Extrapolation to Calculate the Probability of a Double Spending Attack

Extrapolation to Calculate the Probability of a Double Spending Attack NikolayPoluyanenko N. KarazinKharkiv National University

Svobody sq., 4 61022 Kharkiv Ukraine

Simon Kuznets Kharkiv National University of Economics

Nauky avenue 9а 61166 Kharkiv Ukraine

Extrapolation to Calculate the Probability of a Double Spending Attack 266F634DBE2077815AED4FE4F6605E08 GROBID - A machine learning software for extracting information from scholarly documents blockchain technology consensus protocols proof-ofwork double-spending attack polynomial interpolation binomial approximation

One of the important aspects of the efficiency of modern distributed networks built using blockchain technologies is the study of the security of consensus protocols. In particular, the most common cryptocurrencies and blockchain systems with probabilistic consensus protocols are subjects to so-called double-spending attack. The basis of such an attack is the use of the attacker's computing capabilities to form alternative blockchains. If the generated sequence is longer than the public chain of blocks, the attacker can present it as the proof of work and thus disrupt the correct functioning of the network. In this article we explore the probability of a successful double-spending attack, derive formulas for evaluating the corresponding events, consisting of the formation by the attacker of an alternative sequence of blocks. These formulas are extremely cumbersome and difficult to calculate. The paper proposes simplified analytical expressions to quickly assess the probability of a successful doublespending attack. For this we use the extrapolation of intermediate calculations using the Lagrange interpolation formulas, as well as binomial approximation. The simulation results show that the use of simplified expressions allows us to provide acceptable accuracy of calculations.

Introduction

Modern decentralized systems are a real alternative to the classical centralized approach in creating of complex information and telecommunication systems and networks [1][2][3][4]. For example, it is advisable to use decentralization in complex systems of corporate relations, in the provision of state and administrative functions, to build independent cryptocurrencies, as well as to create secure registers, cadastres, etc. [1][2][3]. These and many other aspects show the clear advantage of decentralized systems built on blockchain technology [5,6]. At the same time, for the most developed and studied blockchain networks with probabilistic consensus protocols, there is a risk of a double-spending attack. The essence of the attack is to use the features of consensus building protocols. For example, in the proof-of-work protocols, each record in the protected registry (each block of records) can be made only by the participant who was the first to solve the exhaustive task of finding the preimage of the cryptographic hash function. The block chain stores all the important records, and each following record (block of records) is connected with the previous ones through a one-way hash function. This is a reliable and safe way to save critical data, protect it from falsification, alteration, intentional or accidental modification. At the same time, an attacker who has sufficient computing resources may try to form an alternative chain of blocks (with other records in previous blocks). This will give him the opportunity to disrupt the proper functioning of the blockchain network, for example, by spending the same assets twice (cryptocurrencies, tokens, etc.). The probability of such unauthorized interference is extremely small (with the small computing capabilities of an individual attacker it is almost impossible). However, when building a critical information infrastructure, an extremely important aspect is the assessment of various risks and threats to information security, including the probabilities of successful implementation of various attacks. Therefore, assessing the security of blockchain systems and, in particular, assessing the likelihood of a successful implementation of a double-spending attack in systems with probabilistic consensus protocols, is an urgent and practically important scientific task.

In this article, we consider consensus protocols with probabilistic completion (such as proof-of-work), and assess the probability of a successful double-spending attack. For this, we use the model of independent players (as in our previous works [4]). This model differs from the gambler's ruin model adopted in [2,3] by both the number of elementary outcomes and general expressions for assessing the probability of a successful attack. To simplify computational calculations, we use polynomial interpolation, as well as binomial coefficients to extrapolate intermediate calculations. The results of numerical simulation show that simplified formulas can significantly reduce computational costs and obtain approximate estimates with acceptable accuracy of calculations. These results can be used to calculate the security indicators of blockchain networks with probabilistic consensus protocols.

The probabilities of forming a chain of blocks under the same initial conditions

To obtain the formula for the probability of a successful double-spending attack, let us consider the following possible probabilities and combinations in which the attacker succeeds:

1. Success is not possible on the first attempt (

1 0 0 1 t N j k       

). The attacker may form no more than one block in one attempt, and in order to succeed, he needs to wait for the generation of the block by the honest network and extend the chain of blocks to one more. Thus, the attacker needs to form at least two blocks. The probability of success of the attacker is defined as:

1, 0, 0 0 N j k PI     2.

The attacker may succeed on the second attempt ( 0 1 2 t N     ) if he managed to form on both attempts per block, and the honest network will form only one block (no matter on the first or second attempt).The total probability of this event:

          2 1, 0, 1 1 1 2 1 N j k PI p p qq p p qq p p q                   3. On the third attempt ( 0 2 3 t N     ).

If the honest network forms a block on the first or second attempt, then the second block should be formed by the attacker only on the third attempt, otherwise (if the second block is formed on the second attempt) there is a previous case (as for

1, 0, 1 N j k PI    ).

If the honest network forms the second block on the third attempt, there are no restrictions on the formation of blocks for the attacker. The total probability of the event will be calculated similarly to the events described above. Thus, the total probability will be:

        2 1 1 2 1, 0, 2 2 1 1 2 3 2 1 2 1 1 3 1 . N j k PI p p q q p p q q q                           4.

On the fourth attempt ( 0 3 4 t N     ) similar to the situation described in the previous paragraph, the total probability for the attacker to succeed will be equal to:

          3 2 1 2 1, 0, 3 3 2 1 1 2 3 4 3 1 3 1 1 6 1 4 1 . N j k PI p p q q p p q q q q q                               5.

On the t -th attempt ( 0 t N k    ) the probability of success of the attacker is equal to:

        1 1, 0, 1 1 2 2 0 1 1 1 1 1 1 1 1 0 1 k N j k k k k k PI p p k k k q q q q q q                                                    

Carrying out similar constructions and summing all the 0,1, 2, k   , we find the probability of a successful double-spending attack, provided that the honest network is formed of no more than 1 N  blocks:

        1 2 1, 0 1 1 0 1 1 1 1 1 1 1 1 . 0 1 k k N j k k k PI p p k q q k k q q q q                                                             Let us consider the case when 2, 0 N j   .

If 0 k  , as well as in the previous case, success is impossible. If 1 k  and, therefore, 0 1 3 t N     , the probability of success of the attacker is equal to:

  2 3 2, 0, 1 3 1 . N j k PI p p q         If 2 k  ( 4 t  ), the probability of successful attack is equal to:         2 2 3 2, 0, 2 2 2 3 4 3 1 3 1 3 1 4 1 . N j k PI p p q q p p q q q                              If 3 k  ( 5 t 

), the probability of success of the attacker is equal to:

          3 2 2 3 2, 0, 3 3 2 1 2 3 4 5 6 1 6 1 4 1 10 1 5 1 1 . N j k PI p p q q p p q q q q q                                  

The above results allow us to obtain expressions for arbitrary values of N and k :

      2 1 1 , 0 1 0 1 1 1 1 1 1 . 1 k k N N N N j k N t i i i t PI p p q q N t t q q N i                                                            Let us consider the case for 1, 1 N j   . If 0 k  attacker's success is impossible If 1 k  the probability of success of the attacker is equal to:     1, 1, 1 1 N j k PI p p p q q q           . If 2 k  ( 4 t  ) the probability of the attacker's success is equal to:       2 2 3 1, 1, 2 1 1 3 2 2 . N j k PI p p q q                 If 3 k  ( 5

t  ) the probability for the attacer to succeed is equal to:

    1 1 1, 1, 3 1 1 1 1 2 2 3 . 1 2 1 2 1 2 k k N j N j N j k PI p p q q k t k t k t                                                                       

Thus, summarizing the results for arbitrary initial values, we obtain the probability of a successful double-spending attack ( PI ) on blockchain systems using the consensus algorithm Proof of Work based on a hash function (without the attacker's advantage in one pre-formed block):

                      2 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 , k k N N k N t i i i k k N j N j p j k t PI p p q q N t t q q N i p q sum p q                                                                                     ( 1 )

where

t N j k    ;   ( ) ( 1 ) ( ) 2 3 1 2 1 2 1 1 1 1 1 N j N j N j k k t t p q ip ip ip ip ip ip ip sum sum                                           ;           ( )( 1 ) ( ) ( 1 )

( 2 )

2 3 2 1 2 1 ( 1) ( ) 1 1 2 1 1 1 1 m a x 1 , m a x 1 , max 1, 1 . N j N j N j j j j j j q t j t j k k t t iq iq iq iq iq iq iq ip iq iq ip iq iq ip sum                                                                          

Although the expression (1) provides an accurate quantitative result on the probability of successful double-spending attacks, it also has limitations on its use, which is related to the polynomial complexity of computational calculations. In this paper, we propose using an approximate formula to calculate the probability of a successful attack. For this, simplified expressions based on polynomial interpolation can be used. In addition, we explore other approximation methods, including using binomial coefficients. However, given the limited number of calculated coefficients of p sum , the expres- sion (1) gives a good match with the experimental data (setting up the computational experiment is given in [4]) when the probabilities q and p significantly (twice or more) differ from each other. However, there is no need to calculate the large number of values in the sum by j , that allows to be limited to some small pre-calculated set of values of p sum . Also, at , 0,2 q p  the blocks will be formed with a relatively high probability, that makes it possible to significantly reduce the sum by k . In addition, for smaller values N , the sum p sum grows more slowly, making it possible to calculate p sum for more values j and k . However, in order to improve the accuracy of the calculation (increasing the calculated coefficients j and k ), it is possible to extrapolate the values of p sum using polynomial approximation. Thus, for 1 j  the value p sum is very well approximated (within known values of k ) and extrapolated (beyond calculated values of k ) by a polynomial:

Extrapolation of the sum in the formula of calculation of the probability of success of the attacker4 3 2 0,125 0, 4167 0,375 0 ( 1, 1, ) ,0833 p sum k k k k k N j           ,p k k k k s m j k k k u N                

Extrapolation is also well done by j , and the value of k is fixed. As established experimentally, it is desirable to use the Lagrangian interpolation polynomial for computational methods (see, for example, [7] or [8]). The essence of which is as follows. We know some values of p sum at the first values of i x (we assume i

x to be i k or i j ), where 1, 2, , i n   , and n is the number of points by which the Lagrangian polynomial is constructed (in our case, for 1 N  , n must be chosen as 3 2 n j    for extrapolations by k and as 2 1 n k    for extrapolations by j ), then we can extrapolate p sum by Lagrange interpolation polynomial: 0 0, ( )

n n s p p i i s i s s i x x sum sum x x x                    .

The results of the extrapolation of value of p sum are illustrated in Figure 1, which shows a graph of the dependence of precisely calculated values of p sum (solid line) by formula (1) and its approximation and extrapolation (dashed line).

Extrapolation using a polynomial gives a very good accuracy, but with increasing k ( j ) increases the number of first values of p sum that must be known and whose values are taken into account in the Lagrangian interpolation polynomial. Given that we are aware of a rather limited number of p sum (for example, in Table 2 for 7 k  this is only for 15 j  ) polynomial extrapolation will also have some limits. The next extrapolation method we have applied is binomial extrapolation, that is, extrapolation using binomial coefficients of the form

2 1 i p N j k sum d N j            

where d -some coefficient 0 1 d   , which is selected experimentally. Binomial extrapolation gives much less precision than polynomial, but better than neglecting additives in general. This is especially noticeable when q p  and a significant number of coefficients j and k must be considered. Thus, the results obtained can significantly reduce the complexity of the calculations when calculating the probability of a successful double-spending attack. In particular, to calculate the probabilities by the formula (1), it is necessary to calculate an infinite number of sums p sum , each of which in turn is formed by summing a large number of terms. We were able to simplify these intermediate sums by introducing interpolation polynomial equations. By extrapolating the sums to a larger data range, we can replace complex and cumbersome calculations with simple and convenient calculations based on interpolation polynomials. The simulation results show that the values calculated in this way almost 100% repeat the results obtained by exact expressions using formula (1). These results can be useful for assessing the security of blockchain networks with probabilistic consensus building [9][10][11]. In particular, practical recommendations for constructing asset transfer protocols in decentralized systems can be justified through restrictions on the probability of corresponding risks. For example, given the restrictions on the admissible probability of loss of an asset as a result of a double-spending attack, our formulas allow us to calculate the minimum number of confirmed transactions (length of a chain of blocks) and these calculations can be performed very quickly even in the conditions of a rapid change in the share of controlled computing resources. These and other studies are our promising areas of further work.

Conclusions

This paper address in detail one of the main vulnerabilities of blockchain systems built by consensus with probabilistic completeness -the double-spending attack.

Basing on the model of "independent players", we have obtained the analytical expression of the probability of a successful double-spending attack on a blockchain system which uses the consensus algorithm Proof of Work (PoW) based on a hash function depending on the number of confirmations used and the number of attempts and hash rate of both the honest network and the attacker.

The adopted model of "independent players" and the resulting formula (1) eliminates the significant disadvantages inherent in other work in this field, namely:

 the race between two participants of the network does not have to be endless, it is enough to be limited by some fixed number of attempts;  uses a more adequate, in the authors' view, model of "independent players", which includes a space of four elementary events, instead of two, used in the model of "gambler's ruin";  the probability of forming a block with the honest network and the attacker are independent quantities that are directly determined by the capacities possessed by the participants, and the mentionedprobabilities are independent on each other, that is, the requirement 1 p q   is optional;  it is calculated the probability for the attacker to be ahead of the honest network, and not only the probability of catching up with it, that is, when the attacker does not have an advantagein one pre-formed block.

The quantitative values obtained by the expression (1) of the probability of a successful attack for different opportunities of the attacker (the probability of forming a block), the different number of formed blocks after which the agreement is considered confirmed, the different duration of the race (the number of blocks during which the attacker continues to catch up the network) are given. To simplify the numerical calculations, it is proposed to use polynomial approximation. In particular, the intermediate sums in formula (1) were able to be approximated by Lagrange interpolation polynomials. In addition, we used binomial extrapolation. However, the simulation results show that polynomial interpolation provides greater accuracy. The formulas obtained make it possible to quickly assess the probability of a successful doublespending attack using these simplified formulas.

This study can be useful for modeling and evaluating the effectiveness of blockchain networks, as well as in other practically important applications [12][13][14][15][16].

Fig. 1 .1Fig. 1. Dependencies of values of

Table 1 .1Values ofThe value of sums (p sum andq sum ) is increasing very fast and even atj 10andk 15the calculation becomes a very difficult task. For example, ifj 20and7 k  the sump sum 16 570 275 123(this value was calculated by the computer forseveral hours). On the other hand, these sums for each value N could be calculatedonce and used for different probabilities. Tables 1, 2, as an example, provide calcu-lated values ofp sum forN 1, 5and some values of j and k .p sum in the expression(1) forN 1jk12345671 1725651402664622 11158210602147031923 11611756320736327167974 1222131314604122528717755 129359276115495693052609236 1375705345359501899098339187 14686396907692747376823995658 156125716648154007109359663274759 16717732734929159223646421549874210 17924344325652652048356063563916011 19232656622591269594235497758672312 1106429398570152690717608428 16100716513 11215547143133247603131706737 32028835514 11377058203359390580855248173 61362947815 11548859283376601142593484314 113670903516 1172109853880809050125154064036 204278375717 11911347352322513356092 247916850 357165770218 12111636269551819357870 390392550 609068855219 12321969391271927598589 602713571 1015189035320 125423509118374638759285 913805304 16570275123

Table 2 .2Values ofp sum in the expression (1) for5 N  .jk12345671 1436315335317951482195751072 15190091006421535070915782143 16012651518512592579983441455054 1701745246002372791736315102770505 1812361386614293873587388240538486 1933136590457482307079128533816647 11064095878501259860134002681129007888 112052651276602056860244348382286742509 1135667518161532662534308499544551429510 1151835625348650590637371004983812821411 1168103413477557661745122712954 152767545712 11861266546970011369715199311469 270584588413 12051536562548516563225316537844 466921378014 12251848082225523725842492518292 786741592015 124622051106823633465804752091712 1296966901216 126826121137284046540540112883617217 129130735174677563884655166758158718 131535940220216086641695242749787719 1340417852752645116200021 348585970620 1366483213413536154233135 4942601727

EZaghloul TLi MWMutka JRen ArXiv, abs/1904.11435 Bitcoin and Blockchain: Security and Privacy 2019 Bitcoin: A Peer-to-Peer Electronic Cash System SNakamoto 2009 MRosenfeld Analysis of hashrate-based double-spending 2014 Simulation of double spend attack on the "Proof of Work" consensus protocol NAPoluyanenko AAKuznetsov 10.30837/rt.2019.3.198.11 Radiotekhnika 3 2019 in Russian) EZaghloul TLi MWMutka JRen Bitcoin and Blockchain: Security and Privacy 2019 An Explanation of Nakamoto's Analysis of Double-spend Attacks APOzisik BNLevine 2017 Fundamentals of numerical methods LITurchak PVPlotnikov 2003 304 Moscow, Fizmat in Russian) 10.3840/001276 Interpolating Polynomial 2007 MPilkington 10.4337/9781784717766.00019 Blockchain technology: principles and applications Probabilistic Blockchains: A Blockchain Paradigm for Collaborative Decision-Making TSalman RJain LGupta 10.1109/UEMCON.2018.8796512 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) IEEE 2018. 2018 A Probabilistic Analysis on Crypto-Currencies Based on Blockchain MBhat SVijayal 10.1109/ICNGCIS.2017.37 2017 International Conference on Next Generation Computing and Information Systems (ICNGCIS) IEEE 2017 Performance of Hash Algorithms on GPUs for Use in Blockchain AKuznetsov KShekhanin AKolhatin DKovalchuk VBabenko IPerevozova 10.1109/ATIT49449.2019.9030442 IEEE International Conference on Advanced Trends in Information Theory (ATIT) IEEE 2019. 2019 Modelling instruments in risk management SBondarenko BLiliya KOksana GInna International Journal of Civil Engineering and Technology 10 1 2019 On the convergence of fourier means and interpolation means KRunovski HSchmeisser Journal of Computational Analysis and Applications 6 3 2004 Numerical-analytic method for finding solutions of systems with distributed parameters and integral condition BPTkach LBUrmancheva 10.1007/s11072-009-0064-6 Nonlinear Oscillations 12 2009 Controlled Markov Fields with Finite State Space on Graphs RKChornei VMDaduna HKnopov PS 10.1080/15326340500294520 Stochastic Models 21 2005