The Bitcoin White Paper: 11. Calculations


“Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
October 31, 2008”

Here comes the heavy math part of The Bitcoin White Paper. Be prepared for many formulas. Satoshi goes into the probability that the Bitcoin network could be attacked.

11. Calculations

“We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker’s chain being extended by one block, reducing the gap by -1.”

Attacker of Bitcoin Network probability formula. Bitcoin becomes tougher to attack as it grows in total computing power.

“Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can’t change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.

The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:

attacker of Bitcoin Network's potential progress formula

To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:

probability the attacker could still catch up

Rearranging to avoid summing the infinite tail of the distribution…

Rearranging to avoid summing the infinite tail of the distribution formula...

Converting to C code…

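    #include <math.h>

    double AttackerSuccessProbability(double q, int z)
    {
        double p = 1.0 - q;
        /* expected attacker progress while the honest chain adds z blocks */
        double lambda = z * (q / p);
        double sum = 1.0;
        int i, k;
        for (k = 0; k <= z; k++)
        {
            /* Poisson probability that the attacker has made k blocks */
            double poisson = exp(-lambda);
            for (i = 1; i <= k; i++)
                poisson *= lambda / i;
            /* subtract the cases where he fails to catch up from z - k behind */
            sum -= poisson * (1 - pow(q / p, z - k));
        }
        return sum;
    }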

Running some results, we can see the probability drop off exponentially with z.

q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012

q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006

Solving for P less than 0.1%…

P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340”

Bitcoin has survived all attacks for over 14 years. The math above lays out how Bitcoin is the most secure network in history.


Thanks to the Nakamoto Institute for making the whitepaper available freely via an Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license. More info on that here: https://creativecommons.org/licenses/by-sa/4.0/

Source: https://nakamotoinstitute.org/bitcoin/