February 27, 2024

Guarantees of the final calculation, or how to evaluate blockchains

How long does it take to finalize transactions on major blockchains? How long until Bitcoin transactions can be considered final? What are the risk factors that call for increasing the number of expected confirmations? How do confirmations affect transaction settlement?

Surprisingly, none of these questions has a good answer, even in 2019, 10 years after the first Bitcoin block was mined. A thorough study of the properties of proof-of-work is hampered, on the one hand, by the idea that it is only a temporary solution on the way to some better Sybil-resistant consensus mechanism, and, on the other hand, by bitcoiners' conviction of the unshakable advantages of this algorithm.

But these are fundamental questions. If you think that public blockchains with open validator sets and distributed consensus mechanisms will exist and be used to transfer value in the foreseeable future, then these issues are worth considering. And if you run an exchange and your financial wealth depends on correctly assessing the required number of confirmations on various blockchains, then they are absolutely crucial. To begin with, let me explain why I think that transaction settlement guarantees (finality) are the main thing to pay attention to when considering any public blockchain.

What is the most important thing about Bitcoin?

Oddly enough, this question is not so simple to answer. Ask ten bitcoiners and you will get ten different answers. The fundamental disagreements on the question of what Bitcoin is intended for, its theologies, practically split the community in 2014-2017. Last year, Hasu and I tried to briefly capture these competing views. Others noticed our initiative and developed this topic. I would especially single out an article by Murad Mahmudov and Adam Taché. Daniel Krawisz also addressed this topic in 2014.

According to Krawisz, Bitcoin is understood very differently by two main categories of users: investors and entrepreneurs. Investors, he writes, see Bitcoin as a new form of highly efficient monetary base that primarily supports Investors tend to believe that Bitcoin will get For them, evangelism has no effect on the innate power of its monetary properties. Entrepreneurs, in Krawisz's understanding, are more interested in Bitcoin as a global payment system, and pay attention to As anyone who has followed the crypto sphere in 2015-2017 knows, the disagreements between the two camps led to a bitter "civil war" to define Bitcoin's purpose, with block size as the main battleground.

I tend to think that the most important thing about Bitcoin is its ability to facilitate transfer I believe that Bitcoin is a new institutional technology – a technology for storing and transferring value with a high level of guarantees and without reliance on the state or the financial system, which will open up new models of human organization and allow productive commercial activity to be conducted in places where property rights are poorly enforced.

So, if the key feature of the system is its guarantees regarding settlement of transactions, how can we evaluate them? And how can we make a consistent comparison between Bitcoin and other systems with open validation?

Transaction Finalization Assessment

So what exactly is meant by transaction settlement guarantees? It means the ability of the system to give recipients of funds confidence that an incoming transaction will not be canceled. Electronic money transfers through financial messaging systems (such as SWIFT) are popular in part because they are almost impossible to cancel. They are considered safe for recipients, since the sending banks will only release funds if they are fully present in the sender's account.

That's why the thieves who organized the billion-dollar robbery of the central bank of Bangladesh used SWIFT and bank transfers: they wanted to use guarantees of final settlement. In other words, for the theft they chose a system that they knew was hard to reverse. As a result, $61 million of the funds stolen in this robbery were never returned. This is not proof of the failure of the SWIFT system and bank payments, but rather shows the strengths of the system. Even in this case, when almost all parties involved in these transactions wanted to cancel them, they could not do it. The system is resistant to transaction cancellation, discretion, and retrospective change. This does not make it a bad system. On the contrary, this makes it a system that provides counterparties with a high degree of confidence in the finality of transactions.

Likewise, Bitcoin is a useful system because it provides users with powerful guarantees of the finality of settlement. Exactly how good this system is, we don't know. LaurentMT has written probably the most scientific study of this topic. In general, though, the properties of Bitcoin's PoW are not yet fully understood. There are several episodes of reorganization in its history, but as far as we know, these were not deliberate reorganizations for the purpose of theft. And we know that miners dedicate huge real-world resources to mining transactions. This means that recipients of bitcoin transactions can have extremely high confidence that, after receiving multiple confirmations, the transaction is unlikely to be canceled.

However, this cannot be said of many other cryptocurrencies. Although outwardly they may in many cases seem similar to Bitcoin, none of them can provide users with equal guarantees of final settlement. This is not necessarily a consequence of design flaws; it is just that Bitcoin block space has a higher accumulated cost, and therefore a higher cost of attack, per unit of time, and in addition Bitcoin has almost a monopoly on its hash function and is mined with specialized equipment. Surprisingly, many weaker blockchains have not been attacked, even though the cost of attacking them was relatively low. This is most likely because monetizing a 51% attack requires an exchange, which creates additional difficulties. And, frankly, most small coins are quite small (and almost illiquid), which significantly limits the profitability of an attack.

To get an idea of how vulnerable many cryptocurrencies are, take a look at crypto51.app. The resource's methodology is based on the somewhat unrealistic assumption that an attacker can rent enough equipment on Nicehash, but it lets you determine a lower bound on the cost of an attack on these systems.

So what are the key variables for measuring transaction finality in public blockchain systems? I propose first to classify these variables by how amenable they are to quantitative assessment: those that are easier and those that are more difficult to evaluate in this way.

Quantifiable Variables

Cumulative registry value

The accumulated value (or "costliness") of a ledger is the deepest and most immediate variable available to us for assessing the guarantees of finality of transactions on the blockchain. Simply put, it is equivalent to the amount paid to validators/transaction selectors per unit of time. In Bitcoin, miners are rewarded with block subsidies and transaction fees, which gives them a financial incentive to "play by the rules" by conscientiously performing their tasks. In proof-of-work algorithms, miners provide irrefutable proof that they have consumed some amount of electricity and therefore incurred costs for each block they propose. At the time of mining a block, the miner must spend resources, the cost of which, with rare exceptions, is approximately equivalent to the value of the block (usually with a small margin). Therefore, miners have an incentive to create valid blocks that comply with the rules of the network.

It's like a school project in which you need to read a book and submit a written analysis of it. You need to provide the teacher with proof that you have read the book, so you write an analytical paper on it (like a valid block hash with enough leading zeros), which you can only do if you really read the book (computed enough hashes). Since your teacher is also very attentive to style, you will need to format your paper correctly (create a well-formed and valid block). It would be a tragedy to read the whole book only to hand in an incorrectly formatted paper and get a failing grade. Proof-of-work works in a similar way: the work is done first, and the reward for it is received later. You bear real expenses and your business depends on correctly carrying out all the bureaucratic steps necessary to receive the reward, so you do everything possible not to spoil this part. Recently, a miner did all the work necessary to form a block, but stumbled at the last stage, creating an invalid block. (For a more complete description of how the incentive system works in PoW, read the article by Hugo Nguyen.)

So why does a larger registry cost accumulated per unit of time mean more security for counterparties? Because a larger reward for miners (assuming we are talking about honest miners) means that to defeat them you will need to gather more mercenaries. These resources must come from somewhere: you will need to mobilize equipment capable of producing hashes, electricity, and so on. (There is an argument that since attackers receive the block subsidy in a 51% attack, network security in PoW is really ensured only by fees. I will not go into a full analysis of this topic here; for now, I will just proceed from the assumption that subsidies, especially when specialized equipment is used, are like a huge lump that first needs to be cleaned of all the excess before one can theorize about 51% attack scenarios.)

To summarize, trying to outcompete the multitude of honest miners who faithfully produce Bitcoin blocks is very expensive. Their total income today is $6.9 billion per year, and many of them have presumably invested heavily in this business in anticipation of future cash flows (this means that the amount of equipment active on the network may be even greater than the miners' current gross income would suggest).

The annual gross income of Bitcoin miners, in USD. Data: Coinmetrics.io

Thus, Bitcoin is protected not only by the reward that the protocol pays to the miners now, but also by the discounted reward that these miners expect to receive in the future.

We don't have an easy way to model expectations, so the simplest thing to do is take miner income per unit of time and compare blockchains on that basis. Even if you stop reading the article at this point and just remember that last thought, you will already have a better understanding of blockchain security than most people. Very few actors, even those for whom the stakes are very high, such as exchanges, take the trouble to conduct such a comparative analysis of blockchains.

Anthony Lusardi has already done great outreach on this topic. He introduced BitConf (from "confirmation"), an indicator of how many confirmations other blockchains, such as Litecoin, require to achieve a level of security equivalent to one Bitcoin confirmation.

Suffice it to say that most people don't use BitConf and don't try to index the calculation In the "popular" view, settlement finality is a linear function of the number of confirmations. Even on the Litecoin Foundation's website, the following statement implicitly assumes this:

Litecoin transactions are confirmed faster than in most cryptocurrencies, such as Bitcoin, because in Litecoin a block is generated every 2.5 minutes, in contrast to the 10-minute interval in the Bitcoin network. This means that your money reaches the recipient faster.

The moment when a transaction is first selected from the mempool and included in the chain really does come sooner in Litecoin, but in cryptocurrencies transaction settlement should be considered probabilistically. In other words, if you are only concerned with the first confirmation, then Litecoin is really faster, but as soon as you are interested in longer-term finality (through many confirmations), it becomes clear that Litecoin is much slower.

If you believe that each confirmation in Litecoin and in Bitcoin gives equal guarantees of final settlement, then graphically this can be expressed as follows, and Bitcoin in this case is obviously slower:

But it's not right. Litecoin generates more blocks per unit of time, but it accumulates the registry value much more slowly. In fact, Bitcoin pays its army of miners much better, and as a result, they produce significantly greater security in the form of hashes per minute.

Even if Litecoin had a 10-minute block interval, Bitcoin would still cost 14.5 times more than Litecoin. In fact, the confirmations do not matter much. which is important.

Alternatively, you can visualize the accumulated value of the registry as blocks accumulating on top of their predecessors, where transactions become more and more final as they sink deeper into the stack of blocks.

The block width is approximately proportional to the relative security costs of each blockchain.

As more and more blocks are added to the stack, the probability of earlier blocks being reversed decreases, and transactions become more final. In this figure, I scaled the width of the blocks according to the relative accumulated cost of the registry and showed the division into blocks.

The bottom line here is that the settlement of transactions in blockchain systems is a stream. The interval between blocks by and large does not matter. Ethereum creates many more blocks per hour than Bitcoin, but transaction settlement on these blockchains should be compared based on the cost of the registry, not the number of confirmations.

Cancellation Profitability: Transaction Size

The accumulated value of the registry is not the only thing that matters for the finality of settlement. The incentive someone has to cancel the transaction also matters. If you are the recipient of a 50,000 BTC transaction, you may want to wait longer than the generally accepted 6 confirmations as a precaution. If you receive 1000 satoshis, one confirmation will probably be enough. That is, depending on their size, transactions may have a greater or lesser perceived "finalizability": an acceptable number of confirmations before the settlement can be considered final.

Elaine Ou formalized this concept in a wonderful article for Bloomberg, in which she claims that transaction settlement can be considered final when the accumulated registry value is equal to the transaction value.

Elaine's formulation successfully combines the two most important quantitative variables in blockchain settlement: registry value and the profitability of transaction cancellation. If you want to wait for final settlement of an incoming transaction of $10 million in BTC, then under this rule the waiting period would be about 60 blocks, or 10 hours. (Coincidentally, at the BTC/USD exchange rate of $13,330 that existed at the time of writing, Bitcoin accumulated registry cost at a rate of $1 million/hour.)

Now that we have named the two most important variables for finalization, let's substitute the numbers and compare the result for the largest PoW networks.

All figures are as of 07/15/2019. Data: Coinmetrics.io

Needless to say, final settlement of Bitcoin blockchain transactions is by far the fastest (considering only these two variables, without other important indicators). Settlement of an incoming transaction of even $1 million on many blockchains can be extremely slow. With the exception of Bitcoin, Ethereum and Litecoin, on any other decentralized ledger this process takes more than a day (I do not consider Ripple and Stellar, because their validation process is not decentralized). Smaller blockchains simply do not pay miners enough for final settlement of transactions to occur in a reasonable amount of time.

At Howmanyconfs, comparative information about the required number of confirmations is presented in the form of a dynamically updated table.

It's also worth noting that on Bitcoin Cash and Bitcoin SV final settlement of transactions is 33 and 69 times slower, respectively, than on Bitcoin. While functionally identical in many ways to Bitcoin, they are de facto significantly slower as they offer This is in direct contrast to their usual positioning as "faster" blockchains.

This can also serve as a great example of how Bitcoin resists duplication. You can create something that looks like Bitcoin, but you can't reproduce its guarantees of final settlement, which arise from the accumulated cost of the registry. Miners exist in economic reality and cannot be persuaded to support a protocol that pays them too little for their work. In fact, as we will learn in the next section, Bitcoin Cash and Bitcoin SV are even weaker than shown in this table, due to the presence of a third variable.

Monopoly on its own hash function

So far I have not mentioned the third critical variable that directly affects the guarantees of final settlement on a particular blockchain: whether it has an effective monopoly on the equipment that works with its hash function. As I said, Bitcoin Cash and Bitcoin SV are at an extreme disadvantage compared to Bitcoin, being supported by only a negligible share of all operating SHA-256 ASIC miners. This means that any pool mining Bitcoin, even one of medium or small size, can temporarily redirect its hashing power to one of Bitcoin's smaller forks and carry out a 51% attack on it.

The relative share of miners' revenue: BTC (orange), BCH (green), BSV (red). Coinmetrics.io

The fact that these blockchains have not yet been attacked does not guarantee their future safety. It may well be that at the moment there are no Bitcoin miners who want to maliciously interfere with the operation of any fork, but dependence on the goodwill of miners makes the security model of these forks extremely weak. Since this risk is constantly present, it can be argued that no such blockchain can in principle ensure final settlement of transactions, regardless of the number of confirmations. This is because Bitcoin has more than enough mining pools that could easily reorganize the BSV blockchain to a depth of 100 or more blocks.

This variable makes analysis more difficult. A larger hash rate by itself does not necessarily mean that the blockchain is more secure; it should also be backed by a larger share of the specialized equipment.

In this example, I would describe blockchain A as less secure than B, even though it has a higher registry value in absolute terms, because it is theoretically easier to gather enough equipment to attack blockchain A.

So this variable should be treated as a Boolean: if the blockchain has an effective monopoly on equipment compatible with it, then the analysis is simple. If it is in the unfortunate position where equipment for its hash function is also used to mine other blockchains, and it is supported by only a relatively small fraction of that hashing capacity, then such a blockchain is probably fundamentally unsafe. Although it is difficult to determine just how unsafe it is, the risk of an attack depends on the attackers' ability to gather enough electricity and equipment.

Less quantifiable variables

The three variables mentioned above are not exhaustive; they are simply easier to quantify. With them, you could probably build a plausible model that surpasses those used by most exchanges today. But there are many more factors that also need to be considered.

Cancellation Profitability: The Goldfinger Attack

The name "Goldfinger" is borrowed from the James Bond film, in which the villain plans to irradiate all the gold at Fort Knox and thus increase the value of his own This term describes a class of attacks where the attacker's actions are motivated by some financial incentive that exists outside the protocol. Joseph Bonneau describes them more scientifically as attacks in which "attackers [have] an extrinsic motivation to disrupt the consensus process."

Quantifying the risk of such attacks is practically impossible, because attackers can have a variety of motives and, as a rule, do not reveal them before the attack. Here I will give two other examples in which the profitability of transaction cancellation increases sharply, which may call the guarantees of final settlement into question.

Top layer overload

This refers to a condition in which a large amount of financially significant assets is created in the form of tokens on top of some base-layer protocol, such as Omni assets on Bitcoin or ERC20 tokens on Ethereum. Since these tokens inherit their security from the base layer and depend entirely on it, they are vulnerable to attacks on the base blockchain.

As asymmetries develop between the value of instruments on the second and higher layers and the cost of attacking the base layer, the problem of top-layer overload begins to appear. If the asymmetry becomes large enough, an attacker can try to open a short position on some of the top-layer instruments and simultaneously attack the underlying blockchain, either by mining empty blocks and DoS-ing the corresponding tokens, or by reorganizing the blockchain and creating confusion.

We already have real-world examples of the consequences for systems with overloaded top layers. Attackers recently began to regularly attack the underlying index that sets the price for BitMEX derivatives. Because of the significant asymmetry between the collateral present on BitMEX (the top layer) and the underlying reference market (the base), it becomes profitable to burn funds in market orders on Bitstamp, because an attacker can profit by triggering an exaggerated price movement on BitMEX through the liquidation of margin positions.

I do not think any blockchain faces such a problem today, but as more and more financial instruments are converted to tokens existing on top of blockchains, the profitability of an attack on the base layer will increase.

Liquid Derivatives Markets

This is explained quite simply. Derivative financial instruments, and, in particular, options, give financial market participants the opportunity to trade with greater leverage and receive more income even as a result of a relatively small change in the price of the underlying asset. As in the case of overloading the upper layers, the risk for the blockchain arises when there is a significant asymmetry between the cost of attack and its profitability.

Creating liquid derivatives markets allows attackers to increase their profits from predicting price movements; and if they can provoke a fall in the price of an asset by attacking it, then the guarantees of transaction settlement on the blockchain are potentially at risk. As the profitability of the attack increases, so does the amount of resources the attacker is ready to commit to it. So an increase in leverage on the sell side potentially weakens the guarantees of final settlement on the blockchain. But due to the heterogeneity of the actors and the uncertainty about the ability to monetize such an attack, it becomes impossible to quantify this risk, adjusted for the security level of the blockchain.

Of course, one counterbalance to such attacks could be the exchange's potential unwillingness to pay out profit on a position if it suspects that the trader in question coordinated his actions with an attacker targeting the blockchain.

Additional aspects regarding equipment

As for hardware for a particular hash function, it should be noted that GPU-mined coins cannot have a monopoly on their hardware, as there are too many GPUs in the world (thanks to games and other non-cryptocurrency applications).

Thus, for GPU-mined coins more confirmations should always be required. It is difficult to say exactly what the ratio should be between a unit of accumulated registry value with GPU mining and one with ASIC mining. But building a security model on GPU mining should definitely be regarded as an additional risk factor, if only because of how easy it is to mobilize GPU mining equipment.

Case Study: Kraken Confirmation Requirements

Surprisingly, from my many conversations with representatives of exchanges, who have something to lose from poorly calibrated transaction settlement rules, it seems that they usually think little about confirmation rules. I could not find detailed information on how many confirmations exchanges require before considering incoming transactions final. Fortunately, Kraken has published its criteria.

I decided to compare the confirmation requirements on Kraken with the naive implementation of BitConf from Lusardi - simply requiring all blockchains to provide the equivalent of six confirmations in Bitcoin.

Data: Deposit Processing Time at Kraken, Coin Metrics

The results are striking. Depending on the point of view, one can say that Kraken imposes either extremely stringent requirements on Bitcoin transactions or understated requirements on transactions on other blockchains. While requiring six confirmations to credit a Bitcoin deposit, they ask for only 12 confirmations for Litecoin (where 174 confirmations would be equivalent to Bitcoin in terms of security), 30 for Ethereum (equivalent to Bitcoin: 173) and 15 for Monero (equivalent to Bitcoin: 2000).

My guess is that six confirmations are clearly excessive for Bitcoin, and in this light Kraken's less demanding requirements for other blockchains look somewhat more reasonable. Nevertheless, the results of consistently applying the accumulated registry value variable sometimes look outright comical. QTUM, for example, would require 67,000 confirmations, or 115 days of waiting, to meet the same level of security. (QTUM, however, may well have some alternative settlement mode unfamiliar to me: my calculations are simply based on the amount of payments to validators.)

Of course, this is a very naive implementation of the model. A more complex version would have to take into account the higher security requirements for blockchains without a hardware monopoly, GPU-mined coins, large incoming transactions, etc. I would recommend that all exchanges consider introducing a systematic set of rules for incoming transactions, if they have not already done so. Regardless of the formula chosen, the result is likely to be fewer confirmations for Bitcoin and more for smaller blockchains.
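A sketch of such a rule set, as an added example (not code from the article, Kraken, or Lusardi's BitConf): it combines the naive "equivalent of six Bitcoin confirmations" floor with the transaction-value rule and the hardware-monopoly flag. The $1 million/hour Bitcoin rate and 10-minute interval come from the article; SmallCoin, ForkCoin, their spend rates, the way the rules are combined, and the `risk_multiplier` parameter are constructed assumptions.

```python
import math
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Chain:
    name: str
    spend_usd_per_hour: int   # payments to miners/validators per hour
    block_interval_s: int     # target block interval in seconds
    hardware_monopoly: bool   # dominates the hardware for its hash function?

    def cost_per_block(self) -> Fraction:
        # Exact rational arithmetic: with floats, a deposit that needs
        # exactly 60 blocks can be rounded up to 61.
        return Fraction(self.spend_usd_per_hour * self.block_interval_s, 3600)


def confirmations_for_value(chain: Chain, tx_value_usd: int) -> int:
    """Blocks until the accumulated ledger cost reaches the transaction value."""
    return max(1, math.ceil(Fraction(tx_value_usd) / chain.cost_per_block()))


def equivalent_confirmations(chain: Chain, reference: Chain,
                             reference_confs: int = 6) -> int:
    """Blocks on `chain` that cost as much as `reference_confs` reference blocks."""
    target = reference_confs * reference.cost_per_block()
    return max(1, math.ceil(target / chain.cost_per_block()))


def deposit_policy(chain: Chain, tx_value_usd: int, reference: Chain,
                   reference_confs: int = 6,
                   risk_multiplier: int = 1) -> Optional[int]:
    """Confirmations to require before crediting a deposit.

    Returns None when the chain lacks a hardware monopoly: the article argues
    that no depth is final there, so the deposit goes to manual review.
    risk_multiplier is a hypothetical knob (for example for GPU-mined coins);
    the article gives no figure for it.
    """
    if not chain.hardware_monopoly:
        return None
    base = max(equivalent_confirmations(chain, reference, reference_confs),
               confirmations_for_value(chain, tx_value_usd))
    return math.ceil(base * risk_multiplier)


def wait_hours(chain: Chain, confirmations: int) -> Fraction:
    """Expected wall-clock wait for the given number of confirmations."""
    return Fraction(confirmations * chain.block_interval_s, 3600)


# Bitcoin figures are the article's; every other chain is constructed.
BTC = Chain("BTC", 1_000_000, 600, True)
BTC_FAST = Chain("BTC-2.5min", 1_000_000, 150, True)   # same spend, shorter interval
SMALLCOIN = Chain("SmallCoin", 20_000, 150, True)
FORKCOIN = Chain("ForkCoin", 30_000, 600, False)        # minority share of its hash function


if __name__ == "__main__":
    for chain, value in [(BTC, 10_000_000), (BTC_FAST, 10_000_000),
                         (SMALLCOIN, 50_000), (SMALLCOIN, 2_000_000),
                         (FORKCOIN, 50_000)]:
        confs = deposit_policy(chain, value, BTC)
        if confs is None:
            print(f"{chain.name:11} ${value:>10,}: manual review, no final depth")
        else:
            hours = float(wait_hours(chain, confs))
            print(f"{chain.name:11} ${value:>10,}: {confs} confirmations (~{hours:g} h)")
```

The two Bitcoin rows need different confirmation counts but the same waiting time, because only the spend per unit of time enters the calculation.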

Some conclusions

What practical value does all this have? Well, while we continue to wait for these variables to be formalized within a meaningful model that is directly applicable to the daily use of cryptocurrencies, here are a few conclusions that can be drawn now:

I. The interval between the blocks can be anything, it changes little

The only thing a shorter block interval changes is that it reduces the variance in waiting time for the initial confirmation. An impatient person will probably prefer a blockchain with a 2.5-minute interval between blocks, but this does not mean at all that settlement of transactions on it will be any faster. It will not affect the accumulation rate of the registry value, which is a function of the issuance rate and the coin price.

Indeed, Bitcoin could reduce the block size by 25% and reduce the interval between blocks to 2.5 minutes, and no one would notice the difference. The system would remain functionally identical, only the generally accepted rule of six confirmations would be replaced by a rule of 24 confirmations. Satoshi chose a 10-minute interval because he did not know how easily the system could reach convergence. Delays and large blocks interfere with validation and make convergence between nodes difficult. A healthy 10-minute interval between blocks leaves the system a sufficient margin, and also gives us an idea of what kind of system Satoshi planned (hint: not one suited to small money transfers).

It's true that the first confirmation matters as your transaction can't begin to dive deeper under the weight of subsequent blocks until it is In addition, the smaller interval between blocks reduces the However, with these caveats, the interval between blocks can be In addition to qualities accumulating the value of the registry, the finality of settlement of transactions is also determined by security costs per unit of time. A smaller interval between blocks only means that you are breaking that security flow into smaller chunks. This does not make final settlement any faster.

II. Either Bitcoin's security is redundant, or other blockchains are fundamentally unsafe.

This is the clearest conclusion that can be drawn from all the comparative analysis exercises I did for this article. If we compare blockchains solely by the amount paid to transaction selectors (miners and validators) per unit of time, then for the most part they look catastrophically weak compared to Bitcoin. Just take a look at this chart. Apart from Bitcoin, Ethereum and Litecoin, the rest of the cryptocurrencies on it are almost indistinguishable, so minimal are their security costs.

Miners' daily income in USD (7-day moving average). Coinmetrics.io

It's not necessarily fatal. Maybe Bitcoin is significantly overpaying for security and proof-of-work is actually "better" than we think. In fact, this is the view I'm currently leaning towards: due to the current size of block subsidies, combined with the high value of BTC, Bitcoin is likely spending "too much" on security. But this creates a margin of safety that will provide it with a good degree of protection in the future transition period.

So these results are not necessarily apocalyptic for small blockchains. In the end, even though Satoshi blessed the rule of six confirmations, it may well be that for most transactions one or two blocks are enough. This would reduce the load on other blockchains trying to somehow match the costs of Bitcoin security.

III. Finalizing transactions is always probabilistic.

I admit that I got a little carried away with regard to when new blockchains gain "absolute finality". The only way to actually get final transactions is for some organization to vouch for them, guaranteeing their finality, that is, essentially approving them. But in this case, authorities who may have an interest in reversing transactions (for example, if they suspect they are related to criminal activity) will usually require the organization to reverse the relevant payments, which undermines the perceived finality of settlements.

Let's take EOS as an example. EOS has the concept of a "last irreversible block"; regarding the transactions in it, according to EOS Canada,

you can have 100% confidence that they are final, fully confirmed and unchanged. If the block number is less than the last irreversible block, then it is considered final.

According to EOS Network Monitor, the head of the blockchain (at the time of writing) was 330 blocks past the current last irreversible block, which is equivalent to about 2 minutes and 40 seconds. Together, this makes the claimed time to finality on the EOS blockchain very small.

In addition, there is a nuance: EOS has (or had?) a bureaucratic process through which users can contact the EOS Central Arbitration Forum (ECAF) and ask it to freeze allegedly stolen funds and return them to the victims, in effect canceling long-finalized transactions. A series of such cancellations was made in July 2018. This was possible because there were only 21 entities (block producers) entrusted with processing transactions, and each of them was well known to the administration and therefore accountable.

Although many observers welcomed the returnstolen funds, from the point of view of transaction calculation, this eliminates the qualities that counterparties are looking for in the blockchain. In practice, any transaction cancellation cancellation mechanism can be used for abuse. The reason for including commissions in bank card transactions is the prevalence of refund fraud.

Imagine a complicated scam in which someoneI sold EOS for fiat in a p2p transaction, and then appealed the transaction to ECAF and managed to get these EOS back, declaring the transaction fraudulent. This kind of scheme becomes possible when there are administrative exceptions to the finality of transactions.

I could give many examples on this subject, butI’ll limit myself to one. In practice, many blockchains, declaring their full and valid finality, also leave in their systems the ability to selectively cancel transactions and block accounts. In any case, you need to consider the probability of a transaction being canceled, even if it is not explicitly stated in the code.

IV. Being open about its security model, Bitcoin's PoW algorithm is completely transparent.

Quoting Elaine W again, one of the most useful qualities of the Bitcoin security model is its openness and comprehensibility. It is not easy to determine the exact size of the guarantees (how many confirmations are needed to settle a billionth transaction?), but you can determine the amount of resources spent on keeping the system viable. At any time, an observer can easily determine how many hashes and how much energy are required to overpower the system. Over the past years, it has become clear that no entity, with the exception of the most powerful states, can mobilize enough resources to outweigh the honest majority.

In contrast to the simplicity of the Bitcoin model, other blockchains attempt to improve security through obscurity, increased complexity, or opaque institutional finalization regimes. Verge, for example, combined five different hash functions in its exotic proof-of-work model, and this ultimately caused its failure. The attacker realized that he could carry out a "Time Warp" (time distortion) attack, choosing only one of the hash functions as a target and gradually reducing the difficulty to 1. Increasing the complexity of the system not only does not improve its security, but also adds new attack vectors.


If I had to choose the most important thing I would like you to take away from this article, it would be the following. Instead of considering transaction settlement as a function of a certain predetermined number of confirmations, consider settlement in a proof-of-work system as a process of slow petrification of wood. It proceeds at a given speed, which cannot be artificially increased. The speed is determined by the variables listed above: mainly, the accumulated cost of the ledger, the size of the transaction and the availability of the equipment used in mining. At the end of the process, the wood is replaced by minerals and hardens. The shape and characteristics of the wood become fixed over time.

Similarly, blockchains, in Nick Szabo's formulation, are computational amber. Initially, amber is tree sap, and it only becomes harder over time as it preserves pieces of information (insect DNA, etc.). The most important process of burying past ledger changes under falsified value, provided by proof of the costs incurred, provides the same guarantees of slow finalization. With the accumulation of a large number of blocks, blockchain gravity manifests itself, making a deep change in the history of its records expensive and inconvenient.

The remuneration available to miners, and therefore the costs incurred, is a function of the issuance rate, unit price and fees. None of these indicators, with the exception of the issuance rate, can be directly programmed. And a high issuance rate alone cannot guarantee security, since investors must invest in the blockchain, thereby ensuring its value. In this sense, reliable guarantees of the final settlement of transactions in a proof-of-work system cannot be planned; they can only emerge in the process. Whether this conclusion is gloomy or not is up to you.

In this article I tried to talk about the variables that I consider most important for assessing guarantees of final settlement on blockchains, especially those with proof-of-work. But, as you probably noticed, I do not give a formal model or a recommended solution to the problem. Many of these variables are not easy to quantify, and I have probably overlooked some of them. I will leave the creation of a more comprehensive or practically applicable model to subsequent authors.

If we ignore these issues, sooner or later they will inevitably confront us anyway. The emergence of sell-side liquidity for most of the market will entail the discovery of new types of attacks, which will most often target exchanges. In the same way, when large custodians and clearing houses start working with cryptocurrency deposits worth hundreds of millions or even billions of dollars, they will need to develop formal rules for what counts as settlement of transactions on blockchains. They should think seriously about the security of the blockchains they rely on.