How secure is a multi-million transaction in Bitcoin?

Adrian Keller Partner and Leader Audit for Blockchain, PwC Switzerland 10 Nov 2020

It’s often argued that Bitcoin is secure because of the immutability of the blockchain on which the currency is built. That’s all well and good. But for many people, Bitcoin is still a new and unfamiliar technology of which they may be suspicious, and anyone conducting transactions where there’s a large amount of money at stake – for example a multi-million Bitcoin payment – is going to want more credible assurance that things really are secure. Providing such assurance involves understanding the technology and what is actually required to hack it. In this article we take a closer look at the mechanisms involved and discuss how the risks can be quantified – and under what circumstances a Bitcoin transaction can be deemed secure.

The security of a Bitcoin transaction depends, among other things, on the immutability of the underlying blockchain, which is ensured by proof-of-work: appending a new block is computationally expensive, such that the costs of modifying a block with several confirmations (subsequent blocks) should be prohibitive. But for a multi-million transaction, how many confirmations makes the costs really prohibitive?

An attack against proof-of-work consists of the following steps: first executing a payment, then waiting for the number of confirmations agreed upon with the receiver, and finally providing an alternative longer (thus prevailing) version of the blockchain not containing the payment in question (which is then erased). Hence, the attacker must compute a longer fork starting before the block containing the payment in question, and is thus in a race against the main blockchain, which keeps growing. A not-so-good strategy would be for the attacker to start computing the fork only after the required number of confirmations is reached: then, the attacker begins behind, and must catch up in order to rewrite the history. A better strategy would be for the attacker to start computing as soon as the payment is executed: then, the attacker does not begin behind, and must only keep pace in order to write an alternative present. That is already a significant improvement, but the idea of starting computing as soon as possible can be pushed even further.

The most effective attack strategy

The most effective strategy is for the attacker to start computing a fork before executing the payment: then the attacker need not start the fork from a fixed block in order to forewrite the future. Indeed, any longer fork (not containing the planned payment, of course) suffices, so that whenever the attacker falls behind, the attacker can restart growing a fork from the topmost block of the main blockchain, rejoining instantaneously instead of catching up. This way, the attacker is provably certain to obtain a fork of any given lead, independently of the computing power available! It is just a matter of time... And ultimately of costs. Therefore, determining the average time needed for an attacker with given computing power to succeed is a key figure for assessing the security of a multi-million Bitcoin payment. Namely, the attack is not expected to be profitable if the average costs exceed the payment in question.

Quantifying the costs of a 50% attack

For quantifying the average costs of the attack considered (forewriting the future), the computing power of the attacker and of the main blockchain, respectively, needs to be estimated, as well as the corresponding costs per time unit. For instance, assuming that the attacker has the same computing power as the main blockchain (50% attack), and that the attacker's target is a fork which is n blocks longer, the average time of computing such a fork is the average time for the main blockchain to compute n·(n+1)/2 blocks. That is, the costs of such a 50% attack increase quadratically with the number of confirmations required by the receiver.
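The restart strategy described above and the quadratic cost of the 50% case, as an added example (not code from the article or from the PwC paper): it models the attacker's lead over the public tip as the Markov chain the text describes, solves it in closed form for an arbitrary attacker share q of the total hash rate, and checks the result by simulation. The 10-minute block interval and the per-block mining cost are assumed inputs, not values from the article.

```python
import random

BLOCK_INTERVAL_MIN = 10.0  # honest network's average block time (assumed, not a page value)

def expected_steps(n: int, q: float) -> float:
    """Expected number of blocks mined on both chains until the attacker's
    private fork is n blocks ahead of the public tip.
    Each new block is one step: with probability q it is the attacker's
    (lead k -> k+1), otherwise the honest chain's (lead k -> k-1). At lead 0
    an honest block costs nothing: the attacker restarts from the new tip.
    With T_k = expected remaining steps from lead k (T_n = 0):
        T_k = 1 + q*T_{k+1} + (1-q)*T_{k-1}   for 0 < k < n
        T_0 = 1 + q*T_1     + (1-q)*T_0       (restart rule)
    The decrements D_k = T_k - T_{k+1} satisfy D_0 = 1/q and
    D_k = (1 + (1-q)*D_{k-1}) / q, so T_0 = D_0 + ... + D_{n-1}.
    For q = 1/2: D_k = 2(k+1), T_0 = n(n+1), half of them honest blocks.
    """
    if not 0 < q < 1 or n < 1:
        raise ValueError("need 0 < q < 1 and n >= 1")
    total, d = 0.0, 1.0 / q
    for _ in range(n):
        total += d
        d = (1.0 + (1.0 - q) * d) / q
    return total

def expected_minutes(n: int, q: float) -> float:
    """Expected wall-clock time: the honest chain mines a (1-q) share of all
    blocks, one per BLOCK_INTERVAL_MIN on average."""
    return expected_steps(n, q) * (1.0 - q) * BLOCK_INTERVAL_MIN

def attack_cost(n: int, q: float, cost_per_block: float) -> float:
    """Expected attacker spend. cost_per_block is what the honest network pays
    to mine one block (assumed input); the attacker mines a q share of all
    steps at the same per-block cost, so spend = attacker blocks * cost."""
    return expected_steps(n, q) * q * cost_per_block

def simulate_steps(n: int, q: float, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_steps under the same restart rule."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        lead = 0
        while lead < n:
            total += 1
            if rng.random() < q:
                lead += 1
            elif lead > 0:  # at lead 0 an honest block only moves the restart point
                lead -= 1
    return total / trials
```

For six confirmations and a 50% attacker, expected_steps(6, 0.5) returns 42 blocks in total, i.e. 21 = 6·7/2 honest blocks or about 210 minutes, matching the figure in the text.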

Comprehensive analysis of an attack

But, in a general setup, how high are the average costs of such an attack? And what is the probability for the attacker to succeed in a given time? The Blockchain team at PwC Zurich has analyzed the Markov process behind such an attack in https://eprint.iacr.org/2020/1367.pdf, where these questions are investigated in depth, as well as further related optimization problems (for instance, what is the optimal computing power for an attacker?); in particular, explicit formulae are given for quantifying the essential characteristics of the attack considered. This knowledge enables PwC to assess under what circumstances a multi-million Bitcoin payment can be deemed secure.
