Making possible the impossible
A classic result (the Fischer, Lynch and Paterson impossibility theorem) shows that in the fully deterministic, asynchronous setting it is impossible to reach consensus if even a single player is faulty, let alone corrupt. Bitcoin does the impossible by settling for a probabilistic consensus. One is never 100% certain that the blockchain cannot be revised, but a revision is an exponentially unlikely event, with the exponent being the depth, counted back from the head of the blockchain, at which the revision would take place.
There can be disagreement at the very head of the chain; this is called a fork. As miners build on the competing branches, one becomes dominant and the other goes fallow, and soon the fork is decided for good. "Soon" is conventionally taken to be six blocks deep, and the blocks built on top of a transaction's block are called its confirmations.
The attack model, however, requires a bound on corrupted players. If, as a limiting case, all players were corrupted, then there could of course be no reliable consensus. Every player does what it wants, believes what it wants, and the players can agree on anything they want.
Proof of Work
The attack model therefore assumes a majority of honest players. The question is how to measure that majority. It cannot be measured by a head-count of honest players, since dishonest players would simply clone themselves, the so-called Sybil attack.
What is measured instead is computational power. An attacker would then need a majority of the computational power, and one expects this to be limited by the financial cost of obtaining such power, which must be weighed against the financial gain exploitable once a majority has been achieved.
A method is also required for players to prove the amount of computation they spent; otherwise an attacker could simply claim to have spent a great deal of computation. This is done by having the so-called miners, the players that can propose blocks, provide the solution to a puzzle that is not known to have a solution except through the expenditure of a great deal of computation. This is called a Proof of Work.
In the case of Bitcoin, the Proof of Work is a nonce r such that, when hashed together with the data d of a block, H(r,d) gives a hash value with k leading zero bits. If the hash function H acts as a random function, the probability that H(r,d) has this form, for a given choice of r, is 1/2^k, since the value of H is assumed to be assigned uniformly at random and only 1 in 2^k values has k leading zeros. The expected number of nonces a miner must try is therefore 2^k, while checking a claimed solution costs a single hash evaluation. (Bitcoin in fact requires the double SHA-256 of the block header, which contains the nonce, to fall below a numeric target; a target of 2^(256-k) is exactly the condition of k leading zero bits, and the network adjusts the target so that a block is found about every ten minutes on average.)
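The puzzle in miniature, as an added example that is not part of the original notes: mining means scanning nonces until the double SHA-256 of the block data plus the nonce has k leading zero bits, while a verifier checks a claimed nonce with one hash. The block data bytes, the little-endian 32-bit nonce encoding and the choice of k are assumptions made for the example; Bitcoin hashes an 80-byte header against a target that is not a power of two.

```python
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(h: bytes) -> int:
    """Count the leading zero bits of a hash read as a big-endian integer."""
    return len(h) * 8 - int.from_bytes(h, "big").bit_length()


def target_for_bits(k: int) -> int:
    """'k leading zero bits' is the same condition as 'hash < 2^(256-k)'.
    Bitcoin compares against a target in this way, but its real targets are
    not powers of two, which lets the difficulty be tuned more finely."""
    return 1 << (256 - k)


def puzzle_hash(data: bytes, nonce: int) -> bytes:
    """H(r, d): hash of the block data with the nonce appended.
    The 32-bit nonce field mirrors Bitcoin's; a real miner that exhausts it
    changes the block data instead (the 'extra nonce')."""
    return sha256d(data + struct.pack("<I", nonce))


def verify(data: bytes, nonce: int, k: int) -> bool:
    """Check a claimed proof of work: one hash, regardless of k."""
    return leading_zero_bits(puzzle_hash(data, nonce)) >= k


def below_target(data: bytes, nonce: int, k: int) -> bool:
    """The same check phrased as Bitcoin does it: hash value below the target."""
    return int.from_bytes(puzzle_hash(data, nonce), "big") < target_for_bits(k)


def mine(data: bytes, k: int) -> tuple[int, int]:
    """Brute-force the nonce from 0 upward. Returns (nonce, hashes computed).
    Each try succeeds with probability 2^-k, so the expected count is 2^k."""
    nonce = 0
    while not verify(data, nonce, k):
        nonce += 1
    return nonce, nonce + 1


if __name__ == "__main__":
    data = b"prev-hash|merkle-root|timestamp"  # constructed stand-in for a header
    for k in (8, 12, 16):
        nonce, tries = mine(data, k)
        print(f"k={k:2d}  nonce={nonce:6d}  hashes={tries:6d}  expected~{2**k:6d}")
```

Run it a few times with different data and the hash counts scatter around 2^k: that randomness is the point, since a miner cannot shortcut the search, but anyone can confirm the result with one call to `verify`.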
Double Spending
A crucial difficulty in electronic money is preventing double spending, since digital tokens can be copied. Bitcoin addresses this using a public ledger in which all transactions are recorded in a chain of blocks.
Miners may occasionally produce competing valid blocks at similar times, creating temporary forks. All nodes verify block validity deterministically, rejecting any block that violates protocol rules, but valid competing blocks may still exist.
The protocol rule is to extend the valid chain with the greatest cumulative proof-of-work. Under the assumption that a majority of mining power follows the protocol, the honest chain has a probabilistic advantage that causes it to grow faster in expectation than any competing chain, making deep reorganizations exponentially unlikely.
This provides a probabilistic notion of finality: the deeper a transaction is buried, the lower the probability of reversal. However, this security argument assumes miners publish blocks immediately and extend the longest known valid chain.
That is the probabilistic guarantee: not that reversal is impossible, but that its probability is negligible. A block buried under 6 further blocks is conventionally considered enough to make the transactions in that block irreversible. At 10 minutes a block, a Bitcoin transaction therefore takes about an hour to settle. Besides the enormous amount of power consumed by Bitcoin (by published estimates exceeding the entire electrical consumption of Austria), this slowness to settle is a disadvantage of Bitcoin. Abstractly, these two costs, energy and delay, attest to the difficulty of the problem Bitcoin solved.
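The "exponentially unlikely" claim made quantitative, as an added example rather than part of the original notes: it implements the catch-up calculation from section 11 of the Bitcoin whitepaper, in which an attacker holding a fraction q of the hash power tries to overtake a chain in which the honest block is already z deep, and it asks how many confirmations are needed to push the attacker's chance below a chosen risk. The risk level and the q values in the demo are assumptions.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash power ever
    catches up from z blocks behind (Nakamoto 2008, section 11).

    While the honest chain finds its z blocks the attacker's progress is
    Poisson with mean lambda = z*q/p.  An attacker that is still z-k behind
    after k blocks catches up with gambler's-ruin probability (q/p)^(z-k).
    """
    if not 0.0 <= q < 0.5:
        raise ValueError("formula assumes the attacker has a minority, q < 0.5")
    p = 1.0 - q
    lam = z * q / p
    total = 1.0
    poisson = math.exp(-lam)          # Poisson(k=0), updated term by term below
    for k in range(z + 1):            # the running product avoids overflow at large z
        if k > 0:
            poisson *= lam / k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float) -> int:
    """Smallest depth z at which the attacker's chance drops below max_risk."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


def decay_table(q: float, max_z: int) -> list[tuple[int, float]]:
    """(z, probability) pairs showing the exponential fall-off with depth."""
    return [(z, attacker_success_probability(q, z)) for z in range(max_z + 1)]


if __name__ == "__main__":
    # Assumed attacker sizes and a 0.1% acceptable risk, as in the whitepaper.
    for z, prob in decay_table(0.1, 6):
        print(f"q=0.10  z={z}  P(catch up)={prob:.7f}")
    for q in (0.1, 0.2, 0.3, 0.4):
        print(f"q={q:.2f}  confirmations for P<0.001: {confirmations_needed(q, 0.001)}")
```

With q = 0.1 the six-confirmation rule leaves the attacker roughly a 0.02% chance, and each extra block cuts that by a near-constant factor, which is the exponential decay in the depth. A larger attacker needs many more confirmations: the table grows quickly as q approaches 0.5, where the formula no longer applies because a majority attacker always catches up eventually.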
Selfish mining
Satoshi assumed that if honest miners control a majority of hash power, the blockchain will converge on a single valid history with overwhelming probability, and that miners will follow the protocol because doing so is economically rational.
This analysis relies on the assumption that miners immediately publish newly found blocks and always extend the longest known chain.
The selfish mining result shows that this assumption is not incentive stable: a miner (or coalition) can improve its expected rewards by withholding blocks and selectively releasing them, thereby causing honest miners to waste effort on stale branches.
This does not break consensus safety under majority honest hash power, but it does show that mining is not necessarily incentive compatible below 50%, and that smaller coalitions may profit from deviation depending on network conditions.
The exact threshold at which selfish mining becomes profitable is not a universal constant; it depends on propagation dynamics and tie-breaking behavior.
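The withholding strategy and the thresholds this last paragraph refers to, as an added example that is not code from the original notes: a Monte Carlo run of the Eyal and Sirer (2014) selfish-mining state machine beside their closed-form revenue formula, parameterized by the pool's hash fraction alpha and by gamma, the fraction of honest hash power that ends up mining on the pool's block during a tie (which is where the propagation and tie-breaking dependence enters). The step count and the random seed are assumptions.

```python
import random


def selfish_revenue_closed_form(alpha: float, gamma: float) -> float:
    """Eyal & Sirer (2014), eq. (8): the selfish pool's share of the blocks that
    end up in the main chain.  Honest mining would earn exactly alpha."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def profitability_threshold(gamma: float) -> float:
    """Hash fraction above which withholding beats honest mining (eq. 9).
    gamma=0 gives 1/3; gamma=1 gives 0, i.e. any pool size profits."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish_mining(alpha: float, gamma: float, steps: int, seed: int = 1) -> float:
    """Monte Carlo of the withholding strategy.  Each step one block is found:
    by the pool with probability alpha, otherwise by an honest miner.  The pool
    keeps its blocks private and releases them only to beat or tie an honest
    block.  Returns the pool's share of blocks that survive in the main chain."""
    rng = random.Random(seed)
    lead = 0        # private chain length minus public chain length
    tie = False     # state 0': a pool block and an honest block of equal height are both public
    pool = honest = 0
    for _ in range(steps):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:
                pool += 2                  # pool extends its own branch and wins both blocks
            elif rng.random() < gamma:
                pool += 1; honest += 1     # honest block lands on the pool's block
            else:
                honest += 2                # honest block lands on the honest block
            tie = False
        elif pool_found:
            lead += 1                      # withhold the new block
        elif lead == 0:
            honest += 1                    # nothing to withhold; honest block stands
        elif lead == 1:
            lead, tie = 0, True            # publish the one private block: a tie
        elif lead == 2:
            pool += 2; lead = 0            # publish both; pool wins by one
        else:
            pool += 1; lead -= 1           # publish one block; still ahead
    return pool / (pool + honest)


if __name__ == "__main__":
    # Assumed parameters: pool sizes around the gamma=0 threshold of 1/3.
    for alpha in (0.25, 0.34, 0.40):
        for gamma in (0.0, 0.5, 1.0):
            sim = simulate_selfish_mining(alpha, gamma, 200_000, seed=7)
            exact = selfish_revenue_closed_form(alpha, gamma)
            print(f"alpha={alpha:.2f} gamma={gamma:.1f}  honest share={alpha:.3f}"
                  f"  selfish exact={exact:.3f}  simulated={sim:.3f}")
```

The simulation and the formula agree to within sampling noise. With gamma = 0 a 25% pool loses by withholding (it earns about 19.5%) while a 40% pool earns about 48%, and raising gamma lowers the break-even size, which is why the profitable threshold is a property of the network's propagation and tie-breaking rather than a fixed number.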

author: burton rosenberg
created: 20 Feb 2019
update: 23 Apr 2026