Talk is from 1:25pm to 2:15pm
Joint work with George Bissias, Pinar Ozisik, Gavin Andresen, and Amir Houmansadr
Bitcoin is a protocol for exchanging a digital currency via a "blockchain-based" distributed consensus algorithm. In these systems, transactions move coin from, for example, a consumer to a merchant by writing the transaction to a chain of blocks. Bitcoin and other blockchain systems offer little clarity on how merchants can avoid "double-spend" attacks in which, after the consumer receives the goods, she uses resources to rewrite the chain as if her money was never spent. The basic defense against double spending is for merchants to not transfer goods to the consumer until the associated transaction is z blocks deep in the chain.
In this talk, we answer the question, how large should z be given the value of the transaction? The results quantify Bitcoin's security in economic terms for the first time. We show that the correct attacker model considers not just the depth of the block and the attacker's mining power, but also the summed value of coin that is exchanged between individuals (turnover) in the z blocks, as well as each block's coinbase reward.
To give a concrete example, an attacker with resources equal to about 1% of the current mining power (perhaps obtainable via a botnet) can expect to profit from attempting the double-spend attack on transactions worth about 12 BTC or less (roughly US$7k). However, to protect against attacks supported by the most powerful mining pools (with about 20% of the mining power), transactions worth 1,000 BTC or less (roughly US$650,000) need to be at least 5 blocks deep.