原文翻译
11. Calculations
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.
The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:
p = probability an honest node finds the next block
q = probability the attacker finds the next block
qz = probability the attacker will ever catch up from z blocks behind
Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.
The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
Rearranging to avoid summing the infinite tail of the distribution...
Converting to C code...
#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
double p = 1.0 - q;
double lambda = z * (q / p);
double sum = 1.0;
int i, k;
for (k = 0; k <= z; k++)
{
double poisson = exp(-lambda);
for (i = 1; i <= k; i++)
poisson *= lambda / i;
sum -= poisson * (1 - pow(q / p, z - k));
}
return sum; }
Running some results, we can see the probability drop off exponentially with z.
q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006
Solving for P less than 0.1%...
P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340
11.计算
我们考虑攻击者试图比诚实链更快地生成替代链的情景。就算攻击者完成了这一步骤,也不会讲系统至于可随意修改的境地,例如凭空创造价值或拿走从不属于攻击者的钱。节点不会接受一个不合法的支付,诚实的节点永远不会接受一个包含这样交易的区块。攻击者只能试图改变一个他自己的交易拿回他不久前花出去的钱。
诚实节点和攻击者之间的竞争可以被特征化为Binomial Random Walk。成功的事件是诚实的链被延伸一个区块,将领先优势提高+1,并且失败事件是攻击者的链被延长一个块,将间隙减少-1。
攻击者从特定亏损中赶超的可能性类似于赌徒的破产问题。假设一个拥有无限信用的赌徒开始出现赤字并且可能会进行无数次试验以试图达到盈亏平衡。我们可以计算他达到盈亏平衡的概率,或者说攻击者赶上诚实的链条的概率,就像接下来这样。
p = 诚实节点找到下一区块的可能性。
q = 攻击者找到下一区块的可能性。
qz = 攻击者从落后z个区块赶上诚实的链条的概率
就算我们假设p > q,随着攻击者必须赶上的数量增加,概率呈指数下降。如果他没有能够在早期进行一次幸运的冲刺,那么随着他会落后更远,他的机会就会变得越来越小。
我们现在考虑新交易的收款者需要等待多长时间才能充分确定付款者无法篡改交易。我们假设支付者是一个希望收款人在一定时间范围内相信他付了钱d的攻击者,他会经过一段时间后,将交易返还给自己。收款人那时会收到警告,但支付者希望那时就太晚了。
收款者生成一个新的钥匙对,然后并在签署前不久将公钥提供给付款人。这防止了付款人通过持续工作,直到他足够幸运,远远超前准备一连串的区块,再在这个时候执行交易。一旦交易发出,这个不诚实的付款者就对一个包含其交易的备用版本的并行链进行工作。
收件人开始等待,直到交易已添加到块并且有z块已经被添加在它后面。他不知道攻击者取得的确切进展,但假设诚实的区块花费了每块的平均预期时间,攻击者的潜在进展将是具有预期值的泊松分布:
为了得到攻击者依然可以赶上对可能性,我们将他本可以取得的每一个进展量的泊松密度乘以他从那一点赶上来的概率:
重新排列,以避免总结分布的无限尾...
转换为C代码......
#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
double p = 1.0 - q;
double lambda = z * (q / p);
double sum = 1.0;
int i, k;
for (k = 0; k <= z; k++)
{
double poisson = exp(-lambda);
for (i = 1; i <= k; i++)
poisson *= lambda / i;
sum -= poisson * (1 - pow(q / p, z - k));
}
return sum; }
跑出一些结果,我们可以看到可能性随着z的增大呈指数下降。
q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006
解出P小于 0.1%...
P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340细节解读
《Bitcoin: A Peer-to-Peer Electronic Cash System》论文原文地址如下:https://bitcoin.org/bitcoin.pdf
版权所有声明
版权所有归属作者,未经允许不得转载、复制或用作它途。否则作者将具有追究法律责任的权利。
Copyright Clarify
Copyright ownership belongs to the author, shall not be reproduced, copied, or used in other ways without permission. Otherwise, the author will have the right to pursue legal responsibilities.