Profitable Double-Spending Attacks

Abstract

Our aim in this paper is to investigate the profitability of double-spending (DS) attacks that manipulate an a priori mined transaction in a blockchain. It was well understood that a successful DS attack is established when the proportion of computing power an attacker possesses is higher than that of the honest network. What is not yet well understood is how threatening a DS attack with less than 50% computing power used can be. Namely, DS attacks at any proportion can be a threat as long as the chance to make a good profit exists. Profit is obtained when the revenue from making a successful DS attack is greater than the cost of carrying out one. We have developed a novel probability theory for calculating a finite time attack probability. This can be used to size up attack resources needed to obtain the profit. The results enable us to derive a sufficient and necessary condition on the value of a transaction targeted by a DS attack. Our result is quite surprising: we theoretically show how a DS attack at any proportion of computing power can be made profitable. Given one’s transaction value, the results can also be used to assess the risk of a DS attack. An example of profitable DS attack against BitcoinCash is provided.

1. Introduction

A blockchain is a distributed ledger which has originated from the desire to find a novel alternative to centralized ledgers such as transactions through third parties [1]. Besides the role as a ledger, blockchains have been applied to many areas, e.g., managing the access authority to shared data in the cloud network [2] and averting collusion in e-Auction [3]. In a blockchain network based on the proof-of-work (PoW) mechanism, each miner verifies transactions and tries to put them into a block and mold the block to an existing chain by solving a cryptographic puzzle. This series of processes is called mining. However, the success of mining a block is given to only a single miner who solves the cryptographic puzzle for the first time. The reward of minting a certain amount of coins to the winner motivates more miners to join and remain in the network. As a result, blockchains have been designed so that the validity of transactions is confirmed by a lot of decentralized miners in the network.

A consensus mechanism is programmed for decentralized peers in a network to share a common chain. If a full-node succeeds in generating a new block, it has the latest version of the chain. All of the nodes in the network continuously communicate with each other to share the latest chain. A node may run into a situation in which it encounters mutually different chains more than one. In such a case, it utilizes a consensus rule with which it selects a single chain. Satoshi Nakamoto suggested the longest chain consensus for Bitcoin protocol in which the node selects the longest chain among all competing chains [1]. There are also other consensus rules [4,5], but a common goal of consensus rules is to select the single chain by which the most computation resources have been consumed based on the belief that it may have been verified by the largest number of miners.

A double-spending (DS) attack aims to double-spend a cryptocurrency for the worth of which a corresponding delivery of goods or services has already been completed. The records of payment are written in transactions and shared in a network via the status-quo chain. Thus, to double spend, attackers need to replace the status-quo chain in the network with their new one, after taking the goods or services. For example, under the longest chain consensus, this attack will be possible if an attacker builds a longer chain than the status-quo. Nakamoto [1] and Rosenfeld [6] have shown that the higher computing power is employed, the higher probability to make a DS attack successful is. In addition, if an attacker invests more computing power than that invested by a network, a success of DS attack is guaranteed. Such attacks are called the 51% attack.

In the last few years, unfortunately, blockchain networks have been recentralized [7,8], which make them vulnerable to DS attacks. To increase the chance of mining blocks, some nodes may form a pool of computing chips. The problem arises when a limited number of pools occupy a major proportion of the computing power in the network. For example, the pie chart (date accessed from BTC.com on November 24, 2020) shown in Figure 1 illustrates the proportion of computing power in the Bitcoin network as of January 2020. In the chart, five pools such as F2Pool, BTC.com, Poolin, and Huobi.pool occupy more than 50% of the total computing power of Bitcoin. In a recentralized network, since most computing resources are concentrated on a small number of pools, it could be not difficult for them to conspire to alter the block content for their own benefits, if aiming to double-spend. Indeed, there have been a number of reports in 2018 and 2019 in which cryptocurrencies such as Verge, BitcoinGold, Ethereum Classic, Feathercoin, and Vertcoin suffered from DS attacks and millions of US dollars have been lost [9].

In addition to the recentralization, the advent of rental services which lend the computing resources can be a concern as well [10]. Rental services such as nicehash.com which provide a brokerage service between the suppliers and the consumers have indeed become available. The rental service can be misused for making DS attacks easier. The presence of such computing resource rental services significantly reduce the cost of making a profit from double spending. This is because renting a required computing power for a few hours is much cheaper than building such a computing network. Indeed, nicehash.com attracts DS attackers to use their service by posting one-hour fees for renting 51% of the total computing power against dozens of blockchain networks on their website Crypto51.App (accessed on 26 November 2020).

Success by making DS attacks is possible but is believed to be difficult for a public blockchain with a large pool of mining network support. By the results in [1,6], 51% attack has been considered as the requirement for a successful DS attack [11]. This conclusion however shall be reconsidered given our result in the sequel that there are significant chances of making a good profit from DS attacks regardless of the proportion of computing power. The problem to consider, therefore, is to analyze the profitability of such attacks.

The analysis of attack profitability requires the ability to predict the time an attack will take, since the profit would be a function of time. Studies in [12,13,14,15,16,17,18,19,20] provided DS attack profitability analyses, but their time predictions were not accurate. Specifically, to make the time prediction easier, they either added impractical assumptions to the DS attack model defined by Nakamoto [1] and Rosenfeld [6] or oversimplified the time prediction formula (see Section 6 for details). Whereas, we follow the definition of DS attack in [1,6], and therefore we need to develop a new set of mathematical tools for precise analysis of attack profitability that we aim to report in this paper.

1.1. Contributions

We study the profitability of DS attacks. The concept of cut-time is introduced. Cut-time is defined to be the duration of time, from the start time to the end time of an attack. For each DS attempt, the attacker needs to pay for the cost to run his mining rig. A rational attacker would not, therefore, continue an attack indefinitely especially when operating within the regime of less than 50% computing power. To reduce the cost, the attacker needs to figure out how his attack success probability rolls out to be as the time progresses. We define that a DS attack is profitable if and only if the expected profit, the difference between revenue and cost (see Equation (33)), is positive. Our contributions are summarized into two folds:

First, we theoretically show that DS attacks can be profitable not only in the regime of 51% attack but also in the sub-50% regime where the computing power invested by the attacker is smaller than that invested by the target network. Specifically, a sufficient and necessary condition is derived for profitable DS attacks on the minimum value of target transaction. In the sub-50% regime, we also show that profitable DS attacks necessitate setting a finite cut-time.

Second, we derive novel mathematical results that are useful for an analysis of the attack success time. Specifically, the probability distribution function and the first moment expectation of the attack success time have been derived. They enable us to estimate the expected profit of a DS attack for a given cut-time. All mathematical results are numerically-calculable. All numerical examples of the theoretical results given in this paper are reproducible in our web-site (https://codeocean.com/capsule/2308305/tree).

1.2. Organization of the Paper

In Section 2, we define DS attack scenario and sufficient and necessary conditions required for successful DS attacks. Also, we define random variables that are useful in analyzing the attack profits. Section 3 comprises the analytic results of stochastics of the time-finite attack success. In Section 4, we define the profit function of DS attacks, followed by new theoretical results about the conditions for making them profitable. In Section 5, an example analysis of DS attack profitability in sub-50% regime against BitcoinCash network is given. Section 6 compares our results with related works. Finally, Section 7 concludes the paper with a summary.

2. The Attack Model

We define DS attack that we consider throughout this paper. We also define DS attack achieving (DSA) time, which is the least time spent for an occurrence of double-spending. The DSA time is a random variable derived from a random walk of Poisson counting processes (PCP).

2.1. Attack Scenario

We extend a DS attack scenario which has been considered by Nakamoto [1] and Rosenfeld [6]. Specifically, we add a time-finite attack scenario. There are two groups of miners, the normal group of honest miners and a single attacker. The normal group tends the honest chain.

When the attacker decides to launch a DS attack, he/she makes a target transaction for the payment of goods or services. In the target transaction, the transfer of cryptocurrency ownership from the attacker to a victim is written. We denote t = 0 as the time at which the last block of the honest chain has been generated. At time t = 0, the attacker announces the target transaction to normal group so that normal group starts to put it into the honest chain. At the same time t = 0, the attacker makes a fork of the honest chain which stems from the last block and builds it in secret. We refer to this secret fork as fraudulent chain. In the fraudulent chain, a fraudulent transaction is contained which alters the target transaction in a way that deceives the victim and benefits the attacker.

Before shipping goods or providing services to the attacker, the victim will obviously choose to wait for a few more blocks on the honest chain in addition to the block on which the his/her transaction has been entered, i.e., so-called block confirmation. Karame et al. [21] showed the importance of block confirmation: attackers are able to double-spend against zero block-confirmation even without mining a single block on the fraudulent chain at all. The number of blocks the victim chooses to wait for is referred to as the block confirmation number $N_{BC}\in \mathbb{N}$, which includes the block on which the target transaction is entered.

The attacker chooses to make the fraudulent chain public if his/her attack was successful. An attack is successful if the fraudulent chain is longer than the honest chain after the moment the block confirmation is satisfied. We define two necessary conditions ${\mathcal{G}}^{\left(1\right)}$, ${\mathcal{G}}^{\left(2\right)}$, for a success of DS attack:

Definition 1.

A DS attack succeeds only if there exists a DS attack achieving (DSA) time $T_{DSA}\in \left(0,\infty \right)$ such that

• ${\mathcal{G}}^{\left(1\right)}$: (block confirmation) the length of the honest chain for the duration of time $T_{DSA}$ has grown greater than or equal to N_BC, and
• ${\mathcal{G}}^{\left(2\right)}$: (success in PoW competition) the length of the fraudulent chain for the duration of time $T_{DSA}$ has grown longer than that of the honest chain.

Rational attackers will not wait for his success indefinitely since growing the attacker’s chain incurs the expense per time spent for operating the computing power. The attack thus shall put a limit to the end time to cut loss. We refer to this end time as the cut-time $t_{cut}\in {ℝ}^{+}$. A sufficient condition for the success of DS attack can be defined with applying the cut-time $t_{cut}$:

Definition 2.

For a given cut-time $t_{cut}\in {ℝ}^{+}$, the success of DS attack is declared if, and only if, there exists a DSA time $T_{DSA}\in \left(0,t_{cut}\right)$ at which ${\mathcal{G}}^{\left(1\right)}$ and ${\mathcal{G}}^{\left(2\right)}$ in Definition 1 have been achieved.

2.2. Stochastic Model

We model the conditions in Definition 2 with a stochastic model. We fit the block generation process using the PCP [22] with a given block generation rate $\lambda$ (blocks per second). Including Nakamoto [1] and Rosenfeld [6], it has been most conventional to analyze the block generation process of a blockchain using PCP. A rationale why the block generation process is modeled as PCP is given in Bowden et al. [23], where experiments show the fitness of PCP model to real data samples from a live network.

We denote the lengths of the honest chain and the fraudulent chain over time $t\in \left(0,\infty \right]$ by two independent PCPs, $H\left(t\right)\in {\mathbb{N}}_0$ with the block generation rate ${\lambda }_H$ (blocks per second) and $A\left(t\right)\in {\mathbb{N}}_0$ with the block generation rate ${\lambda }_A$, respectively. Both processes start at the time origin $t=0$ (at which the DS attack is launched) at which the both chains are at the zero states, i.e., $H\left(0\right)=A\left(0\right)=0$. Each chain independently increases at most by 1 at a time point. An increment of 1 in the counting process occurs when the pertinent network adds a new block to its chain.

We represent the difference between $A\left(t\right)$ and $H\left(t\right)$ in a discrete-time domain as a random walk $S_i\in \mathbb{Z}$ for $i\in \mathbb{N}$. For this purpose, we first define two continuous stochastic processes $M\left(t\right)$ and $S\left(t\right)$, which are respectively defined as

$$M\left(t\right):=H\left(t\right)+A\left(t\right),$$

(1)

and

$$S\left(t\right):=H\left(t\right)-A\left(t\right).$$

(2)

The first process $M\left(t\right)$ is also a PCP [22] with the rate

$${\lambda }_T:={\lambda }_A+{\lambda }_H.$$

(3)

The second process $S\left(t\right)$ is the continuous-time analog of the random walk $S_i\in \mathbb{Z}$ for $i\in \mathbb{N}$ such that

$$S_i:=S\left(T_i\right),$$

(4)

where $T_i$ is the state progression time defined by

$$T_i:= \inf \left\{ t\in {ℝ}^{+}:M\left(t\right)=i \right\},$$

(5)

which increases as $i$ increases. Random walk $S_i$ is a stationary Markov chain starting from $S_0=0$. The state transition probabilities [22] are given by

$$p_A:=\mathrm{Pr}\left(S_i=n-1|S_{i-1}=n\right)=\frac{{\lambda }_A}{{\lambda }_T},$$

(6)

and

$$p_H:=\mathrm{Pr}\left(S_i=n+1|S_{i-1}=n\right)=\frac{{\lambda }_H}{{\lambda }_T},$$

(7)

for all $i\in \mathbb{N}$ and $n\in \mathbb{Z}$. The state transition probabilities $p_H$ and $p_A$ are the proportions of computing power occupied by the normal miners and that by the attacker, respectively.

We define independent and identically distributed (i.i.d.) state transition random variables ${\Delta }_i\in \left\{\pm 1\right\}~\mathrm{Bernoulli}\left(p_H\right)$ as

$${\Delta }_i:=S_i-S_{i-1},$$

(8)

for $i\in \mathbb{N}$. Note that $S_i={\displaystyle {\sum }_{k=0}^i{\Delta }_k}$.

Definition 3.

A DS attack $\mathrm{DS}\left(p_A,t_{cut};N_{BC}\right)$ is a random experiment that picks a sample $\omega \in \Omega$. Each element $\omega$ is an infinite-length sequence of pairs of $T_i$ and ${\Delta }_i$ in Equations (5) and (8) for all $i\in \mathbb{N}$, i.e.,

$$\omega :=\left(\left(T_1,{\Delta }_1\right),\left(T_2,{\Delta }_2\right),\cdots ,\left(T_{\infty },{\Delta }_{\infty }\right)\right).$$

(9)

The set $\Omega$ is the universal set of all possible $\omega$, i.e.,

$$\Omega :=\left\{\omega \in {\left\{{ℝ}^{+}\times \left\{\pm 1\right\}\right\}}^{\infty }\right\}.$$

(10)

For given a DS sample $\omega \in \Omega$ and a state index $i\in \mathbb{N}$, we denote projections

$${\pi }_{T_i}\left(\omega \right):=T_i$$

(11)

and

$${\pi }_{{\Delta }_i}\left(\omega \right):={\Delta }_i$$

(12)

that retrieve the progression time $T_i$ and the transition ${\Delta }_i$ of the $i$-th state, respectively.

2.3. DS Attack Achieving Time

Definition 4.

For a DS sample $\omega$ of $\mathrm{DS}\left(p_A,t_{cut};N_{BC}\right)$, we define the DSA time $T_{DSA}$ which measures the least one among the state progression times ${\pi }_{T_i}\left(\omega \right)$ of state indices $i$ at which $\omega$ achieves the necessary conditions ${\mathcal{G}}^{\left(1\right)}$ and ${\mathcal{G}}^{\left(2\right)}$ in Definition 1.

To express $T_{DSA}$ as a random variable, we construct event sets ${\mathcal{D}}_j^{\left(1\right)}\subset \Omega$ and ${\mathcal{D}}_{i,j}^{\left(2\right)}\subset \Omega$. The sets ${\mathcal{D}}_j^{\left(1\right)}$ for $j\in \left\{N_{BC},N_{BC}+1,\cdots ,\infty \right\}$ consist of DS samples $\omega$ which achieves the block confirmation ${\mathcal{G}}^{\left(1\right)}$ at state $j$ for the first time. The sets ${\mathcal{D}}_{i,j}^{\left(2\right)}$ for $i\in \left\{j,j+1,\cdots ,\infty \right\}$ and $j\in \left\{N_{BC},N_{BC}+1,\cdots ,\infty \right\}$ consists of $\omega$ which achieves the success in the PoW competition ${\mathcal{G}}^{\left(2\right)}$ at state $i$ for the first time, given that ${\mathcal{G}}^{\left(1\right)}$ has been already achieved at state $j$. Subsequently, we aim for the samples $\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$ to achieve the two conditions in Definition 1 at a state pair $\left(i,j\right)$ for the first time.

Formally, we first construct a set ${\mathcal{D}}_j^{\left(1\right)}$ focusing only on the first $j$ transitions ${\Delta }_k$ for $k=1,\cdots ,j$ of DS samples $\omega \in \Omega$ with two requirements; one is that they must have $N_{BC}$ number of $+1$’s and $j-N_{BC}$ number of $-1$’s; and the other is that the $j$-th transition ${\Delta }_j$ must be $+1$ to guarantee that they have never been achieved in any states prior to the state $j$. The former requirement implies that all $\omega \in {\mathcal{D}}_j^{\left(1\right)}$ hold $S_j={\displaystyle {\sum }_{k=1}^j{\pi }_{{\Delta }_i}\left(\omega \right)}=2N_{BC}-j$. For example, when $N_{BC}=2$ and $j=5,$ a sequence $\left(+1,-1,-1,-1,+1,\cdots \right)$ of state transitions satisfies the first requirement, and also satisfies $S_j=2N_{BC}-j$.

We next construct a set ${\mathcal{D}}_{i,j}^{\left(2\right)}\subset \Omega$ which does not care about the first $j$ transitions ${\Delta }_k$ for $k=1,\cdots ,j$, but only focuses on the interim transitions ${\Delta }_m$ for $m=j+1,\cdots ,i$. By the definition, all sequences $\omega \in {\mathcal{D}}_{i,j}^{\left(2\right)}$ must achieve ${\mathcal{G}}^{\left(1\right)}$ before the $j$-th state, which implies that they must hold $S_j=2N_{BC}-j$. The rest requirement for each $\omega \in {\mathcal{D}}_{i,j}^{\left(2\right)}$ is that the state changes from starting state $S_j=2N_{BC}-j$ to state $S_i=-1$, while any interim states $S_k$ remain non-negative; i.e., $S_k\ge 0$ for each $k=j+1,\cdots ,i-1$.

The sets ${\mathcal{D}}_j^{\left(1\right)}$ for all $j$ are mutually exclusive as each of them represents the first satisfaction of the block confirmation condition exactly at the $j$-th state. For example, if $\omega \in {\mathcal{D}}_5^{\left(1\right)}$ then $\omega \notin {\mathcal{D}}_6^{\left(1\right)}$ since $\omega$ already has achieved the block confirmation at the 5-th state for the first time before reaching the 6-th state. The sets ${\mathcal{D}}_{i,j}^{\left(2\right)}$ for all $\left(i,j\right)$ are also mutually exclusive for the same reason. Thus, their intersections ${\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$ for all $\left(i,j\right)$ are also mutually exclusive.

By Definition 4, the attack achieving time $T_{DSA}$ can be measured if there exist index pairs $\left(i,j\right)$ such that $\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$. By the mutual exclusivity of ${\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$, if there exists such a pair $\left(i,j\right)$, it must be unique. In addition, if $\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$, $T_{DSA}$ equals ${\pi }_{T_i}\left(\omega \right)$, since the state progression time $T_k$ is non-decreasing as $k$ increases. As the result, $T_{DSA}$ can be rewritten as follows,

$$T_{DSA}=\left\{\begin{array}{cc}{\pi }_{T_i}\left(\omega \right),& if \exists \left(i,j\right)\in {\mathbb{N}}^2: \omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)},\\ \infty ,& otherwise.\end{array}\right.$$

(13)

3. The Attack Probabilities

We aim to calculate the probability distribution function (PDF) of the DSA time $T_{DSA}$. Using this, the success probability of DS attack with a given cut-time $t_{cut}$ can be figured out as the probability that $T_{DSA}<t_{cut}$. Also, the expectation of attack success time can be calculated. The expected attack success time will be used in Section 4 to estimate the attack profits.

From Equation (13), the PDF of $T_{DSA}$ requires the probabilities of two random events: one is the state progression time $T_i$ in Equation (5); and the other is the event that a given state index $i$ satisfies $\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$. It has been well known that $T_i$ follows Erlang distribution [22] given as

$$f_{T_i}\left(t\right)=\frac{{\lambda }_T{\left({\lambda }_{T}t\right)}^{i-1}{e}^{-{\lambda }_{T}t}}{\left(i-1\right)!}.$$

(14)

We provide the probability for the latter event, i.e., $p_{DSA}{}_{,i}=$ $\mathrm{Pr}\left(\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}\right)$ in the following Lemma 1:

Lemma 1.

For a sample $\omega$ of random experiment $\mathrm{DS}\left(p_A,t_{cut};N_{BC}\right),$ the probability $p_{DSA,i}=$ $\mathrm{Pr}\left(\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}\right)$ can be computed as

$$p_{DSA,i}={\displaystyle \sum _{j=N_{BC}}^{j=2N_{BC}}\left(\begin{array}{c}j-1\\ N_{BC}-1\end{array}\right)C_{\frac{i-1}{2}-N_{BC},2N_{BC}-j}{p}_A{}^{\frac{i+1}{2}}{p}_H{}^{\frac{i-1}{2}}}+\left(\begin{array}{c}i-1\\ N_{BC}-1\end{array}\right)p_H{}^{N_{BC}}{p}_A{}^{i-N_{BC}}$$

(15)

for odd $i>2N_{BC}$ , where $C_{n,m}$ is the ballot number [24] given by

$$C_{n,m}:=\left\{\begin{array}{cc}\frac{m+1}{n+m+1}\left(\begin{array}{c}2n+m\\ n\end{array}\right),& n,m\in {\mathbb{Z}}^{+}\cup \left\{0\right\},\\ 0,& otherwise,\end{array}\right.$$

(16)

and for $i\le 2N_{BC}$ and for all even-numbered $i$, $p_{DSA,i}=0$.

Proof. 

See Appendix A. □

By taking infinite summations of $p_{DSA,i}$ in Lemma 1 for all indices $i\in \mathbb{N}$, we can compute the probability ${\mathbb{P}}_{DSA}$ that a DS attack will ever achieve the necessary conditions in Definition 1.

Corollary 1.

For a sample $\omega$ of random experiment $\mathrm{DS}\left(p_A,t_{cut};N_{BC}\right)$ with $t_{cut}=\infty$ , the probability ${\mathbb{P}}_{DSA}$ has an algebraic expression

$${\mathbb{P}}_{DSA}=\left\{\begin{array}{cc}1,& p_H\le p_A,\\ 1-p_A{}^{N_{BC}+1}{p}_H{}^{N_{BC}}{\displaystyle \sum _{j=N_{BC}}^{2N_{BC}}\left(\begin{array}{c}j-1\\ N_{BC}-1\end{array}\right)A_j,}& p_H>p_A,\end{array}\right.$$

(17)

where

$$A_j:=p_A{}^{j-2N_{BC}-1}-p_H{}^{j-2N_{BC}-1}.$$

(18)

Proof. 

See Appendix B. □

From Equation (13), the PDF of $T_{DSA}$ follows the PDF of $T_i$ at a given state index $i$, if at which it holds that $\omega \in {\mathcal{D}}_j^{\left(1\right)}\cap {\mathcal{D}}_{i,j}^{\left(2\right)}$, with the probability of $p_{DSA,i}$. If there does not exist such an index $i$, with the probability of $1-{\mathbb{P}}_{DSA}$, then $T_{DSA}=\infty$. Thus, we can write the PDF $f_{T_{DSA}}$ of $T_{DSA}$ as follows,

$$\begin{array}{ll}{f}_{T_{DSA}}\left(t\right)=& {\displaystyle \sum _{i=2N_{BC}+1}^{\infty }{p}_{DSA,i}{f}_{T_i}\left(t\right)}\\ & +\left(1-{\mathbb{P}}_{DSA}\right)\delta \left(t-\infty \right),\end{array}$$

(19)

where $\delta \left(t\right)$ is the Dirac delta function.

Proposition 1.

The PDF $f_{T_{DSA}}$ has an analytic expression:

$$\begin{array}{l}{f}_{T_{DSA}}\left(t\right)=\frac{p_A{\lambda }_T{e}^{-{\lambda }_{T}t}{\left(p_A{p}_H{\left({\lambda }_{T}t\right)}^2\right)}^{N_{BC}}}{\left(2N_{BC}\right)!}\cdot {\displaystyle \sum _{j=N_{BC}}^{j=2N_{BC}}\left(\begin{array}{c}j-1\\ N_{BC}-1\end{array}\right)}{ }_2{F}_3\left(a;b;p_A{p}_H{\left({\lambda }_{T}t\right)}^2\right)\\ +\frac{e^{-{\lambda }_{T}t}}{t}\frac{{\left(p_H{\lambda }_{T}t\right)}^{N_{BC}}}{\left(N_{BC}-1\right)!}\left(e^{p_A{\lambda }_{T}t}-{\displaystyle \sum _{i=0}^{N_{BC}}\frac{{\left(p_A{\lambda }_{T}t\right)}^i}{i!}}\right)+\left(1-{\mathbb{P}}_{DSA}\right)\delta \left(t-\infty \right),\end{array}$$

(20)

where ${}_p{F}_q\left(a;b;x\right)$ is the generalized hypergeometric function (See Appendix E for definition) with the parameter vectors

$$a=\left[\begin{array}{c}{N}_{BC}+1-j/2\\ N_{BC}+1/2-j/2\end{array}\right]$$

(21)

and

$$b=\left[\begin{array}{c}2N_{BC}+2-j\\ N_{BC}+1\\ N_{BC}+1/2\end{array}\right].$$

(22)

Proof. 

See Appendix C. □

By Definition 2, the probability ${\mathbb{P}}_{AS}$ that a DS attack $\mathrm{DS}\left(p_A,t_{cut};N_{BC}\right)$ succeeds equals

$${\mathbb{P}}_{AS}\left(t_{cut}\right)=\mathrm{Pr}\left(T_{DSA}<t_{cut}\right)$$

(23)

Note that for a special case of $t_{cut}=\infty$, ${\mathbb{P}}_{AS}\left(t_{cut}\right)={\mathbb{P}}_{DSA}$, which coincides with the result in Rosenfeld [6].

It will be shown to be convenient to define the attack success time $T_{AS}$ of a DS attack as

$$T_{AS}:=\left\{\begin{array}{cc}{T}_{DSA},& if T_{DSA}<t_{cut},\\ \mathrm{not} \mathrm{defined},& otherwise.\end{array}\right.$$

(24)

A random variable for $T_{DSA}>t_{cut}$ does not need to be defined since it is not useful. The PDF $f_{T_{AS}}$ of $T_{AS}$ is just a scaled version of $f_{T_{DSA}}\left(t\right)$ for $0<t<t_{cut}$, which is given in Equation (20), with a scaling factor of ${\mathbb{P}}_{AS}{}^{-1}$. Formally, the PDF $f_{T_{AS}}\left(t\right)$ equals

$$f_{T_{AS}}\left(t\right)=\left\{\begin{array}{cc}\frac{f_{T_{DSA}}\left(t\right)}{{\mathbb{P}}_{AS}},& for 0\le t<t_{cut},\\ 0,& for t\ge t_{cut}.\end{array}\right.$$

(25)

The expectation of attack success time is computed as

$${𝔼}_{T_{AS}}\left(t_{cut}\right)=\frac{{\displaystyle {\int }_0^{t_{cut}}t{f}_{T_{DSA}}\left(t\right)dt}}{{\mathbb{P}}_{AS}\left(t_{cut}\right)}.$$

(26)

The following Proposition 2 gives an explicit formula of ${𝔼}_{T_{AS}}$ for the special case when $t_{cut}=\infty$.

Proposition 2.

Let $p_M:=\max \left(p_A,p_H\right),$ $p_m:=\min \left(p_A,p_H\right).$ If $t_{cut}=\infty$ , the expectation ${𝔼}_{T_{AS}}\left(t_{cut}\right)$ has a closed-form expression:

$$\underset{t_{cut}\to \infty }{\lim }{𝔼}_{T_{AS}}\left(t_{cut}\right)=\frac{{\lambda }_T{}^{-1}\left({\displaystyle \sum _{j=N_{BC}}^{2N_{BC}}\left(\begin{array}{c}j-1\\ N_{BC}-1\end{array}\right)Z_j}+\frac{N_{BC}}{p_H}\right)}{{\mathbb{P}}_{DSA}},$$

(27)

where

$$Z_j:=p_A{p}_m{}^{N_{BC}}{p}_M{}^{-\left(N_{BC}-j+1\right)}\left(\frac{2N_{BC}-2j{p}_m+1}{p_M-p_m}\right)-j{p}_A{}^{-\left(N_{BC}-j\right)}{p}_H{}^{N_{BC}}.$$

(28)

Proof. 

See Appendix B. □

4. Profitable DS Attacks

The previous probabilistic analyses in [1,6] have shown that the success of DS attacks is not guaranteed when $p_A<0.5$. However, DS attacks with $p_A<0.5$ can be vigorously pursued as long as they bring profit.

We analyze the profitability of DS attacks and to this end, we define a profit function $P$ of a DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$, where $C$ is the value of a fraudulent transaction, in terms of revenue and operating expense (OPEX) of the computing power.

The OPEX $X$ (e.g., the rental fee for the computing power) and the block mining reward $R$ tend to increase with respect to ${\lambda }_A$ and the time $t$ consumed during the attack. Thus, $X$ and $R$ are expressed as functions of ${\lambda }_A$ and $t$, and they can be any increasing function; e.g., linear, exponential, or logarithm. We define $X$ and $R$, respectively, as follows:

$$X\left({\lambda }_A,t\right):=\gamma {\lambda }_{A}t{\left({\log }_{x_1}{x}_2\right)}^{{\lambda }_A}{\left({\log }_{x_3}{x}_4\right)}^t$$

(29)

for real constants $\gamma >0$, $x_1,x_2>1$, and $x_3,x_4>1$, and

$$R\left({\lambda }_A,t\right):=\beta {\lambda }_{A}t{\left({\log }_{r_1}{r}_2\right)}^{{\lambda }_A}{\left({\log }_{r_3}{r}_4\right)}^t$$

(30)

for real constants $\beta >0$, $r_1,r_2>1$, and $r_3,r_4>1$. We denote the ratio of $\gamma$ and $\beta$ by

$$\mu :=\beta {\gamma }^{-1}.$$

(31)

With regards to $P$, if an attack succeeds, the revenue comes from $C$, as it is double-spent, added to $R$ for the number of blocks mined during the time duration $T_{AS}$, i.e., $R\left({\lambda }_A,T_{AS}\right)$. In this case, the cost is the OPEX for the time duration $T_{AS}$, i.e., $X\left({\lambda }_A,T_{AS}\right)$. If the attack fails, the cost is the OPEX $X\left({\lambda }_A,t_{cut}\right)$ for the time duration $t_{cut}$, and there is no revenue. Hence, for a DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$, we define $P$ as follows,

$$P:=\left\{\begin{array}{cc}C+R\left({\lambda }_A,T_{AS}\right)-X\left({\lambda }_A,T_{AS}\right),& if T_{DSA}<t_{cut},\\ -X\left({\lambda }_A,t_{cut}\right),& otherwise.\end{array}\right.$$

(32)

Subsequently, the expected profit function is

$$\begin{array}{ll}{𝔼}_P& ={\mathbb{P}}_{AS}\left(t_{cut}\right)\cdot \left(C+𝔼\left[R\left({\lambda }_A,T_{AS}\right)\right]-𝔼\left[X\left({\lambda }_A,T_{AS}\right)\right]\right)-\left(1-{\mathbb{P}}_{AS}\left(t_{cut}\right)\right)X\left({\lambda }_A,t_{cut}\right)\\ & ={\mathbb{P}}_{AS}\left(t_{cut}\right)\cdot \left(C+𝔼\left[R\left({\lambda }_A,T_{AS}\right)\right]\right)-{𝔼}_X,\end{array}$$

(33)

where ${𝔼}_X$ is the expected OPEX defined as

$${𝔼}_X:={\mathbb{P}}_{AS}\left(t_{cut}\right)𝔼\left[X\left({\lambda }_A,T_{AS}\right)\right]+\left(1-{\mathbb{P}}_{AS}\left(t_{cut}\right)\right)X\left({\lambda }_A,t_{cut}\right).$$

(34)

Definition 5.

A DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$ is said to be profitable if and only if the expected profit ${𝔼}_P>0$ , where ${𝔼}_P$ is defined in Equation (33).

The key factor in determining the profitability of DS attacks is the value C of the fraudulent transaction. Thus, attackers would be interested in the minimum value required for profitable DS attacks [25]. Definition 5 implies that a DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$ is profitable if and only if $C>C_{\mathrm{Req}.}$, where the required value of target transaction $C_{\mathrm{Req}.}$ is

$$C_{\mathrm{Req}.}=\frac{{𝔼}_X}{{\mathbb{P}}_{AS}}-𝔼\left[R\left({\lambda }_A,T_{AS}\right)\right].$$

(35)

The following results in Theorem 1 and Theorem 2 focus on the case where both $X\left({\lambda }_A,t\right)$ and $R\left({\lambda }_A,t\right)$ are linearly increasing functions of ${\lambda }_A$ and $t$.

Theorem 1.

Suppose $x_1=x_2$ and $x_3=x_4$ in Equation (29), and $r_1=r_2$ and $r_3=r_4$ in Equation (30). Then, a DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$ for any $p_A\in \left(0,1\right)$ and for any $t_{cut}\in \left(0,\infty \right]$ is profitable if and only if $C>C_{\mathrm{Req}.}$, where

$$C_{\mathrm{Req}.}=\frac{\left(1-{\mathbb{P}}_{AS}\left(t_{cut}\right)\right)}{{\mathbb{P}}_{AS}\left(t_{cut}\right)}\gamma {\lambda }_A{t}_{cut}-\left(\mu -1\right)\gamma {\lambda }_A{𝔼}_{T_{AS}}\left(t_{cut}\right).$$

(36)

Proof. 

Substituting $x_1=x_2$, $x_3=x_4$, $r_1=r_2$, and $r_3=r_4$ into Equation (35) results in Equation (36). □

Theorem 1 shows that not only superior attackers with $p_A\in \left(0.5,1\right)$ but also inferior attackers with $p_A\in \left(0,0.5\right)$ are able to expect profitable DS attacks once a high enough value $C$ greater than $C_{\mathrm{Req}.}$ of the target transaction is designed. The condition $C_{\mathrm{Req}.}$ in Equation (36) can be pre-computed before carrying out an attack, as it stochastically estimates the future expected cost, for a given position $p_A\in \left(0,1\right)$ and a cut-time $t_{cut}$ of an attacker, and a given set of network environment parameters $\gamma$ and $\beta$.

Table 1. Numerical computations of required resources for profitable double-spending (DS) attacks with $p_A=0.35$ when $t_{cut}=c{N}_{BC}{\lambda }_H^{-1}$ with $c=4$.

$$\mathbf{Block} \mathbf{Confirmation} \mathbf{Number} \left(N_{BC}\right)$$	1	3	5	7	9
$$\mathrm{Attack} \mathrm{success} \mathrm{probability} \left({\mathbb{P}}_{AS}\right)$$	0.315	0.279	0.218	0.170	0.132
$$\begin{gathered} \mathrm{Expected} \mathrm{attack} \mathrm{success} \mathrm{time} \left({𝔼}_{T_{AS}}\right) \\ (\mathrm{Scaled} \mathrm{by} {\lambda }_H{}^{-1}) \end{gathered}$$	2.004	5.518	8.681	11.694	14.607
$$\mathrm{Expected} \mathrm{OPEX} ({𝔼}_X)(\mathrm{Scaled} \mathrm{by} \gamma )$$	1.815	5.487	9.440	13.588	17.859
$$\mathrm{Required} \mathrm{value} \mathrm{of} \mathrm{target} \mathrm{transaction} (C_{\mathrm{Suf}.})(\mathrm{Scaled} \mathrm{by} \gamma )$$	$$1.079\cdot \left(1-\mu \right) + 4.680$$	$$2.971\cdot \left(1-\mu \right) + 16.68$$	$$4.675\cdot \left(1-\mu \right) + 38.62$$	$$6.297\cdot \left(1-\mu \right) + 73.84$$	$$7.866\cdot \left(1-\mu \right) + 127.00$$

and

Table 2. Numerical computations of required resources for profitable DS attacks with $p_A=0.4$ when $t_{cut}=c{N}_{BC}{\lambda }_H^{-1}$ with $c=4$.

$$\mathbf{Block} \mathbf{Confirmation} \mathbf{Number} \left(N_{BC}\right)$$	1	3	5	7	9
$$\mathrm{Attack} \mathrm{success} \mathrm{probability} \left({\mathbb{P}}_{AS}\right)$$	0.411	0.419	0.376	0.334	0.297
$$\mathrm{Expected} \mathrm{attack} \mathrm{success} \mathrm{time} \left({𝔼}_{T_{AS}}\right)(\mathrm{Scaled} \mathrm{by} {\lambda }_H{}^{-1})$$	1.953	5.338	8.434	11.418	14.325
$$\mathrm{Expected} \mathrm{OPEX} ({𝔼}_X)(\mathrm{Scaled} \mathrm{by} \gamma )$$	2.106	6.139	10.436	14.977	19.716
$$\mathrm{Required} \mathrm{value} \mathrm{of} \mathrm{target} \mathrm{transaction} (C_{\mathrm{Suf}.})(\mathrm{Scaled} \mathrm{by} \gamma )$$	$$1.302\cdot \left(1-\mu \right) + 3.819$$	$$3.559\cdot \left(1-\mu \right) + 11.10$$	$$5.622\cdot \left(1-\mu \right) + 22.15$$	$$7.612\cdot \left(1-\mu \right) + 37.25$$	$$9.550\cdot \left(1-\mu \right) + 56.96$$

list the resources including $C_{\mathrm{Req}.}$, ${𝔼}_X$, and ${𝔼}_{T_{AS}}$ required for profitable DS attacks respectively using $p_A=0.35$ and $p_A=0.4,$ when $t_{cut}=c{N}_{BC}{\lambda }_H^{-1}$ with $c=4$. Note that the expectation of the time spent for the block confirmation equals $N_{BC}{\lambda }_H^{-1}$, and we let $t_{cut}$ linear to it. In other words, as normal traders wait for $N_{BC}{\lambda }_H^{-1}$ seconds on the average, attackers shall be tolerable as well and wait for the same scale of time duration. Note that the ${\mathbb{P}}_{AS}$ for $N_{BC}=1$ is smaller than that for $N_{BC}=3$ due to not long enough $t_{cut}$. We scaled the results by parameters ${\lambda }_H$ and $\gamma$, which we will explain how to obtain from the internet in the next subsection.

The following Theorem 2 is for the inferior attackers with $p_A\in \left(0,0.5\right)$ and shows the importance of setting a finite $t_{cut}$.

Theorem 2.

Suppose $x_1=x_2$ and $x_3=x_4$ in Equation (29), and $r_1=r_2$ and $r_3=r_4$ in Equation (30). Then, a DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$ with $p_A\in \left(0,0.5\right)$ is profitable only if $t_{cut}<\infty$.

Proof. 

For any $p_A\in \left(0,0.5\right)$, it always holds that ${\mathbb{P}}_{AS}<1$. In this case, if $t_{cut}\to \infty$ then $C_{\mathrm{Req}.}\to \infty$ from Equation (36); i.e., infinite value $C$ of fraudulent transaction is required for a DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$ to be profitable. Thus, for a DS attack with $p_A\in \left(0,0.5\right)$ to be profitable, a finite cut-time $t_{cut}<\infty$ must be set. □

Theorem 2 shows that for $p_A\in \left(0,0.5\right)$, setting $t_{cut}=\infty$ is expected to incur infinite deficit. On the contrary, for $p_A\in \left(0.5,1\right)$, what we have numerically checked out but omitted due to space limitation is the result that ${𝔼}_P$ is an increasing function of $t_{cut}$; i.e., setting $t_{cut}=\infty$ is the optimal choice in the superior attack regime. Applying $p_A\in \left(0.5,1\right)$ and $t_{cut}=\infty$ into Equation (36) leads to ${\mathbb{P}}_{AS}=1$, and thus $C_{\mathrm{Req}.}$ turns into

$$C_{\mathrm{Req}.}=-\left(\mu -1\right)\gamma {\lambda }_A{𝔼}_{T_{AS}},$$

(37)

where a closed-form expression of ${𝔼}_{T_{AS}}$ is given in Proposition 2. In this case, if $\beta >\gamma$; i.e., $\mu >1$, DS attacks are always profitable regardless of $C$. According to nicehash.com, most networks maintain $\beta >\gamma$ by the economic equilibrium. As the result, in addition to the results in [1] and [6] that DS attacks with $p_A\in \left(0.5,1\right)$ guarantee probabilistic success, we show that such attacks guarantee economic gain as well.

5. Practical Example of Profitable DS Attacks against BitcoinCash

We analyze resources required for profitable DS attacks against BitcoinCash network. The resources include the computing power proportion $p_A$, expected OPEX ${𝔼}_X$, expected attack success time ${𝔼}_{T_{AS}}$, and the required value of fraudulent transaction $C_{\mathrm{Req}.}$.

To this end, we first recall the parameters involved in block mining reward $R$ and the OPEX $X$. The parameters used in Equation (29) and Equation (30) are assumed to $x_1=x_2$, $x_3=x_4$, $r_1=r_2$, and $r_3=r_4$ which lead to linear functions $X\left({\lambda }_A,t\right)$ and $R\left({\lambda }_A,t\right)$ with respect to ${\lambda }_A$ and $t$. There are three more parameters: $\gamma$, $\beta$, and ${\lambda }_H{}^{-1}$. From Equation (29) and Equation (30), the parameter $\gamma$ is the expected cost spent per generating a block; and the parameter $\beta$ is the reward per generating a block. Parameter ${\lambda }_H{}^{-1}$ is the average block generation time of the honest chain. All the parameters are different for each blockchain network.

In BitcoinCash, the reward $\beta$ per block mining was 12.5 BCH (without transaction fees), which is around $\beta =0.44$ BTC per block mining (as of 26 February 2020). The average block generation time was fixed at ${\lambda }_H{}^{-1}=600$ seconds.

The parameter $\gamma$ is obtainable from nicehash.com. BitcoinCash uses the SHA-256 cryptographic puzzle for which the unit of computation is hash. As of 26th Feb. 2020, the rental fee for 1-peta (P) hashes per second for a day was around 0.017 BTC, which was around $1.97\times {10}^{-7}$ BTC per second. In other words, the rental fee was approximately $1.97\times {10}^{-22}$ BTC per the computing of a hash. Referring to BTC.com, the network’s computing speed is 3.57-exa (E) hashes per second; i.e., $3.57\mathrm{E}\cdot 600=2142\mathrm{E}$ hashes are needed to generate one block on the average. As the result, the parameter $\gamma$ is obtained as

$$\begin{array}{c}\gamma =1.97\times {10}^{-22} \left[\mathrm{BTC}/\mathrm{hash}\right]\times 2142\mathrm{E}\left[\mathrm{hashes}/\mathrm{block} \mathrm{mining}\right]\\ \approx 0.422 \left[\mathrm{BTC}/\mathrm{block} \mathrm{mining}\right].\end{array}$$

(38)

Note that it holds $\beta >\gamma$. From Equation (37), this relationship makes DS attack $\mathrm{DS}\left(C,p_A,t_{cut};N_{BC}\right)$ with $p_A>0.5$ and $t_{cut}=\infty$ always profitable regardless of the value $C$ of target transaction.

In case of DS attacks with $p_A<0.5$, the cut-time $t_{cut}$ must be determined as a finite value for profitable DS attacks by Theorem 2. We set $t_{cut}=c{N}_{BC}{\lambda }_H^{-1}=12000$ seconds with $c=4$ and $p_A=0.35$. We compute the resources required for profitable DS attacks against BitcoinCash when $N_{BC}=5$. Results are obtainable from the values in Table 1 and Table 2 by multiplying the scaling parameters $\gamma =0.422$ and ${\lambda }_H{}^{-1}=600$ and by substituting $\mu =\beta {\gamma }^{-1}=1.04$ and $c=4$.

As the results, we obtain ${\mathbb{P}}_{AS}\approx 0.218$, ${𝔼}_{T_{AS}}\approx 5200$ seconds, ${𝔼}_X\approx 3.98$ BTC, and $C_{\mathrm{Req}.}\approx 16.22$ BTC. One can compute expected running time; i.e., the expected time spent for a single DS attack attempt as ${\mathbb{P}}_{AS}{𝔼}_{T_{AS}}+\left(1-{\mathbb{P}}_{AS}\right)t_{cut}$, which is around 2 h and 55 min. That is to say, attackers can repeatedly perform $n$ number of attacks every 2 h and 55 min on the average. With the value $C$ of target transaction, by the strong law of large numbers, the multiple attack attempts will return net profit $n{P}_{AS}\left(t_{cut}\right)\cdot \left(C-C_{\mathrm{Re}q.}\right)$ as $n\to \infty$ with probability 1.

6. Related Works

By Nakamoto [1] and Rosenfeld [6], the probabilities have been studied that a DS attack will ever succeed when there is no time limit, i.e., the cut-time is set to $t_{cut}=\infty$. Both of them applied PCPs to model the growth of chains $H\left(t\right)$ and $A\left(t\right)$. On one hand, the main difference between them was in probability calculations of the block confirmation process in Definition 1. Rosenfeld applied the PCPs to both $H\left(t\right)$ and $A\left(t\right)$, whereas Nakamoto assumed the time spent for $H\left(t\right)\ge N_{BC}$ deterministic to simplify the calculation. On the other hand, they both used the gambler’s ruin approach to obtain the asymptotical behavior of $S_i$ as $i\to \infty$ by manipulating the recurrence relationship between two adjacent states. Namely, their results are based on an assumption that an indefinite number of attack chances are given [12].

On the contrary, we introduce the cut-time $t_{cut}$ which generalizes analytical framework to the more interesting finite attack time and inferior attacker regime. By setting $t_{cut}$ infinite, the same result ${\mathbb{P}}_{DSA}$ was obtained in [6] as well. By setting a finite $t_{cut}$, our results shall be useful when attack chances are limited due to limited amount of resources such as time and cost. In addition, we show in Theorem 2 that DS attacks with $p_A<0.5$ must set a finite $t_{cut}$ in order to expect a non-negative profit. It shall be noted that there has been no intermediate result like $p_{DSA,i}$ in Lemma 1. We use Lemma 1 to derive the novel results.

Rosenfeld [6] and Bissias et al. [13] have analyzed the profitability of DS attacks. However, they put additional assumptions on the attack scenario to simplify the calculation of the attack time. Specifically, Rosenfeld assumed the attack time to be a constant. Bissias et al. assumed that the attack stops if either the normal peers or the attacker achieves the block confirmation first. On the contrary, in our model, an attack can be continued for a random attack time as long as it brings profit, even if the normal peers achieve the block confirmation before the attacker does.

In Zaghloul et al. [14], the profit of DS attack has been analyzed. Interestingly, they have discussed the need of cut-time for DS attacks with $p_A<0.5$, which is theoretically proven in this paper in Theorem 2. They also calculated the profit of DS attacks with a finite time-limit (see Section IV-C in [14]), but their calculation was not as precise as ours in three points:

First, the probability of attack success within a finite time-limit, i.e., ${\mathbb{P}}_{AS}\left(t_{cut}\right)$ in Equation (23) was never considered, which requires the distribution of the DS achieving time, i.e., T_DSA given in Proposition 1. Instead, their calculation used ${\mathbb{P}}_{DSA}$ referring to the result in Rosenfeld [6]. This contradicts their time-limited attack scenario, since ${\mathbb{P}}_{DSA}$ in [6] was resulted from the assumption of infinite time-limit.

Second, they approximated costs and revenues of DS attack spent within a time-limit. Estimation of the costs and revenues requires estimations of the numbers of blocks respectively mined by honest nodes and attackers within a time-limit, but those were assumed to be constant. This was due to the absence of the time analysis we provide in Proposition 1.

Third, they assumed the average block generation rates ${\lambda }_H$, ${\lambda }_A$ respectively by honest miners and by attackers are always the same. Since, the proportions $p_H$, $p_A$ of computing power occupied by the two groups can be quite different in general, such a result is not very useful. We agree to their assumption that most blockchains control the difficulty of block mining puzzle to keep the average speed of block generation constant, and thus ${\lambda }_H$ can be considered as a constant. However, ${\lambda }_A$ should be left as a varying quantity by $p_A$. The fact is that the computing power invested by the attacker cannot be monitored by the honest network and thus it cannot be reflected in the difficulty control routine.

Budish [15] conducted simulations on the profitability of DS attacks only in the cases of $p_A>0.5$. Under the cases, a condition on the value of the target transaction that makes DS attacks not profitable has been given based on the simulations. We give theoretical and numerically-calculable results for any $p_A\in \left(0,1\right)$, which do not require massive simulations.

Gervais et al. [16] and Sompolinsky et al. [12] have used a Markov decision process (MDP) to analyze profits from DS attacks. These works differ from our contributions in the following regards:

First, they did not follow the DS attacks scenario considered by Nakamoto [1] and Rosenfeld [6]. Instead, the scenario in [12] was a special case of the pre-mining strategy which was introduced in [17,18]. We show that the success of DS attack under this scenario is even more difficult to occur than the success of the DS attack under the scenario of Nakamoto and Rosenfeld (see Appendix D for details). Also, the attack scenario in [16] went even further by modifying the condition for block confirmation in Definition 1. Specifically, under our definition, it is required for the honest chain to have added $N_{BC}$ blocks, while under their condition it was fraudulent for the chain to do so (see Section 3 of [16]). Thus, it was not ensured that the potential victim has shipped the goods or service, and an attack success did not guarantee for the attacker to obtain the benefit of attacking.

Second, one important new advance in this paper is the derivation of the time analysis $f_{T_{AS}}$ given in Proposition 1. When one uses the MDP framework, one can obtain similar information such as the estimations for the attack success time $E_{T_{AS}}$, the future profit P that an attacker will earn in the end, and the minimum value of target transaction $C_{\mathrm{Req}.}$. However, using MDP to make such estimations would have required extensive Monte Carlo simulations. Using our mathematical results, such estimations can be obtained without Monte Carlo simulations.

In addition, we believe that our mathematical results can be utilized in the MDP frameworks to improve the reliability of analyses. Conventionally, a rational user of an MDP will make a decision at every state whether to stop or to continue the process by comparing the rewards that will be incurred in the future by his/her decision. The rewards for stop actions are clear because such actions are either an attack success or a give-up. The reward for the continue action is complex because it needs to consider all the actions in all future possible states as well. In [12,16], the rewards for the continue action were over-simplified as they were evaluated only for the very next state and did not include the estimation of the profits in further future actions. To improve the reliability, the PDF $f_{T_{AS}}$ in Proposition 1 can be used at any intermediate Markov state to estimate the future profits. Specifically, the conditional expectation of the time left for an attack success $T_{AS}$ given $T_{AS}>\tau$ can be calculated using $f_{T_{AS}}$, where $\tau$ is the observable time elapsed for reaching the current state. Once the time left is estimated, the estimation of future profits can be updated by substituting it into Equation (33). That is to say, at each state, the estimation of profits can be updated and used as the rewards resulting from the continue action.

Goffard [19] and Karame et al. [20] have derived the PDFs of attack success time, but none of their DS attack scenarios matched with ours in Definition 1. In [19], Goffard derived the PDF of catch-up time spent for the fraudulent chain to catch up with the honest chain given that the length of honest chain is initially ahead by several blocks. The author used counting processes such as order statistic point process and renewal process which are more general than PCP, but there was no analytic result similar to what is given in Proposition 1. In [20], Karame et al. derived the PDF of the first attack success time under a fast-payment model which fixed $N_{BC}=0$. To sum up, the attack success time in neither analysis included the time spent for achieving the first condition: the block confirmation should be realized.

7. Discussion and Conclusions

We showed that DS attacks using 50% or a lower proportion of computing power can be profitable and thus quite threatening. We provided how much quantitative resources are required to make a profitable DS attack. We derive the PDF of attack success time which enables us to figure out the operating time and the expense of mining rigs. We provided MATLAB codes on the website (https://codeocean.com/capsule/2308305/tree) for numerical evaluation of the expected profit function in Equation (33). We also listed an example of the minimum resources required for a profitable DS attack, which is applicable to any blockchain networks by substituting the network parameters $\gamma$, $\beta$, and ${\lambda }_H$. We also showed a more specific example of the required resources against BitcoinCash network.

Our results quantitatively guide how to set a block confirmation number for a safe transaction. The lower the block confirmation number is, the lower the minimum resource is required for a profitable attack. A solution can be utilized by the network developers to discourage such an attack. On the one hand, given a block confirmation number, we can have the value of any transaction to be set below the required value of making a profitable attack in a given network. On the other hand, given the value of transaction, the network can provide a service to inform the payee with the lowest block confirmation number that leads to negative DS attack profit.