KasMedia Logo

(This post is part of the Understanding GHOSTDAG series)

The safety property of blockChains is a statement about how quickly the confidence in a transaction increases as it lingers on the main chain.

The statement is that the longer transaction stays on the selected chan, the less likely it is to revert. The definition of safety says that the longer a transaction is on the selected chain, the less likely it is to revert. Interestingly, this definition does not say anything directly about whether the selected chain changed. It requires the revert probability to keep decaying even if the chain selection rule switches between two chains containing the transaction. Even if the transaction was on different blocks of the chain, like here:

13

We all know the adage that “Bitcoin is secure as long as 50% are honest”, but that is not quite the case. A more accurate description is that for any fixed α<1/2\alpha < 1/2, the network is secure against an α\alpha attacker. What is the significance of this difference? Essentially, it is true that for any fixed α<1/2\alpha<1/2, the expected time to reach confidence ε\varepsilon is finite. However, this time grows infinite as α\alpha becomes closer to 1/21/2. Hence, we must look at each α\alpha separately.

This foreshadows a bit about the next post, namely, why we talk about confirmation times, plural, and not just confirmation time. The reason is that for any choice of 0<α<1/20<\alpha<1/2 and 0<ε0<\varepsilon, there is a different time the receiver will have to wait. That is, the time to gain 1%-confidence against a 20% attacker differs from the time it takes to gain 0.1%-confidence against a 10% attacker.

A nice property of the confirmation times is that they are monotonic in α\alpha. Your security is not risked if you overestimate the adversary and wait longer.

Another clear fact is that for a fixed α<1/2\alpha<1/2, the time it takes to reach a confidence of ε\varepsilon goes to infinity as ε\varepsilon goes to 00. Unlike with α\alpha, which we consider fixed, we require that the rate at which this happens is slow. That is, we want the time it takes to reach a confidence of ε\varepsilon will increase mildly as we greately decrease ε\varepsilon.

First Attempt at a Formal Definition*

We can try to quantify the intuitive discussion above. Ostensibly, we only need to specify what “slow” means. Unsurprisingly, we require it to grow logarithimically. That is, we require it to be O(log(1/ε))O(\log(1/\varepsilon)).

We can pack all this discussion nicely into the following:

Definition? For a given blockChain protocol, let S(α,ε)S(\alpha,\varepsilon) be the expected time it takes to gain ε\varepsilon-confidence against an α\alpha-attacker. The protocol is safe if for any α<1/2\alpha<1/2 we have that S(α,ε)=O(log(1/ε)).S(\alpha,\varepsilon) = O(\log(1/\varepsilon))\text{.}

The definition above is, in fact, not the correct definition of safety. It is almost there but is just a hair too strict, and in fact, no PoW blockChain can satisfy it as it is written. If you read the previous section carefully, you already know what we neglected: orphans. Once we discuss orphans and understand their math better, we will note that this definition is almost correct and fix it.

Safety of Bitcoin in an Orphanless World

Say an adversary has α<1/2\alpha<1/2 of the hash rate, and assume that the honest network never has orphan blocks. That is, the block tree looks something like this:

10

where tx is the transaction the adversary tries to double-spend, and tx’ is a transaction that conflicts with it. To double-spend successfully, the adversary must wait for when her chain is longer than the honest chain.

Since the adversary has a fraction α\alpha of the hash rate, for every α\alpha blocks she creates, the honest network creates 1α1-\alpha blocks. By assumption, 1α>1/2>α1-\alpha > 1/2 > \alpha, so the honest network has a higher production rate of blocks.

In other words, the expected gap between the weight of the honest chain and the adversarial chain constantly increases in favor of the honest network. Intuitively, this implies that as time progresses, it becomes less likely that the attacker ever succeeds as she accumulates a larger gap to cover.

Turning this intuition into a solid mathematical argument requires some sophistication. We provide a sketch of the full proof later in the chapter.

Orphans and the Scaling Problem

The argument above assumes that orphan blocks do not exist, and this assumption is generally not true. What happens if we do have orphans? Say that the orphan rate is δ>0\delta>0. That is, one in every 1/δ1/\delta honest blocks is orphaned. Then for every α\alpha blocks created by the adversary, the honest network still creates 1α1-\alpha blocks, but only (1δ)(1α)(1-\delta)(1-\alpha) of them will be on the selected chain.

12

To adapt the argument above, it is no longer sufficient to require that α<1α\alpha<1-\alpha. The reason we made this requirement is to assure the honest selected chain grows faster than the adversarial chain. Hence, the correct requirement is actually α<(1δ)(1α)\alpha < (1-\delta)(1-\alpha).

Note that in the no-orphans case we have δ=0\delta=0, so (1δ)(1α)=1α(1-\delta)(1-\alpha)=1-\alpha. Hence, our new expression is a generalization of the one we used in the orphanless case.

The next order of business is to find out which values of α\alpha satisfy the new equation. It is easy to see that (for α0\alpha\ge 0) the condition α<1α\alpha<1-\alpha is equivalent to α<1/2\alpha<1/2. So it is natural to compute an expresssion to show how far from the non-orphan case we are. By isolating α\alpha and some grade-school symbol manipulation we get at the following equation: α<12(1δ2δ).\alpha<\frac{1}{2}\left(1-\frac{\delta}{2-\delta}\right)\text{.}We see that it is very similar to the original α<1/2\alpha < 1/2 condition except there is this additional (1δ2δ)\left(1-\frac{\delta}{2-\delta}\right) factor. As expected, if are no orphans (δ=0\delta = 0) this factor is just 11, but goes to 00 as the orphan rates grows to 11.

The following graph illustrates this point by showing what α\alpha is required for a double-spend attack when the orphan rate is δ\delta:

11

If we are being strict, this means that Bitcoin could never satisfy our definition of safety. The orphan rate in a blockchain is always positive. So we can say something along the line of “Bitcoin is very close to being safe assuming δ\delta is very small In Bitcoin, the most pro-orphan estimations say that δ<1150\delta<\frac{1}{150}, meaning that Bitcoin is “only” safe against 49.999% attackers.

To understand the repercussions of orphans we ask ourselves: what determines δ\delta?

Delta is determined by two quantities: the block delay λ\lambda and network latency DD. The block delay is a parameter set by the protocol designer, and it determines what should be the expected time between consecutive blocks. The network latency DD is how long it takes for the entire network to learn of a newly mined block. It is not controlled directly by the protocol designer, but is affected by various design choice. Most importantly, since any node has to verify each block, and the time it takes depends on the amount of information on the block, it follows that increasing the block size begets larger DD.

It is clear that as λ\lambda decreases blocks are generated more rapidly, this increases the chances that two blocks will be created at very close times to each other, increasing the orphan rate δ\delta. It is also clear that as the latency increases the probability that two blocks are created also simultaneously increases. Hence, increasing block sizes or block rates will increase orphan rates. Formally, the security of Bitcoin only holds as long as λD\lambda\gg D. This requirement is more commonly known as “the Bitcoin scaling problem”.

The Math of Orphans**

With some work, we can quantify the effect of λ\lambda on δ\delta.

An orphan is only created if two blocks are created within a period of DD (this is not a sufficient condition, but it is neccesary). In the appendix, we saw that the number of blocks we see in this period distributes like Poi(D/λ)Poi(D/\lambda). We can work out the probability that at least two blocks are created by taking the complement of the probability less than two blocks is created:

P[Poi(Dλ)2]=1P[Poi(Dλ)<2]=1P[Poi(Dλ)=0]P[Poi(Dλ)=1]=1(D/λ)0eD/λ0!(D/λ)1eD/λ1!=1eD/λDλeD/λ=1eD/λ(1+Dλ)1(1Dλ)(1+Dλ)=(D/λ)2\begin{aligned}\mathbb{P}\left[Poi\left(\frac{D}{\lambda}\right)\ge2\right] & =1-\mathbb{P}\left[Poi\left(\frac{D}{\lambda}\right)<2\right]\\& =1-\mathbb{P}\left[Poi\left(\frac{D}{\lambda}\right)=0\right]-\mathbb{P}\left[Poi\left(\frac{D}{\lambda}\right)=1\right]\\& =1-\frac{\left(D/\lambda\right)^{0}\cdot e^{-D/\lambda}}{0!}-\frac{\left(D/\lambda\right)^{1}\cdot e^{-D/\lambda}}{1!}\\& =1-e^{-D/\lambda}-\frac{D}{\lambda}\cdot e^{-D/\lambda}\\& =1-e^{-D/\lambda}\left(1+\frac{D}{\lambda}\right)\\& \approx1-\left(1-\frac{D}{\lambda}\right)\left(1+\frac{D}{\lambda}\right)\\& =\left(D/\lambda\right)^{2}\end{aligned} (where we used the Taylor series approximation).

This gives us the amount of orphans we expect per network delay. If we want to get the number of orphans per block delay we multiply everything by λ/D\lambda/D to obtain the simple expression D/λD/\lambda.

The catch is that the approximation phase we did assumes that D/λD/\lambda is much smaller than one. Once we enter the regime of block delays comparable (or even smaller than) the network delay, it breaks. However, we can still see quite clearly that in the λD\lambda\gg D regime the orphan rate is inversely proportional to the block delay. In the Bitcoin network, the latency is in sub-seconds and yet, decreasing the block delay from 10 minutes to 30 seconds will increase orphan rates by a factor of at least 20.

Actually, increasing the block rates like this will increase orphan rates by a lot more. The calculation we did assumes that orphan blocks never point at each other, and completely disregards orphan chains. That is, chains of two or more blocks that are outside the selected chain. These are very rare for small orphan rates, but become meaningful as the orphan rates increase.

Fixing the Definition*

A correct definition of safety must take orphans into account. A definition that does not depend at all on δ\delta should raise suspicion. We need a definition that only requires security for α\alpha sufficiently smaller than δ\delta. It might be tempting to use the expression for α\alpha we derived above, but that would be a mistake: this computation is specific to Bitcoin and could not be used for a general definition. The correct way, it seems, is to consider the ratio D/λD/\lambda, and require that the maximum α\alpha attacker we can deal with approaches 1/21/2 as this ratio approaches 00 (that is, as the block delay becomes much larger than the network delay). This leads to the following:

Definition: For a given blockChain protocol, let S(α,ε)S(\alpha,\varepsilon) be the expected time it takes to gain ε\varepsilon-confidence against an α\alpha-attacker. The protocol is qq-safe if for any α<(1/2q)\alpha<(1/2-q) we have that S(α,ε)=O(log(1/ε)).S(\alpha,\varepsilon) = O(\log(1/\varepsilon))\text{.} The protocol is safe if it is O(D/λ)O(D/\lambda)-safe.

Orphans and Difficulty

It is a common misconception that “orphan rates decrease gains for miners”. This misunderstanding follows from the reasonable thought that if we have to throw blocks in the garbage then whoever mined this block is in the loss.

However, that is not quite the case. The difficulty adjustment algorithm only controls the issuance rate of non-orphan blocks. There is no other way: since difficulty has to be in consensus, the difficulty of each block can only depend on the chain leading from this block to genesis.

In particular, if we have, say, 20% orphan rates, then mining blocks will be 20% easier, increasing the block rates to compensate. Yes, one fifth of the blocks you make will go to the trash, but you will make 1.25 times more blocks, giving you the same rate of non-orphan blocks.

You might be tempted to think that a 20% orphan rate implies only 80% of the hash rate you see on the blockchain goes towards non-orphan blocks. So if the difficulty requires one tera hash per second to see a block every ten minutes, then an adversary will only need 800 giga hash to 51% attack the network. Again, this is not the case, the hash rate read off the difficulty only takes non-orphan blocks into account. This (combined with the fact that nodes do not broadcast blocks they see as orphans) makes measuring orphan rates in practice extremely difficult (especially if we consider that old orphans can be forged for cheap).

That being said, there are adverse consequences to high orphan rates (besides the wasted work): they introduce noise that increases confirmation times, and increase the advantage for miners with a better internet connection.

Enjoyed reading this article?

More articles like this

Comments

No comments yet!

Post a comment

KasMedia logo