
I read Satoshi's original paper on Bitcoin as well as Rosenfeld's paper, "Analysis of hashrate-based double-spending". However, they don't answer my question, which is as follows.

Let's assume the attacker has q hash power (less or more than 50%) and that the merchant is waiting for k confirmations (e.g. 6). What is the probability that after time t (e.g. 12 hours), the attacker will produce a longer chain in order to double-spend money?

I have seen formulas to calculate the probability that the attacker will eventually produce the chain, but what I am looking for is what happens if the attacker is constrained by time t. I know that the attacker has a 100% chance of eventually getting the longer chain, but I also know that when the hashing power q is around 50%, it would take a lot of time and you would normally need around 60-70% of hashing power.

  • The attacker is only guaranteed to eventually get the longer chain when they have more than 50% of hashpower. – Nick ODell Nov 30 '15 at 17:41
  • @Nick Yes, I know that, but my question is: if the attacker has q hashing power and the transaction requires 6 confirmations, then what is the probability that he will succeed with the attack if he has some time t to perform the attack? Let's say he only has control of q hashing power for time t. I think this can be seen as Gambler's Ruin, but trying to calculate the probability of getting x coins with an unfair coin of prob. q – Maciej Żurad Nov 30 '15 at 18:44

1 Answer

So there are two ways to launch this attack.

  1. (stupid way) get 6 confirmations on a transaction, then go back to the block before the transaction and mine 6 blocks in a private chain before catching up to the mainline and eventually beating it. I would describe this as a race between main chain and private chain where the main chain has a 6-block lead.

  2. (smart way) immediately after the transaction is in the mempool of the main chain, start a private chain with the double spend tx and keep the chain private until there are 6 confirmations on the main chain and release the longer chain into the world to win. I would describe this as a race between the main chain and private chain where they start from the same place.

I think you're talking about doing (1), where (2) is the attack more likely to succeed. With (1), yes, this will take a long time since you have 6 more blocks to catch up. With (2), you're likely to beat (1) soon after however many confirmations. Since the length of the chain is determined by how much proof-of-work is in it, you might be able to win with a shorter chain (!). In any case, calculating the probability of doing so by time T is an interesting problem for (2), but it's at or above your percentage of the hashing power at any length as long as the second method of attack is used.

Jimmy Song
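For a merchant choosing k, the time-limited risk asked about in the question can be computed numerically for the race in scenario (2). The following is an added example, not part of the original question or answer. Assumptions: difficulty is fixed so the whole network (attacker included) finds one block per 600 s on average as a Poisson process, each block is the attacker's with probability q, both chains start from the same block, and the attacker wins the moment the main chain has at least k confirmations while the private chain is strictly longer. The function names are made up for this example.

```python
import math

def success_within_blocks(q, k, n_max):
    """cum[n] = P(private chain has won within the first n blocks found overall)."""
    state = {(0, 0): 1.0}  # (honest blocks capped at k, attacker lead) -> probability
    won, cum = 0.0, [0.0]
    for _ in range(n_max):
        nxt = {}
        for (h, d), pr in state.items():
            # Next block is the attacker's (prob q) or an honest miner's (prob 1 - q).
            for step_pr, nh, nd in ((q, h, d + 1), (1 - q, min(h + 1, k), d - 1)):
                if nh >= k and nd >= 1:      # k confirmations seen and attacker ahead
                    won += pr * step_pr      # absorbing: double spend succeeded
                else:
                    nxt[(nh, nd)] = nxt.get((nh, nd), 0.0) + pr * step_pr
        state = nxt
        cum.append(won)
    return cum

def success_by_time(q, k, t_seconds, block_interval=600.0):
    """P(attacker with hashrate share q wins within t_seconds, k confirmations)."""
    mean = t_seconds / block_interval              # expected total blocks in t
    n_max = int(mean + 12 * math.sqrt(mean) + 30)  # Poisson tail beyond this is negligible
    cum = success_within_blocks(q, k, n_max)
    pmf, total = math.exp(-mean), 0.0              # pmf = P(N = 0)
    for n in range(n_max + 1):
        total += pmf * cum[n]                      # condition on N = n blocks found
        pmf *= mean / (n + 1)                      # advance to P(N = n + 1)
    return total

if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45, 0.5, 0.6):
        row = [success_by_time(q, 6, h * 3600) for h in (2, 6, 12)]
        print(f"q={q:.2f}  2h={row[0]:.4f}  6h={row[1]:.4f}  12h={row[2]:.4f}")
```

Running it prints one row per q with the success probability for k = 6 after 2, 6 and 12 hours, which shows how slowly the risk grows with t when q is below 50%.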