Why is 6 the number of confirms that is considered secure?

114

23

Why is 6 the number of confirmations that is considered secure? I haven't found any mathematical explanation or otherwise that explains why it is 6 and not 5 or 7. Is there a historical reason for 6? Is there a specific way to calculate it so 6 is just a number that was chosen?

Well I have a coinbase transfer that's been pending for nearly 24 hours and it has 19 confirmations. Wtf. I could've just used a credit card for all this hassle – user609926 – 2018-01-06T09:43:30.443

20

Here are some of the relevant sections from Satoshi's paper: http://bitcoin.org/bitcoin.pdf

"11. Calculations We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. ... The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1. ... The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. ...

p = probability an honest node finds the next block

q = probability the attacker finds the next block

q_z = probability the attacker will ever catch up from z blocks behind

Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind ... the attacker's potential progress will be a Poisson distribution ... To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point.

Converting to C code..

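```c
#include <math.h>

/* q = probability the attacker finds the next block, z = blocks behind */
double AttackerSuccessProbability(double q, int z)
{
    double p = 1.0 - q;
    double lambda = z * (q / p);
    double sum = 1.0;
    int i, k;
    for (k = 0; k <= z; k++)
    {
        /* Poisson density for the attacker having made k blocks of progress */
        double poisson = exp(-lambda);
        for (i = 1; i <= k; i++)
            poisson *= lambda / i;
        sum -= poisson * (1 - pow(q / p, z - k));
    }
    return sum;
}
```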


Running some results, we can see the probability drop off exponentially with z."

6

Could you summarize the relevant part? – Chris Acheson – 2011-09-21T20:41:56.680

The conclusion is that the probability of someone being able to generate blocks drops off exponentially. We know they can in fact do this if they have 51% of the network. So it seems that if someone had say 10% of the network, they could pull off a double spend sometimes with 0 confirms, and the odds of them getting 2 blocks, or 3, or more...drops off exponentially. This is how I am interpreting this, I don't understand in detail the math he solves for. I'm still not seeing any rationale for 6 blocks, as opposed to 4 or 8. Perhaps there is none, and this was just a nice number that was picked. – osmosis – 2011-09-23T03:35:22.420

With 30% and 6 blocks the probability of success is much higher than 1/2000, it's closer to 13% (I'm interpolating from Satoshi's results). – Meni Rosenfeld – 2011-11-03T20:22:58.800

3

@MeniRosenfeld Crap you're right. I looked up wrong value. I am deleting my prior comment because it is factually wrong. – DeathAndTaxes – 2011-11-04T00:48:09.940

67

I believe this is addressed in page 8 of Satoshi's Bitcoin paper when showing the probability of an attacker catching up.

The wiki states:

"Only 6 blocks or 1 hour is enough to make reversal computationally impractical."

The key word is "impractical".

The important sentence in Satoshi's paper is:

"Assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution".

So, it is not that someone couldn't create the world's first and own a $50 million ASIC farm, so as to have the ability to overtake the blockchain from a fork six blocks prior, but that doing so would be a.) a massive undertaking, b.) obvious to all and c.) terrifically unprofitable to the attacker.

35

It's also noteworthy that it's largely understood to be "6 blocks or 1 hour" whichever is greater. One of the big misconceptions we've spent a long time fighting (especially in the case of alternate blockchains) is the idea that faster confirmations change anything. A network with a one-minute block time would require 60 confirmations to be considered secure, not 6. – David Perry – 2011-09-20T22:38:36.870

3

That helps some, but it opens up another question. Why is it that 1 hour is expected to be enough to make reversal computationally impractical? – osmosis – 2011-09-21T06:46:21.690

3

There's a lot of math behind it, but in my (limited) understanding the key is the Poisson Distribution bit. The chances of a modestly armed attacker getting "lucky" and successfully double-spending without having at least 51% of the network falls along such a distribution, and 60 minutes of computing time is the point at which it is adequately unlikely that a transaction may be undone (i.e. the point where the "long tail" of the distribution begins).

– David Perry – 2011-09-21T16:09:20.270

should I assume that David is correct rather than Meni since he's received more votes? – Griffin – 2013-07-13T01:53:28.470

6

@Griffin: Have a look at https://bitcoil.co.il/Doublespend.pdf and judge for yourself.

– Meni Rosenfeld – 2013-11-05T15:17:04.953

1

@MeniRosenfeld Thank you Meni Rosenfeld! I was plotting the relative suggested high confidence confirmation rates for bitcoin & litecoin, and extrapolating logarithmically, I came to the conclusion that a 1s transaction verification could be confirmed with the same confidence in 2.3 minutes. For vanity's sake, I'll assume you proved me right. ;)) – None – 2013-12-23T10:18:16.027

13

David, I'm afraid you're the one who has a misconception. The math parts which relate to the Poisson distribution and such talk about number of blocks, not time. 6 blocks is what guarantees that someone with, say, 10% of the hashrate, has a negligible chance to succeed double-spending. If each block is 1 minute then that's 6 minutes. The time (1 hour) only matters if we assume the attacker can't maintain his high hashrate for that long. – Meni Rosenfeld – 2011-11-03T14:30:55.120

43

Many people misquote Satoshi's paper and assume 6 is some hard value.

Satoshi's paper outlines the number of confirmations necessary to be 99.9% sure (less than 1 in 1000 chance of success) that an attacker couldn't build a longer chain to reverse the transaction.

http://bitcoin.org/bitcoin.pdf

```
P < 0.001
q=0.10   z=5
q=0.15   z=8
q=0.20   z=11
q=0.25   z=15
q=0.30   z=24
q=0.35   z=41
q=0.40   z=89
q=0.45   z=340
```


p is the chance of attacker eventually getting longer chain and reversing a transaction (0.1% in this case). q is the % of the hashing power the attacker controls. z is the number of blocks to put the risk of a reversal below p (0.1%).

So you can see if the attacker has a small % of the hashing power 6 blocks is sufficient. Remember 10% of the network at the time of writing is ~100GH/s. However if the attacker had greater % of hashing power it would take increasingly longer to be sure a transaction can't be reversed.

If the attacker had significantly more hashpower, say 25% of the network, it would require 15 confirmations to be sure (99.9% probability) that an attacker can't reverse it.

If the attacker has q of >50% ("the 51% attack") then given unlimited time the attacker will inevitably end up with the longest chain.

On edit: to clarify the "unlimited time": the chain with the higher hashrate will inevitably end up the longest; however, probability still comes into play. We cannot say with 100% certainty how long it will take; at best we can provide a confidence interval. If the attacker is just barely faster than the good miners (51% vs 49%) then it can take a very long time for an attacker to overcome a deficit of 6 blocks. The more the attacker dominates (i.e. 70% vs 30%), the quicker the 95% confidence interval is reached.

1

My point with unlimited time is that we don't know exactly how long it will take for an attacker to pull ahead. Even with >50% of the hashpower the attacker is still affected by luck (good or bad). The most that can be said is with a certain confidence interval. i.e. "With 95% confidence, an attacker with x% of the hashrate will have the longest chain after y blocks". At just above 50% hashrate the amount of time to have a 95% confidence is very long and even that isn't a guarantee. The chain with >50% hashrate will inevitably end up the longest but the time required is probabilistic. – DeathAndTaxes – 2013-12-03T17:20:47.000

Are these based upon test observations or an educated theory? – None – 2013-12-23T10:18:54.637

1

It is basic probability, I would call it math more than a theory however one could observe it using a Monte Carlo simulation. – DeathAndTaxes – 2013-12-23T16:08:41.120

If the attacker has a q >50%, he needs not unlimited time, but only enough time to produce more hashes than those contributed to the "honest" blockchain. – Streblo – 2012-10-16T22:36:10.337

10

The figure of 6 blocks is completely arbitrary. It is based on the assumptions that the attacker will not amass more than 10% of the network hashrate, and that a negligible chance of 0.1% for successfully double-spending is acceptable.

A more detailed analysis of this is available at Analysis of Hashrate-Based Double-Spending

1

With more confirmations, the probability of making a successful double-spend decreases. While it is possible to perform a double-spend with less than 51% of hashing power, it requires one to be luckier than the rest of the miners, i.e. solve blocks faster than others. This will go on forever (to be correct: it is very unlikely) so the attacker will not be able to fork the whole chain. With pools until very recently controlling 30-40% of total hashing power the 6-confirmation rule would not have been safe if the pool operator had decided to commit a malignant act.