for a few bitcoins more · 2020-04-29 · for a few bitcoins more: fraud risk assessment within...

For a few bitcoins more:Fraud risk assessment within blockchain transactions

Pierre-Olivier Go�ard

Institut de Science Financière et d'Assurances

April 29, 2020

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 1 / 15

Questions

• What is bitcoin?

• What is the blockchain?

• Who is Satoshi Nakamoto?

• What is the double-spending problem?

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 2 / 15

Mining a block

Consider block number n,

• Miner compute the hash of the block as

f(n) ∼ {1, 2, . . . 2256}

• if f(n) < L, where L denotes the target, then the block ismined.

• Readjustment of the target every 2, 016 blocks

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 4 / 15

Double-spending

(1) Mary transfers 10 BTCs to John

(2) The honest transaction is recorded in the honest chain and Johnships the good.

(3) Mary transfers to herself the exact same BTCs

(4) The malicious transaction is recorded into a hidden, dark, secretchain• Mary has friends among the miners to help her out• The two chains are copycat up to the one transaction

Fact (Bitcoin has only one rule)

The longest chain is to be trusted

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 6 / 15

Satoshi's view on the double spending problem

Let

• {R(t) , t ∈ N} be the di�erence between the number of blocksin the honest chain and the dishonest chain.

Assume that

• R(0) = z ≥ 1 (the honest chain is z blocks ahead)

• at each time unit a block is created

↪→ in the honest chain with probability p↪→ in the dishonest chain with probability q = 1− p

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 8 / 15

The process {R(t) , t ∈ N} is a random walk on Z with

R(t) = z + Y1 + . . .+ Yt,

where Y1, . . . , Yt are the i.i.d. steps of the random walk.

• The double spending occurs at time

τz = inf{t ∈ N ; R(t) = 0}.

• The double-spending probability is given by,

P(τz <∞) =

(q

p

)z, if p > q.

S. Nakamoto.

Bitcoin: A peer-to-peer electronic cash system.

Available at https://bitcoin.org/bitcoin.pdf, 2008.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 9 / 15

Goal and scope of the paper

Re�ne the model underlying the double spending problem

• Let the length of honest and dishonest chain be driven bycounting processes

• Honest chain ⇒ {z +N(t) , t ≥ 0}, where z ≥ 1.

• Malicious chain ⇒ {M(t) , t ≥ 0}• Study the distribution of the �rst-rendez-vous time

τz = inf{t ≥ 0 , M(t) = z +N(t)}.

Pierre-O. Go�ard.Fraud risk assessment within blockchain transactions.Advances in Applied Probability, 51(2):443�467, 2019.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 10 / 15

t

n

∆T1

∆T2

∆S1

∆S2

∆S3

∆S4

∆S5

S1

•S2

•S3

•S4•

T1

•

1−

2−

z = 3−

4−

τz×

Figure: (blue) trajectory of the process {z +N(t) , t ≥ 0}, (red) trajectory of the process{M(t) , t ≥ 0}

Risk theory 101

De�ne the risk process as

R(t) = z + p(t)− L(t), t ≥ 0.

• z is the initial reserve,

• p(t) is the premium income (= c× t),• L(t) is the liability

(=∑N(t)

k=1 Uk

).

S. Asmussen and H. Albrecher.Ruin Probabilities.World Scienti�c, Singapore, 2010.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 12 / 15

Risk theory 101

De�ne the ruin time as

τz = inf{t ≥ 0 ; R(t) ≤ 0},

and the ultimate ruin probability as P(τz <∞).

FactThe �rst-rendez-vous time

τz = inf{t ≥ 0 ; M(t) = z +N(t)}

is the ruin time associated to the risk process

R(t) = z +N(t)−M(t), t ≥ 0.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 13 / 15

Poisson processes

Suppose that

N(t) ∼ Pois(λt) and M(t) ∼ Pois(µt)

such that λ > µ.

⇒ The di�erence of two Poisson processes is Lévy, thus

P(τz <∞) =(µλ

)z.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 14 / 15

Conclusion

• Interesting research topic and research questions

Rodney Garratt and Maarten RC van Oordt.Why �xed costs matter for proof-of-work based cryptocurrencies.Available at SSRN, 2019.

• Interesting case: Non-homogeneous Poisson process

λ(t) =H(t)L(t)

2256

R Bowden, HP Keeler, AE Krzesinski, and PG Taylor.Block arrivals in the bitcoin blockchain.arXiv preprint arXiv:1801.07447, 2018.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

De�nition (Renewal process)

{N(t) , t ≥ 0} is a renewal process if the inter-arrival times{∆T

k , k ≥ 1} are i.i.d..

De�nition (Order Statistic Point Process)

{N(t) , t ≥ 0} is an OSPP if the arrival times satis�es

[T1, . . . Tn|N(t) = n]D= V1:n, . . . , Vn:n

where V1:n, . . . , Vn:n are the order statsitics of n i.i.d. randomvariables on (0, t) with c.d.f. Ft(s), for s ≤ t.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

Risk Theory 101

Theorem (Wald exponential Martingale)

If {S(t) , t ≥ 0} is a Lévy process or a random walk then

{exp [θS(t)− tκ(θ)] , t ≥ 0}, is a martingale,

where κ(θ) = logE(eθS(1)

).

Let γ be the unique non-negative solution of κ(θ) = 0.

Fact

{eγS(t) , t ≥ 0} is a martingale!

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

Risk Theory 101

Theorem (Representation of the ruin probability)

If

• S(t)a.s.→ −∞,

• There exists γ > 0 such that {eγS(t) , t ≥ 0} is a martingale

then

P(τz <∞) =e−γz

E [eγξ(z)|τz <∞],

where

ξ(z) = S(τz)− z denotes the de�cit at ruin.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

Renewal processes

Assume that {N(t) , t ≥ 0} and {M(t) , t ≥ 0} are two renewalprocesses.

• The risk reserve process is R(t) = z +N(t)−M(t).

• The claim surplus process is S(t) = M(t)−N(t).

Assumptions

(A1) E(∆S) > E(∆T ),

(A2) The equation

logE[eθ(∆

S−∆T )]

= 0,

has a unique non-negative solution γ.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

Renewal processes

Theorem (Cramèr-Lundberg bound)

The probability of successful double spending attack is bounded as

P(τz <∞) < E(e−γ∆S

)z−1

.

Ingredient of the proof

• Duality, swapping the role of space and time

• Plain risk theory

• full details in [?]

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

t

n

S1

•S2

•S3

•S4

• S5•T1

•T2

•1−2−3−

z = 4−5−6−

τz×

t

n

S1

•S2

•S3

•S4

• S5•T1

•T2

•1−2−3−

z = 4−5−6−

τ̃z×

tt̃

n

S1•S2•S3•S4•S5•

T1•

T2•

1•

2•

z − 1•

4•

5•

n

t̃

Sz−1 = S3•S4•SσSz−1

+z−1 = S5•

T1•

T2•

1•

σSz−1•3•

LaGau�re DualityDe�ne the discrete-time risk process

R∗(n) = Sz−1 +n∑k=1

(∆Sz−1+k −∆T

k ), n ≥ 1.

The ruin time is de�ned as

σSz−1 = inf{n ≥ 1 ; R∗(n) ≤ 0},

and the claim surplus process is given by

S∗(n) =n∑k=1

(∆Tk −∆S

z−1+k).

We have thatτz

a.s.= SσSz−1+z−1

,

and thereforeP(τz <∞) = P(σSz−1 <∞).

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

End of the proof

Assumptions

(A1) E(∆S) > E(∆T ),

(A2) The equation

logE[eθ(∆

S−∆T )]

= 0,

has a unique non-negative solution γ.

• (A1) implies that S∗(n)a.s.→ −∞.

• (A2) implies the existence of γ > 0 such that

κ(θ) = log[eθS

∗(1)]

= 0.

• Conditionning upon the values of Sz−1 yields

P(σSz−1 <∞) =E(e−γSz−1)

E[eγξ(Sz−1))

∣∣σSz−1 <∞] < E

(e−γ∆S

)z−1

.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

P.d.f. of τz

TheoremIf {N(t) , t ≥ 0} is an OSPP and {M(t) , t ≥ 0} is a renewal process then the p.d.f. of τz is

given by

fτz (t) = E[(−1)N(t)hN(t)(t, z)f

∗[N(t)+z]

∆S (t)], t ≥ 0,

where

hn(t, z) = E{Gn[0∣∣Ft(Sz), . . . , Ft(Sn+z−1)

] ∣∣∣Sn+z = t},

and Gn(0|.) is an Abel-Gontcharov polynomial .

CorollaryIf {N(t) , t ≥ 0} is a mixed Poisson process then the p.d.f. of τz is given by

fτz (t) = E[

z

z +N(t)f∗[N(t)+z]

∆S (t)

], for t ≥ 0.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15

S.f. of τz

TheoremIf {N(t) , t ≥ 0} and {M(t) , t ≥ 0} are two OSPPs then the s.f of τz is given by

P(τz > t) = E(AM(t)

{1∣∣0, . . . , 0, F ∗

t [V1:N(t)], . . . , F∗t [VM(t)+1−z:N(t)]

}IM(t)≤N(t)+z−1

),

for t ≥ 0, where An(1|.) is an Appell polynomial.

CorollaryAssume that z = 1. If {N(t) , t ≥ 0} and {M(t) , t ≥ 0} are two OSPPs such thatFt(s) = F ∗

t (s) for every s ≤ t then the s.f. of τ1 is given by

P(τ1 > t) = E(N(t)−M(t) + 1

N(t) + 1IM(t)≤N(t)

), for t ≥ 0.

Pierre-Olivier Go�ard (ISFA) For a few bitcoins more: April 29, 2020 15 / 15