Bitcoin Calculations
#bitcoin
#security
#probability
#poisson
#gambler-ruin
@Blockonomist | 2026-04-01 02:08:46
History:
v2 (2026-04-01) (Latest)
v1 (2026-04-01)
# 11. Calculations

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

> 💡 In plain terms
> An important clarification upfront: even if an attacker controls the majority of mining power, they cannot steal bitcoin from other people's wallets.
> They cannot create Bitcoin out of thin air.
>
> The only thing a majority attacker can do is attempt a "double-spend" on their own recent transactions — pay for something, receive the goods, then rewrite the recent blockchain to erase that payment as if it never happened.
>
> This is a serious concern, but it's a far more limited attack than people often imagine.
> The entire rest of the monetary system — everyone else's balances and transactions — remains completely intact.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.

The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven.
We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows:

- **p** = probability an honest node finds the next block
- **q** = probability the attacker finds the next block
- **q_z** = probability the attacker will ever catch up from z blocks behind

> 💡 In plain terms
> This is the mathematical heart of Bitcoin's security model.
>
> Think of it as a race:
> - The honest network keeps mining new blocks (moving the finish line forward)
> - The attacker mines a secret competing chain, trying to catch up
>
> If the attacker controls less than 50% of the mining power (q < p), each block is more likely to be won by the honest network.
> The attacker is like a gambler who loses slightly more often than they win — and the "Gambler's Ruin" theorem tells us that such a player will eventually go broke (fall infinitely behind) with probability 1.
>
> The critical insight: the probability of the attacker catching up drops exponentially with each confirmation block.
>
> This is why Bitcoin exchanges and merchants wait for "confirmations":
> - 1 confirmation: the transaction is in a block
> - 6 confirmations (~1 hour): the probability of reversal is negligibly small for any attacker with less than ~30% of total mining power

If p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

The recipient waits until the transaction has been added to a block and z blocks have been linked after it. The attacker's potential progress will follow a Poisson distribution with expected value λ = z(q/p).
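
The calculation described above, as an added Python example (not code from the original page): each possible attacker progress k is weighted by its Poisson probability with λ = z(q/p) and combined with the Gambler's Ruin chance of closing the remaining gap, (q/p)^(z−k). The function names, the `min_confirmations` helper, its `z_limit` search cap and the 0.1% risk threshold are assumptions of this example.

```python
import math

def poisson_pmf(k: int, lam: float) -> float:
    """Poisson probability of exactly k events, computed in log space."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))

def attacker_success_probability(q: float, z: int) -> float:
    """Chance an attacker with hash-power share q ever overtakes a z-block lead."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # no honest majority: the attacker always catches up
    ratio = q / p
    lam = z * ratio  # expected attacker progress while z blocks are mined
    total = 1.0
    for k in range(z + 1):
        # Attacker has mined k blocks and is z - k behind; from there the
        # Gambler's Ruin catch-up probability is ratio ** (z - k).
        total -= poisson_pmf(k, lam) * (1.0 - ratio ** (z - k))
    return max(total, 0.0)  # guard against tiny negative rounding error

def min_confirmations(q: float, max_risk: float, z_limit: int = 2000):
    """Smallest z with reversal probability below max_risk, else None."""
    if q >= 0.5 or max_risk <= 0.0:
        return None  # waiting longer cannot reach this target
    for z in range(z_limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None  # not reached within z_limit (assumed search cap)

if __name__ == "__main__":
    for q in (0.10, 0.30):
        print(f"q = {q:.2f}")
        for z in (0, 1, 2, 5, 10):
            print(f"  z = {z:2d}  P = {attacker_success_probability(q, z):.7f}")
        print(f"  confirmations for P < 0.1%: {min_confirmations(q, 0.001)}")
```
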
The results show the probability drop-off with z confirmations:

**q = 0.10 (attacker has 10% of mining power)**

| Confirmations (z) | Attack Success Probability |
|---|---|
| 0 | 1.0000000 |
| 1 | 0.2045873 |
| 2 | 0.0509779 |
| 5 | 0.0009137 |
| 10 | 0.0000012 |

**q = 0.30 (attacker has 30% of mining power)**

| Confirmations (z) | Attack Success Probability |
|---|---|
| 0 | 1.0000000 |
| 5 | 0.1773523 |
| 10 | 0.0416605 |
| 24 | 0.0024804 |
| 50 | 0.0000006 |

> 💡 In plain terms
> The table tells a clear story:
>
> Even if an attacker controls 30% of all Bitcoin mining power in the world — a formidable and expensive position — waiting for just 24 confirmations reduces their chance of success to 0.24%. Waiting for 50 confirmations makes it less than 1 in a million.
>
> With only 10% of mining power, 5 confirmations drops the risk to 0.09%.
>
> This is why different transaction sizes warrant different waiting times:
> - Small purchases (coffee): 1–2 confirmations is reasonable
> - Medium purchases: 3–6 confirmations is the common standard
> - Large transactions (property, large wire equivalents): 20+ confirmations
>
> The math gives you a precise, calculable security guarantee based on how long you're willing to wait.

> ⚡ Why It Works vs. Traditional Finance
> Bank fraud is mitigated through reversibility — charge-backs, fraud departments, insurance — all of which add cost and complexity, and none of which provide mathematical certainty.
>
> Bitcoin provides quantifiable, probabilistic security guarantees: you can calculate exactly how secure a transaction is based on the number of confirmations and the assumed attacker hash rate.
>
> No bank can tell you "the probability that this transfer will be reversed is less than 0.001%." Bitcoin can — and does — with public math, open for anyone to audit.