(HonestRate)

Code:

Code:

const
  Max = 100000 ;
  PerAttacker =30;
var
  honestRate,attackRate :Double;
  i,a :Integer;
begin
  honestRate :=1/(10*100/(100-PerAttacker)*60); // 70%  10*10/7
  AttackRate :=1/(10*100/PerAttacker*60); // 30%
  a :=0;
  For i :=1 to Max do
   if (nextTime(attackRate)<nextTime(HonestRate)) then
     inc(a);
   WriteLn(a);
   WriteLn(max);
   WriteLn(a/max :5 :2);
end;

(As you've noted, it's written in Turbo Pascal 6.0 )

It's probable that my simulation has some kind of flaw or the rates are not set properly.
Have anyone run simulations to check Satoshi formulas?

[teukon]

In my simulations, the catchup probability for a 1 block deficit for an attacker having 30% of the network hashing power is approximately 0.43.

(Emphasis mine)

I'm wondering if the catch lies here.

You seem to be asking for the probability that the attacker eventually wins catches up given that the honest chain has a 1 block head-start.
satoshi is considering the probability that the attacker eventually wins catches up given that 1 confirmation has been seen.

In satoshi's scenario, the attacker begins their work at the moment the transaction is broadcast and may actually have found a block or two by chance before the first confirmation.  In your scenario, it seems as though the attacker doesn't begin until 1 confirmation is seen.

This is only an educated guess; I couldn't really follow your code.

Edit:

In my simulations, the catchup probability for a 1 block deficit for an attacker having 30% of the network hashing power is approximately 0.43.

Also from theory: The probability of eventually catching up from 1 block behind is 30%/70% = 0.429 (3.s.f).  This pretty much settles the issue in my mind but I'm happy to dig deeper into either maths or code.

Edit:
"wins" replaced with "catches up" as per deepceleron's observation.

[andytoshi]

Either this interpretation is incorrect or something in the Satoshi formulae is wrong: an attacker having less than 50% of the hashing power cannot have higher than 50% probability of catching up! That's counterintuitive.

If an attacker has 50% of the hashpower, his probability of catching up is 1 -- this decreases continuously to zero as the attacker's hashpower goes to zero. There is no magic number related to "50% probability of success" that I'm aware of.

So without checking yours or Satoshi's math, the 63% number sounds about right to me.

[deepceleron]

Just so people don't have to go looking for it...

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker’s chain being extended by one block, reducing the gap by -1.

The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:

p = probability an honest node finds the next block
q = probability the attacker finds the next block
qz = probability the attacker will ever catch up from z blocks behind



Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can’t change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.

The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:



To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:



Rearranging to avoid summing the infinite tail of the distribution…


Converting to C code…

Code:

#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
  double p = 1.0 - q;
  double lambda = z * (q / p);
  double sum = 1.0;
  int i, k;
  for (k = 0; k <= z; k++)
  {
    double poisson = exp(-lambda);
    for (i = 1; i <= k; i++)
      poisson *= lambda / i;
    sum -= poisson * (1 - pow(q / p, z - k));
  }
  return sum;
}

Running some results, we can see the probability drop off exponentially with z.


q=0.1
z=0    P=1.0000000
z=1    P=0.2045873
z=2    P=0.0509779
z=3    P=0.0131722
z=4    P=0.0034552
z=5    P=0.0009137
z=6    P=0.0002428
z=7    P=0.0000647
z=8    P=0.0000173
z=9    P=0.0000046
z=10   P=0.0000012

q=0.3
z=0    P=1.0000000
z=5    P=0.1773523
z=10   P=0.0416605
z=15   P=0.0101008
z=20   P=0.0024804
z=25   P=0.0006132
z=30   P=0.0001522
z=35   P=0.0000379
z=40   P=0.0000095
z=45   P=0.0000024
z=50   P=0.0000006

Solving for P less than 0.1…

P < 0.001
q=0.10   z=5
q=0.15   z=8
q=0.20   z=11
q=0.25   z=15
q=0.30   z=24
q=0.35   z=41
q=0.40   z=89
q=0.45   z=340

It takes a careful reading of the paper. It doesn't say "the chance that a malicious miner will win within z blocks"

What it does say, is that if the attacker is z blocks behind the current height, q_z is probability the attacker will ever catch up from z blocks behind. "Ever", as in "given an infinite amount of time, what is the probability that there ever be a single point in time where the bad miner has caught up and is at the same block height as the rest of the network.

This is not really a practical measurement, as a malicious miner won't mine until the heat death of the universe to reverse a particular block, potentially throwing away every block reward they could ever make. The cost of performing this attack is infinite, since it would take an infinite amount of electricity to mine forever, let alone the lost block rewards that have a high probability of being discarded and the cost of mining equipment to maintain the ratio. It is ultimate highest chance that there will ever be a block replacement.

The inputs to the formulas given are p = probability an honest node finds the next block and q = probability the attacker finds the next block.

One of these is easily replaced - since the probability that anyone finds the next block is 1, the probability an honest node finds the next block is 1-q.

What does "probability an honest node finds the next block" mean though? It really means "given both miners starting mining at the same time, the probability that one miner will find any given block. This is related to hashrate, but the clear explanation that it is a direct and equivalent relationship is not given in the paper. At a given difficulty a 90% miner has a mean block rate of about 11.1 minutes, whereas a 10% miner has a mean block rate of 100 minutes. Miners are racing against each other though, not the difficulty, so difficulty cancels out. Ultimately we would need to show our math: using Poisson races (down to the individual hash probability level) and how that translates to a mining regime, prove that a 10% hashrate miner truly has a 10% chance of finding the next block.


z is also a starting input. z=1 means the bad miner is behind by one block. This also could mean "a transaction has z confirmations from the good network, a bad miner would need to mine z blocks to replace the block holding it".

If z=0, that means the bad miner is currently at the same height as the rest of the network, so the goal has already been achieved. z=0 doesn't make sense as a starting point.

So now let's look at the tables and see what they actually mean.

Examine the q=0.1 table at the bottom. q=0.1 means 10% probability the attacker finds the next block, and can be interpreted as the attacker having 10% of the network hashrate. The chance they will EVER be able to catch up from their one-block deficit and replace a previous block is P=0.2045873.

We need to answer better questions for particular scenarios. For attackers: what is the cost to replace a z=1 block if we continue our attempt for 10 blocks depth, and the probability of success? When does an attempt to replace a particular transaction become profitable (how large a transaction), and after how long should we abandon our attempt? For users: When is it safe to trust a X BTC transaction with a profit-motivated attacker of Q% hashrate attempting to reverse it.

[amaclin]

what is the cost to replace a z=1 block if we continue our attempt for 10 blocks depth

Not too much for a pool owner who does not have its own hardware, but a lot of connected miners.
Let us say that this attack will cost zero for such dishonest person.

I think we will see it in the nearest future  

[teukon]

What does "probability an honest node finds the next block" mean though? It really means "given both miners starting mining at the same time, the probability that one miner will find any given block. This is related to hashrate, but the clear explanation that it is a direct and equivalent relationship is not given in the paper. At a given difficulty a 90% miner has a mean block rate of about 11.1 minutes, whereas a 10% miner has a mean block rate of 100 minutes. Miner's are racing against each other though, not the difficulty, doing individual hashes. Ultimately we would need to show our math: of Poisson races down to the individual hash probability level and how that translates to a mining regime, to show that a 10% miner truly has a 10% chance of finding the next block.

Consider a miner that has a 10% chance of finding the next block.  Due to the memorylessness of our simplified mining process, it follows that such a miner will find 10% of all blocks is the long run.  Because each block-seeking hash has an even chance of beating difficulty, it must be that the miner is computing 10% of all such hashes, i.e. controls 10% of the global hashrate.

Examine the q=0.1 table at the bottom. q=0.1 means 10% probability the attacker finds the next block, and can be interpreted as the attacker having 10% of the network hashrate. The chance they will EVER be able to catch up from their one-block deficit and replace a previous block is P=0.2045873.

My understanding is that the P=0.2045873 figure from the table represents the probability that the attacker is on the same level as the honest network at some point in the future given that the honest network found z = 1 block since the attacker began attacking.



For the same parameters, the probability that the attacker is on the same level as the honest network at some point in the future given that the network is z = 1 block ahead of the attacker is 0.1111111 (7.d.p), given by

[deepceleron]

what is the cost to replace a z=1 block if we continue our attempt for 10 blocks depth

Not too much for a pool owner who does not have its own hardware, but a lot of connected miners.
Let us say that this attack will cost zero for such dishonest person.

I think we will see it in the nearest future  

It has a direct cost. The only way that it would be free is if the large pool operator is willing to discard their reputation as an end-game. Current mining software lets an individual miner know when they find a block, and the previous block hash being worked on is part of the information that miners are given to hash. Diverting pool hashrate into a likely long set of orphans or ignoring block finds would be discoverable, as well as the publication of a multi-block-replacing withheld attack chain by the pool.

When miners are paid by hashrate and are insulated from the actual block finding profit (PPS payment), then the pool owner might see fit to do what they want with the hashes. In this case though they are paying for the hashrate at the expected block reward rate. It's not free.

Failure to succeed in making an alternate block chain means that all block find earnings are discarded. If a 30% miner abandons their attack chain against a transaction after 10 real confirmations, then their average cost of failure will be 107BTC. This weird amount is because the 70% remaining honest hashrate takes longer to do 10 blocks - the attack miner would have made on average 4.3 blocks in that time. Their chance of success is not large, and it is even lower than calculations would show, because they can only begin their attack after taking irreversible delivery of the asset paid for in the transaction, and then also must switch the pool software to "attack mode" and craft a replacement block pushing a double-spend transaction to the miners.

[amaclin]

It has a direct cost. The only way that it would be free is if the large pool operator is willing to discard their reputation as an end-game.

OK, reputation also has a cost.
What will the scenario when the profits for attack will be greater than cost of reputation?

Current mining software lets an individual miner know when they find a block,

Does anybody read the log files? (Sorry, I am not in this business, so asking)

Diverting pool hashrate into a likely long set of orphans or ignoring block finds would be discoverable, as well as the publication of a multi-block-replacing withheld attack chain by the pool.

Of course. There will be only one attempt. And in case of success the bitcoin game will be finished.

When miners are paid by hashrate

Who cares about miners? You? Me? Dishonest owner of mining pool?

Failure to succeed in making an alternate block chain means that all block find earnings are discarded.

Yes. The reputation is a bet in this game.

[deepceleron]

Examine the q=0.1 table at the bottom. q=0.1 means 10% probability the attacker finds the next block, and can be interpreted as the attacker having 10% of the network hashrate. The chance they will EVER be able to catch up from their one-block deficit and replace a previous block is P=0.2045873.

My understanding is that the P=0.2045873 figure from the table represents the probability that the attacker is on the same level as the honest network at some point in the future given that the honest network found z = 1 block since the attacker began attacking.



For the same parameters, the probability that the attacker is on the same level as the honest network at some point in the future given that the network is z = 1 block ahead of the attacker is 0.1111111 (7.d.p), given by

A z=1 attack scenario would be an attack that begins after 1 confirmation. The attacker's starting point is one block behind everyone else. We will use our imagination to conjure a high-value service vulnerable to this attack:

- an exchange that trusts 1 confirmation payments
- once the 1 confirmation is achieved, the attacker's scripts then immediately purchase and withdraw irrevocable currency and begin a double-spend attack

z=1 means to immediately start mining a double-spend chain of the payment after 1 confirmation.

Interestingly, the formulas don't compute "to win", they only compute the probability of "to catch up", that both the honest network and the attacker both have the same block height. This is a head-scratching anomaly. Let's say the attacker "caught up" by immediately mining an attack block of the same height as the one confirming the transaction, meeting the statistical goal - the network still trusts and is building on the honest block of the same height; the attacker didn't win.

That just leaves more math, because actually winning and the "first to publish" rules of Bitcoin aren't considered. I think the implications are that the probability for winning a 1 confirmation race is actually z=2.

[teukon]

A z=1 attack scenario would be an attack that begins after 1 confirmation. The attacker's starting point is one block behind everyone else.

No problem.  I'm just pointing out that this is different from the scenario satoshi is considering with the C code and table of values you quoted from the whitepaper.  I believe that the corresponding table for your scenario (probably coinciding with Sergio_Demian_Lerner's simulation) would be:


q=0.1
z=0    P=1.0000000
z=1    P=0.1111111
z=2    P=0.0123457
z=3    P=0.0013717
z=4    P=0.0001524
z=5    P=0.0000169
z=6    P=0.0000019
z=7    P=0.0000002
z=8    P=0.0000000
z=9    P=0.0000000
z=10   P=0.0000000

q=0.3
z=0    P=1.0000000
z=5    P=0.0144583
z=10   P=0.0002090
z=15   P=0.0000030
z=20   P=0.0000000
z=25   P=0.0000000
z=30   P=0.0000000
z=35   P=0.0000000
z=40   P=0.0000000
z=45   P=0.0000000
z=50   P=0.0000000

P < 0.001
q=0.10   z=4
q=0.15   z=4
q=0.20   z=5
q=0.25   z=7
q=0.30   z=9
q=0.35   z=12
q=0.40   z=18
q=0.45   z=35

Interestingly, the formulas don't compute "to win", they only compute the probability of "to catch up"

Yes, I misused the term "win" in my first post here.  I've been more careful with my wording since then but will go and fix my initial post now too.

[bitcoinbeliever]

So the problem with my interpretation is that I was not considering that the attacker could catchup after an infinite number of steps/time...

After an infinite number of steps, an attacker with < 50% is guaranteed to be behind.

Satoshi calculates the probability that attacker ever gets ahead, at any point, since that is long enough to double spend.

You could say a "lucky streak" of some length is required at some point but in fact the success pattern could be arbitrarily complex (with arbitrarily low probability of any particular pattern occurring).

To simulate the process, you could use a recursive function.