Computer Science 595/686 Home Page

The BNote

CSC595/686-D: (The Real) Blockchain

by: burt rosenberg
at: university of miami

Lecture 4

The impossible and doing the impossible

A classic result shows that in the deterministic, asynchronous setting, consensus is impossible if even a single player can fail, and the failing player need not be malicious: it is enough that it may crash (see FLP85). The consensus achieved by Bitcoin is probabilistic, in that one is never sure consensus has been achieved. However, for a block buried k steps back from the head of the blockchain to be revised, an event of exponentially small probability would have to occur, exponentially small in the sense that k appears in the exponent.

The attack model, however, requires a bound on corrupted players. If, as a limiting case, all players were corrupted, then there could of course be no reliable consensus. Every player does what it wants, believes what it wants, and the players can agree on anything they want.

Proof of Work.

The attack model therefore assumes at least a majority of honest players. The question is how to measure that majority. It cannot be measured by a head-count of honest players, since dishonest players would simply clone themselves, the so-called Sybil Attack.

What is measured, instead, is computational power. A Sybil Attack would then require the attackers to hold a majority of the computational power, and one expects this to be limited by the financial cost of obtaining such power, measured against the financial gain that could be extracted once a majority has been achieved.

A method is also required for players to prove the amount of computation they spent; else the attacker could simply claim to have spent a great deal of computation. This is done by having the so-called miners, those players that propose blocks, provide the solution to a puzzle, a puzzle for which no way of finding a solution is known except through the expenditure of a great deal of computation. This is called a Proof of Work.

In the case of Bitcoin, the Proof of Work is a nonce r such that, when hashed together with the data d in the block, H(r,d) gives a hash value with k leading zero bits. If the hash function H acts as a random function, the probability that H(r,d) has this form, for a random choice of r, is 1/2^k, since the value of H is assumed to be assigned randomly among the possible outputs and only 1 in 2^k of those outputs has k leading zeros. A miner therefore expects to compute about 2^k hashes to find r, while anyone can check the claimed work with a single hash. (Bitcoin actually requires the hash, read as a 256-bit integer, to be below a difficulty target; that is the same idea with finer control over the difficulty than whole bits allow.)
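The puzzle in working form, as an added example that is not part of the original lecture notes: mining searches nonces until H(r,d) has k leading zero bits, verification is one hash, and an empirical average over several constructed payloads shows the 2^k expected cost. The encoding of the nonce and data, and the payload strings, are assumptions made for the example; the double SHA-256 mirrors Bitcoin's choice but the layout is not Bitcoin's real block header.

```python
import hashlib

def H(nonce: int, data: bytes) -> bytes:
    """Hash the nonce together with the block data. Bitcoin applies SHA-256
    twice to its block header; this toy does the same to a fixed-width
    nonce prefixed to the data (constructed encoding, not Bitcoin's header)."""
    first = hashlib.sha256(nonce.to_bytes(8, "big") + data).digest()
    return hashlib.sha256(first).digest()

def leading_zero_bits(h: bytes) -> int:
    """Count the leading zero bits of a hash value."""
    return len(h) * 8 - int.from_bytes(h, "big").bit_length()

def is_valid_pow(nonce: int, data: bytes, k: int) -> bool:
    """Verifying a claimed proof costs one hash, however long it took to find."""
    return leading_zero_bits(H(nonce, data)) >= k

def is_below_target(nonce: int, data: bytes, k: int) -> bool:
    """Bitcoin's actual rule: the hash, read as a 256-bit integer, must be below
    a target. A target of 2**(256-k) is exactly "at least k leading zero bits";
    real targets need not be powers of two, which lets the difficulty be
    adjusted in steps finer than a factor of two."""
    return int.from_bytes(H(nonce, data), "big") < 2 ** (256 - k)

def mine(data: bytes, k: int, start: int = 0) -> tuple:
    """Try nonces until the puzzle is solved; return (nonce, hashes computed).
    Each try succeeds with probability 1/2**k, so the expected cost is 2**k."""
    nonce, tries = start, 0
    while True:
        tries += 1
        if is_valid_pow(nonce, data, k):
            return nonce, tries
        nonce += 1

def average_trials(k: int, samples: int) -> float:
    """Empirical check of the 2**k expectation: mine several distinct
    (constructed) payloads and average the number of hashes each needed."""
    total = sum(mine(b"constructed block %d" % i, k)[1] for i in range(samples))
    return total / samples

if __name__ == "__main__":
    data = b"constructed block data"
    nonce, tries = mine(data, 16)
    print("nonce", nonce, "found after", tries, "hashes, expected about", 2 ** 16)
    print("verified with one hash:", is_valid_pow(nonce, data, 16))
    print("average hashes for k=10 over 64 payloads:", average_trials(10, 64))
```

The asymmetry is the whole point: the miner's cost grows as 2^k, the verifier's cost does not grow at all, and raising k by one doubles the expected work without changing the check.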

Double Spending

A crucial difficulty in electronic money, including Bitcoin, is to prevent double spending. Since an electronic token is perfectly reproducible, the presentation of the token is not sufficient to exclude that the token has already been spent. Bitcoin solves the problem by a public ledger: the creation and every use of every Bitcoin is open to inspection by anyone.

It is possible for miners, working on different sets of transactions, to nearly simultaneously mine blocks that each spend the same unspent transaction output (UTXO), but in different transactions. (It is also possible that two miners nearly simultaneously mine two perfectly valid blocks and present them as competing candidates for the next block in the blockchain.)

The Bitcoin system cannot prevent a cheating miner from proposing a block that double spends, but honest miners verify everything about a proposed block before choosing to mine on top of it. Seeing that the proposed block attests to wrong data, honest miners will ignore the block. Dishonest miners can accept the block and begin mining off of it.

In sum, then, miners choose the head block of the longest chain of correct blocks to mine after. That is, the hash of this head block is placed in the parent field of the mined block, making the mined block the new head of a linked list of blocks running back to the genesis block. With 51% or better of the work provided honestly, this chain will grow faster than any chain containing a dishonest block, and eventually it will be so much longer that the probability is negligible that the shorter chain will be mined consistently enough to ever catch up in length.
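The two rules in the paragraphs above, reject any block that spends an output twice and mine on the longest chain of valid blocks, as an added example that is not code from the original lecture notes. The ledger format, the participants (alice, bob, carol, dave), the amounts and the genesis state are constructed for the example and are not Bitcoin's real transaction or block encoding; there is no proof of work here, only the validation and chain-choice logic.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # outpoints (txid, index) being spent
    outputs: tuple  # (owner, amount) pairs being created

@dataclass(frozen=True)
class Block:
    parent: str     # hash of the parent block
    txs: tuple

    def hash(self) -> str:
        body = json.dumps([self.parent, [[t.txid, t.inputs, t.outputs] for t in self.txs]])
        return hashlib.sha256(body.encode()).hexdigest()

GENESIS = "genesis"                                # hash of the constructed genesis block
GENESIS_UTXO = {("coinbase", 0): ("alice", 50)}   # alice starts with one 50-unit output

def apply_block(utxo: dict, block: Block) -> Optional[dict]:
    """Replay one block against a UTXO set. Returns the updated set, or None if
    a transaction spends an output that does not exist or is already spent
    (a double spend, whether against an earlier block or within this one),
    or pays out more than it takes in."""
    utxo = dict(utxo)
    for tx in block.txs:
        value_in = 0
        for outpoint in tx.inputs:
            if outpoint not in utxo:
                return None
            value_in += utxo.pop(outpoint)[1]
        if sum(amount for _, amount in tx.outputs) > value_in:
            return None
        for index, out in enumerate(tx.outputs):
            utxo[(tx.txid, index)] = out
    return utxo

def valid_chain(tip: str, blocks: dict) -> Optional[list]:
    """Follow parent hashes from the tip back to genesis, then replay forward.
    Returns the list of blocks (genesis side first) if every block checks
    out, else None: one bad block condemns everything built on top of it."""
    path = []
    while tip != GENESIS:
        if tip not in blocks:
            return None
        path.append(blocks[tip])
        tip = blocks[tip].parent
    path.reverse()
    utxo = GENESIS_UTXO
    for block in path:
        utxo = apply_block(utxo, block)
        if utxo is None:
            return None
    return path

def choose_head(tips: list, blocks: dict) -> Optional[str]:
    """The honest miner's rule: mine on the tip of the longest chain of valid
    blocks. Among equally long valid chains, the first one seen is kept."""
    best, best_len = None, -1
    for tip in tips:
        chain = valid_chain(tip, blocks)
        if chain is not None and len(chain) > best_len:
            best, best_len = tip, len(chain)
    return best

# Constructed scenario: alice's one coin is spent twice, in two different transactions.
pay_bob   = Tx("a1", inputs=(("coinbase", 0),), outputs=(("bob", 50),))
pay_carol = Tx("a2", inputs=(("coinbase", 0),), outputs=(("carol", 50),))
b1     = Block(GENESIS, (pay_bob,))        # honest block
b1_alt = Block(GENESIS, (pay_carol,))      # competing block, valid on its own: a fork
b2     = Block(b1.hash(), (Tx("b1", (("a1", 0),), (("dave", 30), ("bob", 20))),))
b2_bad = Block(b1.hash(), (pay_carol,))    # spends alice's coin again after b1: double spend
b3_bad = Block(b2_bad.hash(), ())          # a dishonest miner extends the bad block anyway
BLOCKS = {b.hash(): b for b in (b1, b1_alt, b2, b2_bad, b3_bad)}

if __name__ == "__main__":
    for name, tip in [("b1", b1), ("b1_alt", b1_alt), ("b2", b2), ("b2_bad", b2_bad), ("b3_bad", b3_bad)]:
        print(name, "valid" if valid_chain(tip.hash(), BLOCKS) is not None else "rejected")
    print("honest miners build on:", "b2" if choose_head(list(BLOCKS), BLOCKS) == b2.hash() else "?")
```

Note what the chain rule does with the dishonest fork: the chain ending at b3_bad is the longest chain in the block set, but it is not the longest chain of valid blocks, so an honest miner never places its hash in a parent field, and that is why a minority cannot lengthen it as fast as the honest chain grows.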

That is the probabilistic guarantee: not that reversal is impossible, but that its probability is negligible. The 6 is a convention rather than a constant of nature: an attacker holding a fraction q of the hashing power catches up from k blocks behind with probability on the order of (q/p)^k, where p = 1 - q is the honest fraction, so the number of blocks one should wait depends on how large a q one is willing to assume. It is conventionally considered that a block buried by 6 blocks is deep enough to make its transactions irreversible. At 10 minutes a block, a Bitcoin transaction then takes about 1 hour to settle. Besides the enormous amount of power consumed by Bitcoin (exceeding the entire electrical consumption of Austria), this slowness to settle is a disadvantage of Bitcoin. Abstractly, these two costs, energy and delay, attest to the difficulty of the problem Bitcoin solved.
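The "negligible probability" made concrete, as an added example that is not part of the original lecture notes. The first function is the gambler's-ruin bound, (q/p)^z, for an attacker z blocks behind; the second is the refinement from Satoshi's white paper, in which the attacker starts mining in secret as soon as the transaction is sent and has a Poisson number of blocks in hand by the time the recipient has seen z confirmations. The third turns the formula around and asks how many confirmations bring the risk below a chosen level. The choice of q values and risk level in the demo is an assumption for the example.

```python
from math import exp, factorial

def catch_up_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash power ever
    overtakes the honest chain from z blocks behind: (q/p)^z with p = 1 - q,
    and certain if q >= p (the attacker out-mines the honest majority)."""
    p = 1 - q
    return 1.0 if q >= p else (q / p) ** z

def attacker_success_probability(q: float, z: int) -> float:
    """White-paper estimate of reversing a transaction after z confirmations.
    While the honest chain mined z blocks the attacker mined a Poisson(z*q/p)
    number in secret, and must close whatever gap remains."""
    p = 1 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    caught_before = 0.0           # probability mass where the attacker never catches up
    for k in range(z + 1):
        poisson = lam ** k * exp(-lam) / factorial(k)
        caught_before += poisson * (1 - (q / p) ** (z - k))
    return 1 - caught_before

def confirmations_needed(q: float, risk: float, limit: int = 10_000) -> int:
    """Smallest number of confirmations z for which the attacker's success
    probability drops below the accepted risk."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    raise ValueError("no z up to the limit brings the risk that low")

if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45):   # assumed attacker shares for the demo
        row = ["%.6f" % attacker_success_probability(q, z) for z in range(0, 7)]
        print("q=%.2f  z=0..6:" % q, " ".join(row))
        print("        confirmations for risk < 0.1%%: %d" % confirmations_needed(q, 0.001))
```

The table this prints is the one in the white paper: with q = 0.1 six confirmations bring the reversal probability to a few parts in ten thousand, while an attacker near 0.45 needs hundreds of confirmations to be excluded at the same level, which is the practical meaning of "exponentially small in k": the base of the exponential, q/p, is what the honest-majority assumption controls.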

Selfish mining

Satoshi only conjectured that consensus over correct blocks would be guaranteed with 51% honest miners. It turned out that this is not true, as shown by the discovery of selfish mining. The protocol analysis assumed that a miner, having mined a block, would immediately announce it. It need not. It might hold the block back and begin mining the follow-on block. It is possible that it finds the follow-on block before another miner finds and announces a block that would compete with the first block found by the selfish miner. The selfish miner then announces both blocks and secures a lead for its chain over the alternatives, while the work the honest miners put into the now-abandoned chain is wasted. That lead could contain a malicious block. In this way a consortium of dishonest miners of size something like 1/3 earns more than its share of the rewards, which draws rational miners to join it, and so can take over the blockchain.

This does not break the blockchain idea, just the bold assumption that anything less than 50% malicious miners is safe. Perhaps the number is 35%? We don't know. A demonstrated attack can warn us how small an attacking coalition might be. However, we do not know for certain the threshold below which an attacking coalition has a negligible chance of succeeding.
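The withholding strategy described above, run as a simulation, as an added example that is not part of the original lecture notes. It follows the state machine of Eyal and Sirer's selfish-mining analysis: the pool keeps its blocks private, and when the honest miners catch up it publishes just enough of its private chain to win. Two parameters are assumed: alpha, the pool's share of hashing power, and gamma, the fraction of honest miners that end up on the pool's block when two blocks of equal height race through the network. The closed-form revenue function is the one reported in their paper (quoted from it, not derived here); the simulation and the formula agree, and both show where "something like 1/3" comes from and why the true threshold is lower when the pool has a network advantage.

```python
import random

def selfish_mining_share(alpha: float, gamma: float, rounds: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo of the selfish strategy. Each round one block is found, by
    the pool with probability alpha. Returns the pool's share of all blocks
    that end up rewarded, i.e. on the chain everyone eventually builds on."""
    rng = random.Random(seed)            # fixed seed: the run is reproducible
    lead = 0                              # private blocks the pool holds beyond the public tip
    tie = False                           # two public tips of equal height, one the pool's
    selfish = honest = 0
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                # pool extends its own branch: both its blocks win
                selfish += 2
            elif rng.random() < gamma:    # honest block lands on the pool's block
                selfish += 1
                honest += 1
            else:                         # honest block lands on the honest block: pool's is orphaned
                honest += 2
            lead, tie = 0, False
        elif pool_found:
            lead += 1                     # keep it secret, keep mining on it
        elif lead == 0:
            honest += 1                   # ordinary honest progress
        elif lead == 1:
            tie = True                    # pool publishes its one block: a race
            lead = 0
        elif lead == 2:
            selfish += 2                  # pool publishes both: honest block wasted
            lead = 0
        else:
            selfish += 1                  # pool publishes one block and is still ahead
            lead -= 1
    return selfish / (selfish + honest)

def selfish_mining_revenue(alpha: float, gamma: float) -> float:
    """Closed form for the pool's revenue share from Eyal and Sirer's paper
    (quoted, not re-derived here), for the same state machine."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den

def profitability_threshold(gamma: float, tol: float = 1e-6) -> float:
    """Smallest alpha at which withholding beats honest mining (share > alpha),
    found by bisection on (0, 1/2)."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if selfish_mining_revenue(mid, gamma) > mid:
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):        # assumed network-advantage levels for the demo
        print("gamma=%.1f  threshold alpha=%.4f" % (gamma, profitability_threshold(gamma)))
    for alpha in (0.2, 1 / 3, 0.4):      # assumed pool sizes for the demo
        print("alpha=%.3f  simulated share=%.4f  formula=%.4f" %
              (alpha, selfish_mining_share(alpha, 0.0), selfish_mining_revenue(alpha, 0.0)))
```

With gamma = 0, the pool never wins a tie and the crossover is at alpha = 1/3: below it the pool's share is less than its hashing share (withholding costs it), above it the share exceeds alpha and honest miners are being robbed of revenue. With gamma = 1/2 the crossover is already at 1/4, and as gamma approaches 1 there is no safe threshold at all, which is the precise form of the uncertainty the paragraph above describes.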

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

author: burton rosenberg
created: 20 Feb 2019
update: 20 Feb 2019