Close Latency--Security Trade-off for the Nakamoto Consensus

Bitcoin is a peer-to-peer electronic cash system invented by Nakamoto in 2008. While it has attracted much research interest, its exact latency and security properties remain open. Existing analyses provide security and latency (or confirmation time) guarantees that are too loose for practical use. In fact the best known upper bounds are several orders of magnitude larger than the well-known private-mining lower bounds. This paper describes a continuous-time model for blockchains and develops a rigorous analysis that yields very close upper and lower bounds for the latency--security trade-off. For example, when the adversary controls 10% of the total mining power and the block propagation delays are within 10 seconds, a Bitcoin block is secured with less than $10^{-3}$ error probability after 5 hours 20 minutes of confirmation time, or with less than $10^{-10}$ error probability after 12 hours 15 minutes. These confirmation times are merely a few hours away from their corresponding lower bounds. To establish the tight results, the mining of some special blocks are shown to be renewal processes. The moment generation functions of their inter-arrival times are derived in closed form. The general results are applied to study the latency--security trade-off of several well-known proof-of-work longest-chain cryptocurrencies. Guidance is also provided on how to set parameters for different purposes.