Vanishing Probabilities
Last updated
Last updated
The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
To get the probability the attacker could still catch up now, we multiply the Poisson density foreach amount of progress he could have made by the probability he could catch up from that point:
Rearranging to avoid summing the infinite tail of the distribution…
Converting to C code…
#include double AttackerSuccessProbability(double q, int z) { double p = 1.0 - q; double lambda = z * (q / p); double sum = 1.0; int i, k; for (k = 0; k <= z; k++) { double poisson = exp(-lambda); for (i = 1; i <= k; i++) poisson *= lambda / i; sum -= poisson * (1 - pow(q / p, z - k)); } return sum; } Running some results, we can see the probability drop off exponentially with z.
- Satoshi Nakamoto, Bitcoin Whitepaper
The final part of this section concerns the probabilities of success an attacker might have given varying different quantities of hashpower with which to execute their attack. The first two charts show that for a given percentage of the network’s hashpower (10% and 30% respectively), the chance of ever catching up from a lead of more than just one block is probabilistically low, making the attack highly risky.
The third chart shows how many blocks lead represents a 0.1% chance of catching for a given % of hashpower. We can see that for anything below 30% of the hashrate, a lead of just 24 blocks can represent a 1/1000 chance.
