Achieving Security in Proof-of-Proof Protocol with Non-Zero Synchronization Time

Abstract

Among the most significant problems that almost any blockchain faces are the problems of increasing its throughput (i.e., the number of transactions per unit of time) and the problem of a long waiting time before block confirmation. Thus, for example, in the most common BTC blockchain, according to various estimates, throughput is from 3 to 7 tps (transactions per second), and the average block confirmation time (block is considered confirmed if it has at least 6 blocks over it) is 1 h. At the same time, it is impossible to solve these problems directly by increasing the block size or increasing block generation intensity because this leads to essentially a decrease in the security of the blockchain in the first turn against double spend and splitting attacks. Such problems lead to the inconvenience of the practical use of cryptocurrencies to pay for goods and services. Proposed a few years ago, the PoP consensus protocol potentially helps to solve the problem of increasing blockchain throughput, although it was originally intended to ensure the stability of “young” blockchains, with “small” PoW, through the use of a secure blockchain, such as BTC. A blockchain that has provable security is called the security-provided blockchain (SPB), and one that uses SPB to achieve its security is called the security-inherited blockchain. In this paper, we give explicit formulas which describe how the number of confirmation blocks in the security-inherited blockchain, which is sufficient to achieve a given security level of this blockchain to a double spend attack, depends on the parameters of both blockchains. It is essential that we use a realistic model to obtain the results, taking into account the synchronization times of both blockchains. Such a model is much closer to the real situation, but at the same time, it leads to significant analytical difficulties in obtaining results. The obtained formulas are convenient for numerical calculations, the numerous examples of which are also given in this work.

1. Introduction

This paper aims to analyze the security of the Proof-of-Proof (PoP) protocol described in [1]. The primary purpose of this protocol is to strengthen any “light” blockchain–blockchain, where blocks are created with small Proof-of-Work (PoW), but it may also be applied to blockchains with arbitrary consensus protocols to increase their security by binding to a blockchain, which is provably secure.

Note that block intensity generation may be relatively high for blockchains with “small” PoW, so transactions are processed quicker than in a classical “heavy” and secure blockchain. However, it is known that the security of blockchain (for example, against double-spend attacks) decreases when block intensity generation increases. According to various estimates, the number of transactions per second is expected to range from 3 to 7 for the secure BTC blockchain, with the desired speed of up to several thousand. We can say that such “light” blockchains increase throughput and lose out in security. This is the case when the PoP protocol can be used to provide a sufficient level of security for such “light” blockchains with high throughput (or even for blockDAG, but after some significant modification). In other words, it helps to solve one of the main problems of blockchains—the low network throughput.

In the available literature, we can find a plethora of different suggestions for increasing the throughput. These suggestions can be roughly divided into two types:

• Transition from blockchain to block graph (DAG—directed acyclic graph);
• Use various “add-ons” over the blockchain.

The first type includes papers [2,3,4,5,6]. The authors of these papers announce improvements in both throughput and latency until the transaction is fully confirmed. However, none of these papers contains rigorous proofs of the stated results, semiempirical explanations are, at best, what they provide. Some of them also have serious mathematical errors (for example, refs. [2,3,4,5]).

Papers of the second type [7,8,9,10] contain more substantiated statements and more rigorous proofs. However, they solve only one of the existing problems—increasing the throughput. The second currently remains unresolved.

The main idea of the second type of papers is that, in addition to the classic “secure and stable” blockchain (with “slow” block generation, with liveness and consistence properties), which is called MainChain (MC), one can generate additional “separate” blocks or even blockchains that can be produced as quickly as you like (with minimal PoW or Proof-of-Stake (PoS)). Here, we will call such blockchains SideChains (SCs), though they may also have other names (parachain, fruitchain, and so on). SC blocks can refer to each other and to the MainChain. MC blocks (or some of them) may refer directly to SC blocks or may contain some information about a recent SC block, which can be considered as some type of reference.

The SC block B is considered stable (i.e., such that its transactions are irreversible with a probability close to 1) if it is referenced by any stable block of the MC blockchain. That is, the stabilization of a SC block is still a consequence of stabilizing the corresponding block from the MC. Therefore, the time until the block stabilizes remains long.

The PoP protocol suggested in [1] can also be classified as a type 2 blockchain, but its main difference from the protocols indicated in [7,8,9,10,11] is that it uses a “foreign” blockchain as an MC (for instance, BTC blockchain). In this case, there should be a “two-way” communication with the blockchains (i.e., references).

The Veriblock (VB) blockchain with PoP consensus refers to blocks from the MC, and the MC must, at certain limited intervals, refer to the VB. The blockchain that is the $\mathrm{MC}$ is called a security-provided blockchain (SP blockchain) and the VB blockchain is called a security-inherited blockchain (SI blockchain). This protocol increases the throughput (i.e., tps) significantly, but the transaction confirmation time is still fully determined by the “slow” SP blockchain. In addition to this, the VB blockchain itself can act as SP-blockchain for other, different blockchains.

In what follows, we give a short description of the main features of the PoP protocol and then analyze in more detail the procedure of achieving security in this protocol.

We also emphasize that it is essential to consider block synchronization time or time delay for block sharing in security analysis. The importance of this parameter was shown in many works, mainly [12,13,14,15]. Notably, it was shown that if the adversary is well synchronized and honest miners are not, the security threshold (the minimal ratio of adversary, which can attack the blockchain with probability 1 despite the number of confirmation blocks) decreases dramatically. For example, as it was shown in [14], for Bitcoin, if the block synchronization time is 20 s and $\alpha =\frac{1}{600}$, the security threshold is about $49\%$; if the block synchronization time is 60 s, the security threshold is about $47.5\%$. It means that if the ratio of an adversary is not less than $0.49$ or $0.475$, respectively, his attack will be successful with probability 1 and it cannot be prevented with a large number of confirmation blocks. When the adversary’s ratio is smaller than this security threshold, we need to increase the number of confirmation blocks (in comparison with the case of zero synchronization time) to achieve the same security level.

Our security analysis in this work assumes that the synchronization time is non-zero and upperbound with some known value. For example, for the BTC blockchain, the most widely used assumption is that the synchronization time is up to 20 s. We obtain additional confirmation of the non-zero synchronization time in BTC from its regular “forks”, which occurs about 6 times in a month, on average. Thus, such forks (without a doublespend attack) occur when two different mining pools create blocks (of the same height) within a time delay interval.

Of course, we cannot state that time delay is essentially large all the time, but since we cannot define or predict the period when it really is essentially large, it is better to assume that the synchronization time is non-zero all the time in order to guarantee security in the worst case.

The main contribution of this work is the proving of explicit expressions, obtained for model with non-zero time delay, for the calculation of the number of confirmation blocks, which is enough for block stabilization in the SI blockchain. In particular, our results give the following possibilities:

• To calculate the probability of double spend attack for given network parameters (block generation intensity, time delay for block sharing) and given number of blocks generated after the block with transaction (the number of so-called confirmation blocks);
• Given the network parameters and preset (small) probability, to calculate the number of confirmation blocks which guarantees that the probability of double spend attack is not larger than the preset value.

This results are completely new to the realistic model with non-zero time delay. Some known results for synchronous model may be also derived from setting the time delay equal to zero.

2. Materials and Methods

In this section, we first explain the basic idea behind the PoP protocol, as well as some of the details and specifications of this protocol given in [1]. Next, some of the auxiliary statements that are necessary for obtaining the key result are proved. The main result is Theorem 1, which gives the possibility to calculate the required number of confirmation blocks in the SI blockchain, guaranteeing (with overwhelming probability) the stability of a certain block in it.

2.1. PoP Consensus Protocol

The PoP protocol uses the properties of the SP blockchain (liveness, consistence) to provide similar properties to the SI blockchain. Hereinafter, we will assume that the SP blockchain is BTC, and the SI blockchain is VB.

In the SI blockchain, each subsequent block refers to several previous ones according to a specific rule, depending on the parameters of the network.

We introduce the concept of keystone block in order to set the link rule. In addition to this, two parameters related to the SI blockchain and one parameter related to the SP blockchain are set.

The keystone block is every ith block, where $i\ge 2$ is the so-called keystone interval. Each new block in the SI blockchain refers to the previous block, and the r of the last keystone blocks, where $r\ge 2$ is the number referenced keystones.

Therefore, each block contains a reference to r or $r+1$ of keystone blocks $(r+1$—if the block comes immediately after the keystone block).

The VB paper says that each block always refers to precisely i of keystone blocks (table on page 22). However, the second table on page 23 provides an example that contradicts the statement on page 22 but agrees with our statement (that refers to r or $r+1$ of keystone blocks).

We want to emphasize that two parameters i and r relate only to the SI blockchain.

The third parameter, d, relates to the SP blockchain. It shows that, to maintain the validity of the SI blockchain, the interval between references to new keystone blocks does not exceed d of blocks in the SP blockchain, i.e., if at some point, a block number l in the SP blockchain refers to a keystone block number k in the SI blockchain, then no later than in a block number $l+d$ in the SP blockchain, a link to $l+1$th keystone block should appear.

2.2. Achieving Stability in the SI Blockchain

Informally speaking, the idea to achieve stability in the SI blockchain using stability in the SP blockchain can be described as follows: block B in the SI blockchain is stable if the block $B^{*}$ in the SP blockchain is stable, where $B^{*}$ is the first block in the SP blockchain that refers to the block B. In other words, in order to “cancel” block B in the SI blockchain, one needs to perform a long enough fork not only in the SI blockchain, but also in the SP blockchain, which is an arduous computational task. To provide some numerical characteristics to “stability”, the concepts of N-BTC-References and N-BTC-Finality are introduced. The first of them, N-BTC-References, means that after block $B^{*}$ in the SP blockchain, N blocks have already been created, and if an attacker begins to build an alternative branch in the SI blockchain, in which block B is absent, then a necessary condition for its validity is the appearance of reference to its blocks in the SP blockchain. In the paper, this is called an “early attack detection metric”. That is, if after block $B^{*}$ in the SP blockchain N blocks have already been released, and there are no references to the alternative chain in them, then this alternative chain does not exist (someone might have started building it, but now it has lost its validity).

The N-BTC-Finality term means that N blocks after block $B^{*}$ have already been created in the SP blockchain, and this amount is sufficient to guarantee the stability of block $B^{*}$ with a probability almost indistinguishable from 1. Please note that this probability depends on three parameters: the intensity of block generation (for BTC, it is $\frac{1}{600}$), the ratio of the attacker’s hash rate, and the network synchronization time (that is, the block propagation delay time).

That is, the main idea of achieving stability in the SI blockchain can be described as follows:

• We wait until block $B^{*}$ appears in the SP blockchain with reference to block B from the SI blockchain;
• After this moment, we wait for the creation of N blocks after block $B^{*}$, where the value N is determined by the above parameters of the SP blockchain (block generation intensity, the ratio of the attacker’s hash rate, network synchronization time), as well as the desired probability value, which we choose ourselves.

At the same time, the N-BTC-References parameter is intermediate. It simply allows to detect an attack at an early stage but does not guarantee the impossibility of a fork in the SP blockchain with the required (set by us) probability.

The above idea of achieving stability in a “light” blockchain using some other ”heavy and stable” blockchain is proposed (by the authors of [1]) to be generalized and developed further, with the possibility of using not only for the VeriBlock blockchain, but also for any existing altcoin. In this case, the VeriBlock blockchain already acts as an SP blockchain, and the altcoin blockchain, respectively, is an SI blockchain. In this case, to characterize the degree of stability achievement, by analogy, the following parameters are used:

• N-BTC-References;
• N-BTC-Finality;
• N-VBK-References;
• N-VBK-Finality.

2.3. Correlation of the Number of Blocks Created in Different (Independent) Blockchain

A measure of block stability in the blockchain is usually the number of blocks created after it, provided there is no visible fork in this interval. For a splitting attack, at the moment, no working (non-asymptotic) estimates of the attack probability have been obtained, depending on the block depth, for a model with continuous time. For a double spend attack, such estimates were obtained for various mathematical models (with continuous time [12,14,15,16] and with discrete [15]; without taking into account the block synchronization time [16] and taking it into account [12,13,14,15]). Although it is not completely clear from [1], it can be reasonably assumed that the authors used the same quantitative characteristic to guarantee the stability of a block in the SI blockchain. Informally speaking, the reasoning is roughly as follows.

Let us assume that block $B^{*}$ is the first block in the SP blockchain that refers to a block B from the SI blockchain. Then, provided that there are no references to some alternative branch of the SI blockchain in the blocks following the block $B^{*}$, to build this alternative branch of the SI blockchain, you need to fork the SP blockchain, that is, build its alternative branch in which there is no block $B^{*}$. The greater the depth block $B^{*}$ is, the smaller the probability is to create such an alternative branch that will be longer than the existing one. Moreover, we ourselves can set the value of such a probability and, accordingly, choose the block depth in the SP blockchain, which guarantees that the probability of a fork will be no more than a given value. For example, for the probability of a fork to be no more than a certain small $\epsilon$, we just need to build n blocks after the block $B^{*}$. After these blocks are created, the probability of removing the B block from the SI blockchain also does not exceed $\epsilon$. We do not want to look into the SP blockchain every time to check how many blocks there are, and we want to estimate the probability of a fork only by the number of blocks generated in the SI blockchain. Then, we set a small $\delta$ and determine value k such that the probability of the event $A_{n,\ge k}=$ {not less than the $kSP$ blocks that occur during the time when n SI blocks occur} is not less than $1-\delta$. With the obtained value k, the probability of removing block B from the SI blockchain will not be larger than $\epsilon +\delta$. That is, initially, we set the desired upper bound $\gamma$ on the fork probability and then we determine values n and k in a such way that the corresponding sum $\epsilon +\delta$ is not larger than $\gamma$.

The paper provides formulas that are auxiliary for calculating the probability of $A_{n,\ge k}$ event (page 11, 12, and on). These formulas correspond to the probabilities of exponential and inverse binomial distributions. They are correct if the following conditions are met with regard to the considered SP blockchain and SI blockchain:

• The synchronization time in both blockchains is zero, that is, after creating a block, all nodes instantly see it;
• Both blockchains use the PoW consensus protocol.

If at least one of these conditions is violated, then the basic formulae for calculating the probability of creation of exactly k blocks in one blockchain during the time until n blocks are created in another blockchain will be completely different.

In our analysis given below, we get rid of the first assumption and build correspondent probability estimations for the blockchains with non-zero synchronization time bounded with some arbitrary value.

2.4. Main Assumptions, Designations, and Some Auxiliary Statements

In this section, we describe the basic assumptions of our model and introduce the main designations. Sometimes, we will also refer to some statements proved in [16].

We will use SP blockchain for “Security provided blockchain” and SI blockchain for “Security inherited blockchain”. Let us define the following random variables (RVs):

• $T_P$—the RV that is measuring the time it takes to mine a block in the SP blockchain,
• $T_P^{\prime }$—the RV that is measuring the time it takes to mine and share the block in the SP blockchain,
• $T_I$—the RV that is measuring the time it takes to mine a block in the SI blockchain,
• $T_I^{\prime }$—the RV that is measuring the time it takes to mine and share the block in the SI blockchain.

As shown in [16], RVs $T_I$ and $T_P$ have exponential distributions:

$$\begin{array}{cc}\hfill & F_{T_P}\left(t\right)=P\left(T_P<t\right)=1-e^{-{\alpha }_{P}t},\hfill \\ \hfill & F_{T_l}\left(t\right)=P\left(T_I<t\right)=1-e^{-{\alpha }_{l}t},\hfill \end{array}$$

(1)

for some ${\alpha }_P>0,{\alpha }_I>0$. The physical sense of these two parameters is that $\frac{1}{{\alpha }_P}$ and $\frac{1}{{\alpha }_I}$ are the mean rates of block generation in the SP blockchain and SI blockchain, correspondingly. Define $\alpha ={\alpha }_P+{\alpha }_I$.

We also assume that $D_P$ denotes the time it takes in the SP blockchain to share a block (after it was generated) for all nodes in the network. The value $D_I$ is the corresponding time in the SI blockchain. In this very work, we assume that $D_I=0$. The reasons for this assumption are as follows:

• From a security consideration, it is critical that we can guarantee (with a probability close to 1) that during the time of the generation of a certain number of blocks in the SI blockchain, at least a certain number of blocks in the SP blockchain are created;
• The most “terrible” thing that can happen from this assumption is that we will spend “extra” time waiting for a slightly larger number of confirmation blocks in the SI blockchain than is necessary to achieve the declared security, as a result of which, the obtained security will be somewhat higher than the declared one;
• Under the assumption that in both blockchains the synchronization time is nonzero, the mathematical model becomes much more complicated, making it almost impossible to obtain the results we need.

Our assumption means that $T_I^{\prime }=T_I$ and $F_{T_I^{\prime }}\left(x\right)=F_{T_I}\left(x\right)$.

We also should note that, for the sake of simplicity, we assume that the block delay time $D_P$ is the same for all blocks in the SP blockchain. Of course, this is a kind of simplification of the real model, but in an alternative case, it is impossible to take into account all particular time delays. On the other hand, we can consider $D_P$ the largest time delay in the SP blockchain and consider setting the problem “in the worst-case scenario”, that is, when all blocks in the SP blockchain are delivered with the maximum delay. As with the previous assumptions, this also leads to an increase in the blockchain security compared to the declared one.

In these designations, we have

$$T_P^{\prime }=D_P+T_P,T_I^{\prime }=T_I.$$

(2)

Define $p_P$ the probability that the next block in the SP blockchain will be generated before the next block in the SI blockchain (i.e., faster than in the SI blockchain), and $p_I=1-p_P-$ is the probability of the opposite event. Using considerations very similar to those in [16], we obtain

$$p_P=\frac{{\alpha }_P}{{\alpha }_P+{\alpha }_I},p_I=\frac{{\alpha }_I}{{\alpha }_P+{\alpha }_I}.$$

(3)

Actually, in our case, we are interested in two other values that take into account the time delay $D_P>0$. We introduce these values as follows:

• $p_P^{\prime }$—the probability that the next block in the SP blockchain will be generated and shared before the next block in the SI blockchain will be generated and shared for all nodes;
• $p_I^{\prime }$—the probability of the alternative event, $p_I^{\prime }=1-p_P^{\prime }$.

According to their definitions,

$$p_P^{\prime }=P\left(T_P^{\prime }<T_I\right),p_I^{\prime }=P\left(T_I\le T_P^{\prime }\right),$$

(4)

and also $p_P^{\prime }+p_I^{\prime }=1$.

These two values in (4) are much more important than the values in (3) because they take into account time delay $D_P$ and describe the state of the network much more realistically. In what follows, we will show that the relation between the number of blocks in the SP blockchain and the SI blockchain depends on these very values in (4) rather than values in (3). Thus, if $D_P$ is rather large, the “real” hash rate $p_P^{\prime }$ in the SP blockchain is essentially smaller than $p_P$.

Now we are going to find $p_P^{\prime }$ and $p_I^{\prime }$.

Lemma 1.

In our designations, the next equalities hold:

$$\begin{array}{cc}\hfill & p_I^{\prime }=1-e^{-{\alpha }_I{D}_P}\times \frac{{\alpha }_P}{{\alpha }_I+{\alpha }_P}=1-e^{-{\alpha }_I{D}_P}\times p_P;\hfill \\ \hfill & p_P^{\prime }=e^{-{\alpha }_I{D}_P}\times \frac{{\alpha }_P}{{\alpha }_I+{\alpha }_P}=e^{-{\alpha }_I{D}_P}\times p_P.\hfill \end{array}$$

(5)

Proof. 

Note that distribution functions for RVs $T_P^{\prime }$ and $T_B$ according to (2) and (4) are

$$\begin{array}{c}{F}_{T_P^{\prime }}\left(t\right)=P\left(T_P^{\prime }<t\right)=P\left(T_P+D_P<t\right)=\\ =P\left(T_P<t-D_P\right)=\left\{\begin{array}{c}1-e^{-{\alpha }_P(t-D_P)},\mathrm{if}t>D_P\hfill \\ 0,\mathrm{else};\hfill \end{array}\right.\end{array}$$

(6)

$$F_{T_I}\left(t\right)=1-e^{-{\alpha }_{I}t}.$$

(7)

The corresponding densities are

$$\begin{array}{cc}\hfill f_{T_P^{\prime }}\left(t\right)& ={\alpha }_P{e}^{-{\alpha }_P\left(t-D_P\right)};\hfill \\ \hfill f_{T_I}\left(t\right)& ={\alpha }_I{e}^{-{\alpha }_{I}t}.\hfill \end{array}$$

(8)

Then, according to the composite probability formula,

$$\begin{array}{cc}\hfill & p_I^{\prime }=P\left(T_I<T_P^{\prime }\right)=\hfill \\ \hfill & =P\left(T_I<T_P^{\prime }/T_I<D\right)P\left(T_I<D\right)+\hfill \\ \hfill & +P\left(T_I<T_P^{\prime }/T_I>D\right)P\left(T_I>D\right).\hfill \end{array}$$

(9)

However, $P\left(T_I<T_P^{\prime }/T_I<D_P\right)=1$, because from (2) we obtain $T_P^{\prime }\ge D_P$. So

$$P_I^{\prime }=P\left(T_I<D_P\right)+P\left(D_P<T_I<T_P^{\prime }\right)$$

Next, according to (4) and (6)–(8),

$$P\left(T_I<D_P\right)=1-e^{-{\alpha }_I{D}_P};$$

$$\begin{array}{cc}& P\left(D_P<T_I<T_P^{\prime }\right)={\int }_{x,y:D_P<x<y}{f}_{T_l}\left(x\right)f_{T_P}\left(y\right)dxdy=\hfill \\ & {\int }_{D_P}^{\infty }\left({\int }_{D_P}^y{f}_{T_l}\left(x\right)dx\right)f_{T_P}\left(y\right)dy={\int }_{D_P}^{\infty }\left(F_{T_l}\left(y\right)-F_I\left(D_P\right)\right)f_{T_P}\left(y-D_P\right)dy=\hfill \\ & {\int }_{D_P}^{\infty }\left(1-e^{-{\alpha }_{I}y}-\left(1-e^{-{\alpha }_I{D}_P}\right)\right){\alpha }_P{e}^{-{\alpha }_P}\left(y-D_P\right)dy=\hfill \\ & {\int }_{D_P}^{\infty }\left(e^{-{\alpha }_I{D}_P}-e^{-{\alpha }_{I}y}\right){\alpha }_P{e}^{-{\alpha }_P}\left(y-D_P\right)dy=\hfill \\ & {\alpha }_P{e}^{-{\alpha }_I{D}_P}{\int }_{D_P}^{\infty }\left(1-e^{-{\alpha }_l}\left(y-D_P\right)\right)e^{-{\alpha }_P\left(y-D_P\right)}dy=\hfill \\ & {\alpha }_P{e}^{-{\alpha }_I{D}_P}{\int }_0^{\infty }\left(1-e^{-{\alpha }_{I}z}\right)e^{-{\alpha }_{P}z}dz,\hfill \end{array}$$

where $z=y-D_P$.

After integration, we obtain

$$P\left(D_P<T_I<T_P^{\prime }\right)=e^{-{\alpha }_I{D}_P}\times \frac{{\alpha }_I}{{\alpha }_P+{\alpha }_I},$$

and from $\left(9\right)$, we obtain

$$\begin{array}{c}{p}_I^{\prime }=1-e^{-{\alpha }_I{D}_P}+e^{-{\alpha }_I{D}_P}\times \frac{{\alpha }_I}{{\alpha }_P+{\alpha }_I}=\\ =1-e^{-{\alpha }_M{D}_H}\times \left(1-\frac{{\alpha }_M}{{\alpha }_H+{\alpha }_M}\right)=1-e^{-{\alpha }_M{D}_H}\times \frac{{\alpha }_H}{{\alpha }_H+{\alpha }_M}=\\ =1-e^{-{\alpha }_M{D}_H}\times \frac{{\alpha }_H}{{\alpha }_H+{\alpha }_M}=1-e^{-{\alpha }_M{D}_H}\times p_H.\end{array}$$

Respectively, $p_P^{\prime }=1-p_I^{\prime }=e^{-{\alpha }_I{D}_P}{p}_P$, and the Formulas (5) and the lemma are proved. □

2.5. Main Results

In this section, we formulate our main results after some auxiliary lemmas.

Denote $T_P^{\prime }\left(i\right)$ as the time needed in the SP blockchain to form and share the i-th block, i.e., the time from the event “ $i-1$-th block is formed and available for all nodes” till the event ” i-th block is formed and available for all nodes”. Similar to (2), we can also say that

$$T_P^{\prime }\left(i\right)=T_P\left(i\right)+D_P,$$

(10)

where $T_P\left(i\right)$ is the time needed in the SP blockchain to generate the i-th block, after the $i-1$-th block becomes available. Then, $T_P^{\prime }\left(i\right),i\ge 1$, are independent, identically distributed RVs with distribution functions

$$F_{T_P^{\prime }\left(i\right)}\left(t\right)=F_{T_P^{\prime }}\left(t\right)=F_{T_P}(t-D_P)=1-e^{{\alpha }_P(t-D_P)},foralli\ge 1,$$

where the last equality follows from (1).

Additionally, define RVs $T_I\left(i\right),i\ge 1$, in the same way. Then their distribution functions are

$$F_{T_I\left(i\right)}\left(t\right)=1-e^{-{\alpha }_{I}t},\mathrm{for}\mathrm{all}i\ge 1.$$

In addition, for $n\ge 1$, let us define RVs $S_P\left(n\right)$, where

$$S_P\left(n\right)=\sum _{i=1}^n{T}_P\left(i\right)$$

(11)

and RVs $S_P^{\prime }\left(n\right)$, where

$$S_P^{\prime }\left(n\right)=\sum _{i=1}^n{T}_P^{\prime }\left(i\right).$$

(12)

Then $S_P\left(n\right)$ is the time needed to generate (without sharing) n (independent) blocks in the SP blockchain and $S_P^{\prime }\left(n\right)$ is the time needed to generate and share n blocks in the SP blockchain, one after another.

From (10), we obtain that

$$S_P^{\prime }=S_P\left(n\right)+n{D}_P,$$

where $S_P\left(n\right)$ has an Erlang distribution as the sum of independent identically distributed RVs with exponential distribution:

$$F_{S_P\left(n\right)}\left(t\right)=P\left(S_P\left(n\right)\le t\right)=1-e^{-{\alpha }_{P}t}\sum _{i=1}^n\frac{{\left({\alpha }_{P}t\right)}^k}{k!}.$$

(13)

Additionally, define RVs $S_I\left(n\right)$ in the same way:

$$S_I\left(n\right)=\sum _{i=1}^n{T}_I\left(i\right).$$

(14)

Note that $S_I\left(n\right)$ also has an Erlang distribution:

$$F_{S_I}\left(n\right)\left(t\right)=1-e^{-{\alpha }_{I}t}\sum _{i=0}^{n-1}\frac{{\left({\alpha }_{I}t\right)}^k}{k!}.$$

(15)

Let us also define the random process (RP) $N_P\left(t\right)$ as the number of blocks generated in the SP blockchain during the time interval of the length t, if the time delay was equal to zero.

Lemma 2.

The RP $N_P\left(t\right)$ has Poisson distribution with parameter ${\alpha }_{P}t$:

$$P\left(N_P\left(t\right)=n\right)=\frac{{\left({\alpha }_{P}t\right)}^n{e}^{-{\alpha }_{P}t}}{n!}.$$

(16)

Proof. 

The event $\left\{N_P\left(t\right)=n\right\}$ is the same as the event $\left\{S_P\left(n\right)<t\right\}\cap \left\{S_P(n+1)>t\right\}$, where $S_P\left(n\right)$ was defined in (11). We can write the subsequent chain of equalities:

$$\begin{array}{cc}& \left\{N_P\left(t\right)=n\right\}=\left\{S_P\left(n\right)<t\cap S_P(n+1)>t\right\}=\hfill \\ & =\left\{S_P\left(n\right)<t\cap \overline{\left.S_P(n+1)<t\right\}}=\right.\hfill \\ & =\left\{S_P\left(n\right)<t\right\}\setminus \left\{S_P(n+1)<t\right\}.\hfill \end{array}$$

Yet, according to the definition $\left(11\right),\left\{S_P(n+1)<t\right\}\subset \left\{S_P\left(n\right)<t\right\}$, then, using (15),

$$\begin{array}{c}P\left\{N_P\left(t\right)=n\right\}=P\left\{S_P\left(n\right)<t\right\}-P\left\{S_P(n+1)<t\right\}=\\ =F_{S_P\left(n\right)}\left(t\right)-F_{s_P(n+1)}\left(t\right)=\frac{{\left({\alpha }_{P}t\right)}^n{e}^{-{\alpha }_{P}t}}{n!}.\end{array}$$

The lemma is proved. □

Note that for RV $N_I\left(t\right)$, defined in the same way, we also have the same statement:

$$P\left(N_I\left(t\right)=n\right)=\frac{{\left({\alpha }_{I}t\right)}^n{e}^{-{\alpha }_{I}t}}{n!}$$

(17)

Notation 1.

From the properties of the Poison process (independent increments, absence of aftereffects), we get that for any$t_1,t_2>0$the distribution law of$N_M\left(t_2\right)$is the same as the distribution law of

$$N_M\left(t_2+t_1\right)-N_M\left(t_1\right),$$

i.e., the number of events happening during$[t_1,t_1+t_2]$has the same distribution law as the number of events happening during$[0,t_2]$.

Additionally, note that the number of events happening during the period$[0,t_1+t_2]$is the sum of the numbers of events happening during$[0,t_1]$and$[t_1,t_1+t_2]$.

We will use this property in the lemma below.

Additionally, introduce RP $N_P^{\prime }\left(t\right)$ as the number of blocks generated and shared (one after another) in the SP blockchain during the time interval of the length t. Then

$$P\left(N_P^{\prime }\left(t\right)=k\right)=P\left(N_P\left(t-k{D}_p\right)=k\right)=\left\{\begin{array}{c}0,\mathrm{if}t\le k{D}_P,\hfill \\ e^{-{\alpha }_P\left(t-k{D}_p\right)}\times \frac{{\left({\alpha }_P\left(t-k{D}_p\right)\right)}^k}{k!},\mathrm{else}.\hfill \end{array}\right.$$

(18)

Now we can define our purpose as to find, or at least to estimate, the probability

$$P\left(N_P^{\prime }\left(S_I\left(n\right)\right)\ge k\right),$$

(19)

which is the probability of the following event $A_{n,\ge k}$:$A_{n,\ge k}=$ “Not less than k blocks were generated and shared in the SP blockchain during the time when exactly n blocks were generated in the SI blockchain (i.e., during the time $S_I\left(n\right)$)”.

According to our purpose, we need to build lower estimation for $P\left(A_{n,\ge k}\right)$ and then, for fixed k (which corresponds to definite security level $1-\epsilon$ in the SP blockchain) and fixed small $\delta >0$ to define

$$n_0(\delta ,k)=min\left\{n:P\left(A_{n,\ge k}\right)\ge 1-\epsilon \right\}.$$

We can also define $n_0(\delta ,k)$ as

$$n_0(\delta ,k)=\min \left\{n:P\left(\neg A_{n,\ge k}\right)<\epsilon \right\},$$

(20)

where $P\left(\neg A_{n,\ge k}\right)=P\left(N_P^{\prime }\left(S_I\left(n\right)\right)<k\right)$, according to $\left(20\right),\left(21\right)$.

Define

$$C_{n,<k}=\neg A_{n,\ge k}\mathrm{and}{B}_{n,t}=\left\{S_I\left(n\right)>t\right\}\mathrm{for}n\in \mathrm{N},t>0$$

(21)

where

$$P\left(B_{n,t}\right)=e^{-{\alpha }_{I}t}\times \sum _{l=0}^{n-1}\frac{{\left({\alpha }_{I}t\right)}^l}{l!}.$$

(22)

Now, we are ready to formulate our main result about the number of generated blocks.

Theorem 1.

In our designations,

$$\begin{array}{cc}\hfill P\left(C_{n,<k}\right)<& \left(\sum _{l=1}^{n-1}\left(\sum _{i=0}^{k-1}{C}_{n-l+i-1}^i{p}_P^i{p}_I^{n-l}\right)\times \frac{e^{-{\alpha }_{l}k{D}_P}\times {\left({\alpha }_{I}k{D}_P\right)}^{l-1}}{(l-1)!}+\frac{e^{-{\alpha }_{l}k{D}_P}\times {\left({\alpha }_{I}k{D}_P\right)}^{n-1}}{(n-1)!}\right)\times \hfill \\ \hfill & \times e^{-{\alpha }_{t}k{D}_P}\times \sum _{l=0}^{n-1}\frac{{\left({\alpha }_{I}k{D}_P\right)}^l}{l!}+\left(1-e^{-{\alpha }_{l}k{D}_P}\times \sum _{l=0}^{n-1}\frac{{\left({\alpha }_{I}k{D}_P\right)}^l}{l!}\right).\hfill \end{array}$$

(23)

Proof. 

Note that we can rewrite $P\left(C_{n,<k}\right)$ as

$$\begin{array}{c}P\left(C_{n,<k}\right)=P\left(C_{n,<k}/B_{n,k{D}_P}\right)\times P\left(B_{n,k{D}_P}\right)+P\left(C_{n,<k}/\neg B_{n,k{D}_P}\right)\times P\left(\neg B_{n,k{D}_P}\right)=\\ =P\left(C_{n,<k}/B_{n,k{D}_P}\right)\times P\left(B_{n,k{D}_P}\right)+1\times P\left(\neg B_{n,k{D}_P}\right),\end{array}$$

(24)

because $\neg B_{n,k{D}_P}\Rightarrow C_{n,<k}$.

Let us assume that $B_{n,k{D}_p}$ holds. Then, we can define the full group of events ${\left\{H_l\right\}}_{l=1}^n$ as

$H_l=\{$ exactly $l-1$ blocks out of $n-1$ blocks in SI blockchain were generated during the interval $\left.\left(S_I\left(n\right)-k{D}_P;S_I\left(n\right)\right)\right\}$, $l=\overline{1,n}$ (see Figure 1).

Note that n-th block was generated exactly at moment $S_I\left(n\right)$, because of the definition of $S_I\left(n\right)$. Then, under condition $B_{n,k{D}_P}$,

$$\begin{array}{c}P\left(C_{n,<k}\right)={\displaystyle \sum _{l=1}^{n-1}}P\left(C_{n,<k}/H_l\right)P\left(H_l\right)+P\left(C_{n,<k}/H_n\right)P\left(H_n\right)<\\ {\displaystyle \sum _{l=1}^{n-1}}P\left(C_{n,<k}/H_l\right)P\left(H_l\right)+P\left(H_n\right)<\\ {\displaystyle \sum _{l=1}^{n-1}}\left({\displaystyle \sum _{i=0}^{k-1}}{C}_{n-l+i-1}^i{p}_P{}^i{p}_I{}^{n-l}\right)\times e^{-k{\alpha }_l{D}_P}\times \frac{{\left(k{\alpha }_I{D}_P\right)}^{l-1}}{(l-1)!}+e^{-k{\alpha }_l{D}_P}\times \frac{{\left(k{\alpha }_I{D}_P\right)}^{n-1}}{(n-1)!}.\end{array}$$

If $B_{n,k{D}_P}$ doesn’t hold, then $P\left(C_{n,<k}\right)=1$.

Combining these two cases for $B_{n,k{D}_p}$ according to (26) and using (24), we obtain the statement (25) and the theorem is proved.

Note that the expression (25) may also be used as an upper bound of $P\left(C_{n,<k}\right)$ even in the case when $D_P=0$. Thus, in this case, the first sum of $\left(25\right)$ has only one nonzero term when $l=1$. So we have

$$P\left(C_{n,<k}\right)<\sum _{i=0}^{k-1}{C}_{n-1+i-1}^i{p}_P{}^i{p}_I{}^{n-1}$$

which is the probability $P\left(C_{n-1,<k}\right)$ which is large than $P\left(C_{n,<k}\right)$.

Now we give some intuition for how we can use the result of Theorem 1.

Let the block of the deep k in the SP blockchain be considered stable with some overwhelming probability $1-\epsilon$ for some sufficiently small ε. Let for the value $n\in \mathrm{N}$ the next statement hold: □

Statement 1

(related to the number of blocks). “The probability, that during $n\in \mathrm{N}$ blocks were generated in the SI blockchain, not less than $k\in \mathrm{N}$ blocks were generated and shared in the SP blockchain, is not less than $1-\delta$ for some sufficiently small $\delta$”.

According to the PoP concept, to guarantee stability in the SI blockchain for some block B with an overwhelming probability $1-\gamma$ for some given sufficiently small $\gamma$, we need to wait for such a number k of blocks in the SP blockchain after the first reference to B, for which Statement 1 is true, with values $\epsilon$ and $\delta$ such that $\epsilon +\delta >\gamma$. Thus, the stability may fail in only two cases: when Statement 1 fails (with probability $\delta$ ) or when stability in the SP blockchain fails (with probability $\epsilon$ ). Our main task is to find such $n\in \mathrm{N}$ that for a given sufficiently small $\delta$ and $k\in \mathrm{N}$, Statement 1 holds. This is the same as to find such $n\in \mathrm{N}$ that $P\left(C_{n,<k}\right)<\delta$.

3. Numerical Results

We calculate the probabilities of the event $C_{n,<k}$ according to $\left(25\right)$ for different values n from 10 to 400 with step 10, for $k=6$ (which is a common value for BTC), ${\alpha }_P=\frac{1}{600},{\alpha }_I=\frac{1}{30}$, and for different values of $D_P=0,5,10,15,20$ (

Table 1. Probabilities of $C_{n,<k}$ for $n=\overline{20,200}$ with step 10 and $D_P=0,5,10,15,20$.

${\mathit{nlD}}_{\mathit{p}}$	0	5	10	15	20
20	$0.999058$	$0.999403$	$0.999527$	$0.999629$	$0.999712$
30	$0.994254$	$0.995711$	$0.996307$	$0.996837$	$0.997306$
40	$0.980719$	$0.984303$	$0.985876$	$0.987331$	$0.988673$
50	$0.953876$	$0.960391$	$0.963373$	$0.966203$	$0.968881$
60	$0.911192$	$0.920945$	$0.925539$	$0.929971$	$0.934241$
70	$0.852845$	$0.865602$	$0.871736$	$0.877724$	$0.883565$
80	$0.781395$	$0.796501$	$0.803877$	$0.811144$	$0.818299$
90	$0.700909$	$0.717481$	$0.725671$	$0.733798$	$0.741858$
100	$0.615995$	$0.633110$	$0.641650$	$0.650173$	$0.658674$
110	$0.531017$	$0.547845$	$0.556310$	$0.564797$	$0.573303$
120	$0.449588$	$0.465477$	$0.473522$	$0.481621$	$0.489770$
130	$0.374345$	$0.388844$	$0.396227$	$0.403683$	$0.411211$
140	$0.306932$	$0.319783$	$0.326358$	$0.333017$	$0.339760$
150	$0.248116$	$0.259223$	$0.264930$	$0.270724$	$0.276606$
160	$0.197971$	$0.207363$	$0.212206$	$0.217134$	$0.222148$
170	$0.156074$	$0.163864$	$0.167894$	$0.172003$	$0.176191$
180	$0.121689$	$0.128041$	$0.131337$	$0.134702$	$0.138139$
190	$0.093915$	$0.099016$	$0.101669$	$0.104383$	$0.107158$
200	$0.071798$	$0.075839$	$0.077946$	$0.080103$	$0.082313$

and

Table 2. Probabilities of $C_{n,<k}$ for $n=\overline{210,400}$ with step 10 and $D_P=0,5,10,15,20$.

${\mathit{nlD}}_{\mathit{p}}$	0	5	10	15	20
210	$0.054411$	$0.057573$	$0.059225$	$0.060919$	$0.062655$
220	$0.040902$	$0.043348$	$0.044628$	$0.045942$	$0.047292$
230	$0.030515$	$0.032388$	$0.033370$	$0.034380$	$0.035417$
240	$0.022606$	$0.024027$	$0.024773$	$0.025541$	$0.026331$
250	$0.016637$	$0.017706$	$0.018268$	$0.018847$	$0.019443$
260	$0.012170$	$0.012967$	$0.013387$	$0.013820$	$0.014266$
270	$0.008850$	$0.009441$	$0.009753$	$0.010074$	$0.010406$
280	$0.006402$	$0.006837$	$0.007066$	$0.007303$	$0.007547$
300	$0.003300$	$0.003531$	$0.003653$	$0.003780$	$0.003910$
310	$0.002353$	$0.002520$	$0.002608$	$0.002700$	$0.002794$
320	$0.001671$	$0.001791$	$0.001854$	$0.001920$	$0.001988$
330	$0.001181$	$0.001267$	$0.001313$	$0.001360$	$0.001409$
340	$0.000832$	$0.000893$	$0.000926$	$0.000960$	$0.000994$
350	$0.000584$	$0.000628$	$0.000651$	$0.000674$	$0.000699$
360	$0.000409$	$0.000439$	$0.000456$	$0.000472$	$0.000490$
370	$0.000285$	$0.000306$	$0.000318$	$0.000330$	$0.000342$
380	$0.000198$	$0.000213$	$0.000221$	$0.000230$	$0.000238$
390	$0.000137$	$0.000148$	$0.000153$	$0.000159$	$0.000165$

). Additionally, we give calculations for n from 320 to 340 with step 1 in

Table 3. Probabilities of $C_{n,<k}$ for $n=\overline{330,340}$ with step 1 and $D_P=0,5,10,15,20$.

${\mathit{nlD}}_{\mathit{p}}$	0	5	10	15	20
330	$0.001181$	$0.001267$	$0.001313$	$0.001360$	$0.001409$
331	$0.001141$	$0.001224$	$0.001268$	$0.001314$	$0.001361$
332	$0.001102$	$0.001182$	$0.001225$	$0.001269$	$0.001314$
333	$0.001064$	$0.001142$	$0.001183$	$0.001225$	$0.001270$
334	$0.001027$	$0.001102$	$0.001142$	$0.001183$	$0.001226$
335	$0.000992$	$0.001065$	$0.001103$	$0.001143$	$0.001184$
336	$0.000958$	$0.001028$	$0.001065$	$0.001104$	$0.001144$
337	$0.000925$	$0.000993$	$0.001029$	$0.001066$	$0.001104$
338	$0.000893$	$0.000958$	$0.000993$	$0.001029$	$0.001066$
339	$0.000862$	$0.000925$	$0.000959$	$0.000994$	$0.001030$
340	$0.000832$	$0.000893$	$0.000926$	$0.000960$	$0.000994$

. Results from Table 1, Table 2 and Table 3 shows that the value $n_0(\delta ,k)$ increases when $D_P$ increases. For example, as we can see from Table 3, with $\delta ={10}^{-4}$ and $k=6$, we obtain $n_0(\delta ,k)=335$ for $D_P=0$, $n_0(\delta ,k)=337$ for $D_P=5,n_0(\delta ,k)=338$ for $D_P=10,n_0(\delta ,k)=339$ for $D_P=15$ and $n_0(\delta ,k)=340$ for $D_P=20$. Though the difference in these very cases is relatively small, we cannot ignore it in general. Note that it would be essentially large if the block generation rate ${\alpha }_P$ was large (here we take ${\alpha }_P=\frac{1}{600}$, as for BTC).

4. Discussion

We analyzed the block stability in the SI blockchain with the PoP consensus protocol and obtained results in a realistic model, with nonzero synchronization time, which are strictly mathematically proved and allow us to build security estimations of the SI blockchain. Using these results, we also can set the desirable security level for the SI blockchain and calculate the necessary number of confirmation blocks in it, which guarantee this security level, based on the SP blockchain like BTC.

The numerical results obtained using the formulas that are in this paper are completely in line with the expectations and show that the probability of an attack in the SI blockchain increases with increasing the synchronization time in the SP blockchain and, accordingly, more confirmation blocks are required for protection against this attack. It should also be taken into consideration that when the block generation intensity in the SP blockchain increases, the probability of an attack will increase faster with increasing synchronization time.

These results may also be useful for building secure Altchains, which use VeriBlock blockchain as the SP blockchain, if both blockchains are based on a Proof-of-Work protocol.

Note that if at least one of these two blockchains—the SI blockchain or SP blockchain—is based on some other protocol, such as Proof-of-Stake, one must use a completely different approach to build security estimations of such blockchains.

The idea behind the PoP protocol, as well as similar ideas from earlier articles mentioned in the review, allows us not only to ensure the resilience of new blockchains that initially have a small PoW value in the block, but also to build security blockchains with high throughput using any of the existing blockchains with provable security. However, it does not solve the second significant problem of blockchains—reducing block confirmation time, i.e., the time until the moment when transactions in the block may be considered uninvertible with overwhelming probability. Maybe the described problem can be solved, at least partially, if we manage to generalize the PoP consensus to the case of SI DAGchain instead of the blockchain. This approach may be the next direction of further investigations.