Blockchain Technologies: Probability of Double-Spend Attack on a Proof-of-Stake Consensus

Two double-spend attack strategies on a proof-of-stake consensus are considered. For each strategy, the probability of its success is obtained, which depends on the network parameters and the number of confirmation blocks. These results can be used to define how many confirmation blocks a vendor should wait after a correspondent transaction before sending goods or services.


Introduction
Since Bitcoin launched in 2009, blockchain systems and distributed ledger technologies have become popular, received widespread adoption, and attracted significant research effort [1].
They provide a great use case and have big advantages in environments that require no trust. That includes various financial applications (DeFi), cryptocurrencies, different types of distributed registries, etc. The decentralized blockchain-based systems provide the common view on the history of transaction ledger, censorship resistance, and no single point of failure.
Although, comparing to the centralized approach, a decentralized environment has much longer latencies on transaction confirmations. As there is no central server(s), the majority of network nodes in a trustless environment should receive a new transaction, validate it, and share that with other nodes, working in conditions with delayed message delivery over the network.
Moreover, some part of network participants may be well coordinated by an adversary who attacks the system. At the same time, honest nodes have no ability to discern the malicious behavior until an attack is finished (with any result).
Within such conditions, a distributed system user must decide whether she accepts the transaction (and provides corresponding services or goods for the accepted value) or she should wait for higher confirmation assurance (or just reject the transaction).
For many practical applications, such as on-line exchanges or retail, it is critical to minimize the confirmation time latency.
So, on given input parameters (such as the adversarial ratio among all nodes reaching consensus), it is important to define concrete criterion regarding when a transaction may be secure and accepted with low risk and when it should be removed from the final history of the blockchain.
Thus, the special case of persistence, as one of two major ledger properties [2], needs to be analyzed: the resistance to the double-spend attack. The essence of this attack does not depend on the type of consensus protocol. Technically, it happens as follows. An adversary carries out some transaction in the block with number i, transferring coins to a supplier of goods for some purchase. The supplier receives those coins and accordingly supplies the goods to the buyer. The adversary also starts mining (forging) a different block with the same height i-that is, a block following the block with number (i-1), but one that either does not contain this transaction-or he transfers coins to another one of his own accounts. To guarantee acceptance of this alternative chain by honest participants, he tries to "hook" as many blocks as possible to the alternative block at height i. If he succeeds in making the alternative chain longer, then exactly this chain, according to the consensus protocol, will be the one that is considered correct. Obviously, the larger the share kept by the adversary (it is not essential whether is it computing power in the case of PoW or a share of a stake in the case of PoS), the higher chance his attack has of being successful. In particular, if the share of the adversary is not less than 1/2, then the probability of the attack success is equal to 1.
A double-spend attack may seem to be very similar to a selfish mining attack, but they have two main differences. The first difference consists in their purposes: the purpose of a double-spend attack is to use the same coin for two (or more) different payments, creating conflicting transactions; the purpose of a selfish mining attack is to generate essentially more blocks than is expected for a given adversary's ratio and, therefore, to get profit that is not proportional to his share. The second difference yields from the first one: in the double-spend attack, an adversary should keep his alternative branch in secret until the necessary number of confirmation blocks are created; therefore, he builds this chain only by himself, while in selfish mining, honest miners see the alternative chain and occasionally may maintain its creation.
In this work, we investigate only the security of the general model of PoS protocol against a double-spend attack under only one assumption, which is quite standard: the probability that the next block is generated by some stakeholder is proportional to its stake. Our innovative contribution is that we for the first time obtain formulas for exact values of probability of a double-spend attack, unlike lots of previous papers, which give only asymptotic estimations of such probabilities or their upper bounds, which for some sets of parameters are trivial (i.e., take values that are ≥1). Informally speaking, such papers state: "if you are waiting for an infinitely long time, the probability that an adversary may invert your transaction is infinitely small". However, nobody wants to wait an infinitely long time; the vendor wants to know exactly how many confirmation blocks he should wait to be sure (with some predefined probability) that transaction is irreversible. Our results are just for such case-for an arbitrary ratio of adversaries and numbers of confirmation blocks, the vendor can achieve the following: (1) For a given number of confirmation blocks, calculate the probability that his transaction is irreversible; or (2) Set some desirable level of probability (say, 0.999) and calculate the minimal number of confirmation blocks he should wait to be sure that his transaction is irreversible.
A more detailed comparative analysis between our results and previous works will be given in the next section.
We also give a lot of examples of numerical results, which were obtained according our formulas, and corresponding graphs. They also confirm the correctness and practical benefits of the statements and formulas obtained in this work.

Related Work
The first mention of a double-spend attack and its detailed description was made by Nakamoto in his historical paper [3].
To ensure protection against this attack in Bitcoin, Nakamoto proposed not to supply the goods as soon as the transaction occurred, but to wait for some time, more precisely for a number of confirmation blocks, and only then, if the transaction has not disappeared from the blockchain, to supply the goods. In this case, the adversary cannot open his alternative chain immediately after the payment, as then the provider will see that the transaction disappears and then appears in the blockchain and thus reject the transaction. For this reason, the adversary first waits until the block with the transaction "grows" by the required number of confirmation blocks. During this waiting period, he can try to seamlessly generate a fork that starts before the block with the transaction; that is, in our notations, he may generate an alternative ith block with the blocks to follow, but in no case does he share this alternative chain during the confirmation period, so that the supplier will not suspect anything bad. This is the first stage of the attack. However, when the confirmation blocks are formed and the goods are received, the adversary tries to "catch up" with the existing chain, and this is the second stage of the attack. Suppose that while six confirmation blocks are being generated, the adversary was able to generate four blocks of the alternative chain. Now, he lags behind by at least two blocks. If ever in the future he is able to generate as many blocks as it is needed to "catch up" with the existing chain, which, in turn, will also grow all the time, then the attack will be successful. In particular, if he managed to generate seven or more blocks at the first stage of the attack while he waited for the confirmation blocks, then the attack was already successful: there is nothing to catch up. Having received the goods, he simply presents his own longer chain, in which the money remains with him. Now, the next question is: how many confirmation blocks should the supplier wait? In other words, for the given network parameters and given (arbitrarily small) ε > 0, what number of confirmation blocks after a transaction should he wait for a probability of a successful attack to be smaller than that given ε?
The answer to this question, given in [3] by Nakamoto and in [4] by Saleh, requires correction. The assumptions made in [3] do not quite correspond to the real deployment model. The first assumption is that the time of generation of the block and the time of its appearance in the network coincide, so the block propagation delay is zero. However, from this assumption, it follows that the probability of an "accidental" fork is zero, but reality shows that such forks happen [5]. The second assumption states that the random variable, which is equal to the number of attempts that honest miners do to generate z confirmation blocks, where p is the probability of success, is replaced by its expectation z p . Due to these assumptions, the number of confirmation blocks in [3] is underestimated.
After [3], the probability of a double-spending attack was analyzed in papers [6,7], which also have some lacks, including unproved statements. For the first time, the problem gets a fully correct solution in [8], which is really wonderful from the mathematical point of view. In this paper, the authors prove that the process of generating "honest"/"dishonest" blocks in the network is described by a negative binomial distribution. It was first proved in this paper, using special functions, that the fork probability decreases exponentially with the growth of the number of confirmation blocks.
However, the authors of [8] could not and even did not try to get rid of the same assumption on the instantaneous propagation of the block in the network.
The work [9] generalized the results obtained in [8]. In this work, for the first time (in model with continuous time, without simplified assumptions about discrete timeslots), the author obtained and strictly proved the expression that gives the value of double-spend attack probability in dependence on network parameters, including network synchronization time.
Note that all these works [3,4,[6][7][8][9] investigate proof-of-work consensus protocol, but there are still no analogical results for proof-of-stake [10-12]. However, consensus protocol proof-of-stake is much more preferable than proof-of-work from a lot of points of view. The main problems that occur on block generation with PoW consensus are the following: − Miners must be on-line and continuously solve PoW puzzles; − Huge energy consumption to generate a block with an acceptable security level; − Occasional forks where parts of work made by honest miners are lost.
To solve these problems, as well as several other ones, a proof-of-stake-based approach was proposed. The first provable secure PoS was presented in [13] as well as its next generations [14][15][16][17].
The main idea of PoS consensus is randomized slot leader selection; i.e., a participant who forges the next block is randomly selected in a non-biased way to issue the block within a given period of time. The probability to become a slot leader is proportional to the stake owned by the participant. A detailed description of PoS approaches is given in [13][14][15][16][17][18][19], as well as definitions, a model with strict formalizations, and security proofs.
For the first time, the rationale for the robustness of PoS protocol was given in [13] under the standard assumption that slot leaders are chosen among stakeholders with probabilities that are proportional to their stakes. To assure such an assumption, an Ouroboros protocol was proposed, which was modified and improved in the next papers [13][14][15][16] The statements formulated about PoS security in [13] are "general"; they concern such properties of protocol as "liveness" and "persistence". Informally speaking, the deeper the block, the higher the probability that it is stable. Most of the statements about block stabilization given in [13] are upper estimations of probabilities (which sometimes turn out to be trivial for certain values of parameters) or descriptions of their asymptotic behavior. Such results persuade us that the probability of block stabilization increases fast when the depth of the block increases, but it cannot be used to calculate the minimal number of confirmation blocks after which we are sure that the block is stable.
A lot of papers published every year analyze different additional properties and applications of PoS protocols. Among others, we can note [20], where the authors combine PoS protocol with secure BTC blockchain to obtain a consistent subchain; [21] analyzes the liveness of sidechains, built on PoS, using a special multisignature; [22] discusses PoS with a digital signature scheme that prevents the validators from creating multiple blocks at the same height; [23] considers two cases of smart-contracts of blockchain with PoS; [24] is also devoted to the use of smart-contracts on a private Ethereum blockchain. These works analyze some special aspects of PoS security, but none of them give the answer on such a simple, practical, and specific question: how many confirmation blocks is enough to guaranty block stability with a given probability?
In our paper, we provide analytical estimations of a double-spend attack in the covert adversary model for an arbitrary version of Ouroboros protocol.
Our estimations are strict (not asymptotic), which allows using them to define a necessary number of transaction confirmation blocks that is sufficient to make the transaction irreversible with any given probability (e.g., 1-10 −3 ).
It is interesting that the estimations obtained in this work for PoS protocol are very close to the corresponding results for PoW protocols, which were firstly obtained with a full mathematical background in [8]. However, for obtaining such estimations, rather different probabilistic methods were used (e.g., random processes with continuous time for PoW and random sequences for PoS).
Our analytical estimations allowed obtaining concrete values of the confirmation of block numbers depending on system parameters (including adversarial stake participating in consensus) and building dependence diagrams for them.

Materials and Methods
In this section, we describe two possible strategies for the implementation of a doublespend attack. The first one is more universal; it is suitable for almost any consensus protocol. It was first proposed by Nakamoto in his historical work [3] for PoW consensus protocol. The second one is specific for the PoS (and, may be, for some limited class of other) protocol. For both strategies, we give exact analytical expressions for the probability of success of the attack, which depends only on an adversary's ratio and the number of confirmation blocks that the vendor should wait before sending goods. We stress that these expressions are non-asymptotical, so they may be also used for such purpose as to find the minimal number of confirmation blocks, which guarantees that the attack probability is less than some predefined small value, such as ε = 10 −3 or less.
Note that the security of some object, model, system, or process against any attack is defined by two main parameters: the computational efforts (or/and, maybe, the volume of memory) needed for the successful implementation of this attack and probability of its success. If the adversary needs unreachable computational efforts to implement the attack with significant probability during some appropriate period of time, or if the probability of attack is negligible, we say that this object (model, system process, etc.) is secure against this attack.
In the model of a double-spend attack discussed in our work, we make some assumptions in favor of the adversary: we assume that he has unlimited time to implement the attack. Recall that the adversary's ratio, which is defined by his stake, is minority, i.e., less than 50%.
In this section, we are going to prove the next result: for arbitrary adversary's ratio of 0 ≤ q < 1 2 and arbitrarily small ε > 0, there is such z = z(q, ε) that after z confirmation blocks the probability of a double-spend attack, which is implemented according to the strategies described below, is less than this given ε. It means that the vendor can reduce the probability of a double-spend attack to an arbitrarily small and negligible value, waiting for some certain number of confirmation blocks. In other words, in such a manner, we can achieve an arbitrarily large level of security of PoS protocol against a double-spend attack, even in the model when the adversary has unlimited time (but a minority of stake).
In what follows, we will use the next designations. Let B 0 , B 1 , . . . , B n be blocks of the blockchain, and let some transaction with a payment for the vendor be included into block B i , for some i ∈ N. Then, the vendor waits until z blocks have been linked after this block to be sufficiently certain the sender cannot prune it.
At the same time, the adversary (sender) wants to prune the block B i with his transaction and take money back.
In this model, the adversary tries to organize a branch point in block B i−1 , just before the block with the transaction. We will consider two different strategies of the adversary.

Strategy 1: Description of Attack and Estimation of Probability of Its Success
The adversary does not form his blocks in his timeslots in the chain that honest miners build. Instead, he starts to form an alternative branch with a branch point (BP) in After z blocks B i+1 , B i+2 , . . . , B i+z are formed, he tries to make his alternative branch longer.
Note that according to this strategy (during the attack, the adversary does not form his blocks in the"honest" branch) all blocks in the chain, starting from B i−1 , are formed by honest parties.
To succeed, the adversary must build an alternative chain that is longer than the "honest" one. It is possible only in case if, in some timeslot with number s, after the blocks B i+1 , B i+2 , . . . , B i+z are formed, the number of "adversary's" timeslots between the timeslot that corresponds to the block B i−1 (let it be the timeslot with the number t) and the timeslot with number s, is not less than the number of "honest" timeslots on the same time interval. In this case, the adversary can form the alternative chain: for some r, where all blocks are formed in his timeslots, and block B r is formed in timeslot number s.
Hence, the necessary and sufficient condition for the successful attack is the existence of such a sequence of timeslots after the timeslot with number t, where the number of "malicious" slots is not less than the number of "honest" slots.
To find the probability for successful attack, we will use the random excursions model (REM) [12].
Firstly, we need to formalize the problem using REM. We assume that among n parties, t are malicious (t < n /2) and n − t are honest. So, the probability that an arbitrary timeslot is honest is p = (n − t) /n, and the probability of a malicious timeslot is q = t /n.
Let ξ i , i ≥ 1 be a Bernoulli random variable (RV), Here, a random sequence ξ i , i ≥ 1 describes the distribution of timeslots in the blockchain. If ξ i = 1, then the slot leader of the ith timeslot is honest; if ξ i = −1, then he is malicious.
Let us define the following random variables: The physical senses of these random variables are the following: -S + n , n = 0, 1, . . . is equal to the number of timeslots that the honest slot leader has on the interval between the slot with the number 0 and the slot with the number n; -S − n , n = 0, 1, . . . is the analogical value for the number of the adversary's slots; -S n , n = 0, 1, . . . is equal to S + n − S − n ; i.e., the difference between "honest" and "malicious" slots.
In this model, we consider a random excursion that starts at the moment t, so there are z + 1 "honest" blocks after it, before the adversary tries to build an alternative branch. He can use only timeslots after block B i−1 , because this block is a branch point (BP).
Fix some k ∈ N and let us define a new random variable Here, τ k is the number of timeslots, such that on the interval [0, τ k ], there exists exactly k slots, which belong to the honest slot leaders. Now, in this definition, our purpose is to find the probability of the event for k = z + 1, where S − m , S + m are defined according to (1)-(3). The event A(k) is just the event that after k confirmation blocks were built, at some moment, the adversary managed to build the longer chain using his timeslots.
In what follows, we need the result in a random excursion, "gambler ruin problem" [25]. We formulate this result as the next lemma.
Let C k be the next event: C k = ∃l ∈ N : S (k) l = 0 , and q k be its probability: q k = P(C k ). Then Informally speaking, this lemma states that if at some moment an adversary with a stake ratio q is k blocks behind, the probability that he will catch up (during unlimited time) To prove our main result, we also need some definitions and properties of special functions [6,7]. The matter is that the probability of this attack can be expressed in terms of a well-known special function: a regularized incomplete beta function. Now, we give its definition and main properties that are used in the statements presented below. Definition 1. Regularized incomplete beta function is the function.
where ) is a beta function,

Lemma 2. ([26]
). The regularized incomplete beta function satisfies the symmetry relation: From Lemma 2 and definition of inverse binomial distribution, we get the next corollary. Corollary 1. In our designations, z ∑ l=0 C l z+l q z+1 p l = ∞ ∑ l=z+1 C l z+l p z+1 q l . Now, we are ready to formulate the next theorem.
Theorem 1. In our designations, the next equality for probability of a double-spend attack after z confirmation blocks is true: or using the local Moivre-Laplace theorem, for appropriate p, q and z: or using a regularized incomplete beta function: and, finally, for sufficiently large z: Proof of Theorem 1. Define the events: Event H l means that the adversary accumulated exactly l blocks before the time when slot τ z begins.

Strategy 2: Description of Attack and Estimation of Probability of Its Success
In this strategy, the adversary forms his blocks in the same way that honest parties do all the time and issues them to both "honest" and "malicious" chains, but his purpose is the same: to choose some appropriate moment for building a longer alternative chain with the branch point in B i−1 and with block B i without his transaction.
As in the previous case, in this alternative chain, he may use all his timeslots after the slot in which B i−1 was formed. The main difference is that all blocks in this chain are formed in the successive timeslots without missing, i.e., to form z "honest" blocks after B i , we need just z timeslots.
To make the alternative chain with a branch point in B i−1 , the adversary can use all his timeslots after (i − 1)th (in which B i−1 was formed). Then, on the interval from B i to B i+z , he may have from 0 to (z + 1) timeslots.
We will use the same REM, defined in (1), (2), with q < p, q + p = 1. For some k ∈ N, define the event: E(k) = {∃ m ≥ k : S − m ≥ S + m }. We are interested in finding the probability P(E(z + 1)).

Theorem 2.
In our designations, the probability of a double-spend attack, according to Strategy 2 and after z confirmation blocks, is: Proof of Theorem 2. Let us define the events: Event H l means that the adversary accumulated l timeslot between timeslot t 1 , which corresponds to block B i−1 , and timeslot t 2 , which corresponds to block B i+z .
Probabilities of P E(z+1) H l can be obtained according to Lemma 1: , when q < p and l ≤ z + 1; 1 , else.
. (17) Then, rewrite (15) using (16) and (17) and obtain: The theorem is proved. Figure 1 below gives the dependency of the logarithm value of probability P(A(z + 1)) of a double-spend attack under z confirmation blocks, which were obtained in (7) (on the Y-axis), on the value z (on the X-axis), for different adversary ratios. As long as the graphics for the logarithm of probability are straight lines, then the value P(A(z + 1)) decreases exponentially with the growth of z. According to the Formula (8), the function decrease rate P(A(z + 1)) with the growth of z is the same as for function (4pq) z+1 . Then, rewrite (15) using (16) and (17) and obtain:

Results and Discussion
The theorem is proved. □

Results and Discussion
of a double-spend attack under z confirmation blocks, which were obtained in (7) (on the Y -axis), on the value z (on the X -axis), for different adversary ratios. As long as the graphics for the logarithm of probability are straight lines, then the value decreases exponentially with the growth of z . According to the Formula (8), the function decrease rate with the growth of z is the same as It is interesting that the probability of a double-spend attack in PoS consensus in the synchronous model turns out to be equal to the probability of the same attack in PoW consensus under the assumption of zero synchronization time ( [8]). However, the methods of obtaining these two results for these two consensuses are essentially different.
Using our results, we can now reasonably recommend to the vendor how many confirmation blocks he should wait after the correspondent transaction before sending goods or services. The only information we need to set is the stake share of the alleged attacker. This information we can get from the different mining pools' observations and analysis, which shows us that some mining pool(s) behaves suspiciously. It is interesting that the probability of a double-spend attack in PoS consensus in the synchronous model turns out to be equal to the probability of the same attack in PoW consensus under the assumption of zero synchronization time [8]. However, the methods of obtaining these two results for these two consensuses are essentially different.
Using our results, we can now reasonably recommend to the vendor how many confirmation blocks he should wait after the correspondent transaction before sending goods or services. The only information we need to set is the stake share of the alleged attacker. This information we can get from the different mining pools' observations and analysis, which shows us that some mining pool(s) behaves suspiciously. Table 1 below shows some values P(A(z + 1)) = 2I q (z + 1, z + 1), according (7), for a different ratio q of the adversary and different numbers of confirmation blocks z. In Table 2, we show the minimal values of z, for a different ratio q, which provides the condition P(A(z)) < 10 −3 . It means that if the vendor waits for such a number of confirmation blocks, the probability of a double-spend attack, even during an infinitely large amount of time, is less than 10 −3 . Note that our results once more demonstrate that PoS protocol is more preferable than PoW from the point of view of its security against a double-spend attack. The matter is that usually, the timeslots are large enough (comparing with the synchronization time) so that the slot leader can create a block and share it among other participants during his timeslot. So, we may neglect the network synchronization time and work with a synchronous model, in which the security level against the double-spend attack is defined only by the adversary's stake ratio. However, in PoW, the synchronization time plays a very important role. As shown in [9,27], the security threshold (the minimal adversary ratio that can implement the attack with probability 1 despite the number of confirmation blocks) decreases when the synchronization time increases, and in the case of a large synchronization time, even an adversary with a minority hashrate can implement the attack with probability 1).

Conclusions
We researched two types of strategies for a double-spend attack and give strictly proved expressions for success probabilities for both of them. Note that comparing Formulas (7) and (14), we see that Strategy 1 is always more preferable for the adversary than Strategy 2. Indeed, under condition p > 1 2 > q, we get the next inequality: So, the success probability in Strategy 2 is less than the same probability in Strategy 1 under the same values of q and z.
Using the results obtained, one can define the necessary number of confirmation blocks to make this probability negligible.
There are two interesting questions that we would like to investigate in our next works:

1.
To consider an asynchronous model, where the adversary can delay the message delivery for honest slot leaders for some significant period of time, for example, equal to several timeslots, and analyze the probability of a double-spend attack in a such model.

2.
To obtain similar results in a case when the adversary has only a limited period of time to implement his attack. Such models occur when, for example, the blockchain has checkpoints, and the adversary can create a fork only in the period before the next checkpoint.