
Difficulty control for blockchain-based consensus systems

Daniel Kraft
- 01 Mar 2016 - 
- Vol. 9, Iss: 2, pp 397-413
TLDR
This work models mining as a Poisson process with time-dependent intensity and uses this model to derive predictions about block times for various hash-rate scenarios, and analyses Bitcoin’s method to update the “network difficulty” as a mechanism to keep block times stable.
Abstract
Crypto-currencies like Bitcoin have recently attracted a lot of interest. A crucial ingredient into such systems is the “mining” of a Nakamoto blockchain. We model mining as a Poisson process with time-dependent intensity and use this model to derive predictions about block times for various hash-rate scenarios (exponentially rising hash rate being the most important). We also analyse Bitcoin’s method to update the “network difficulty” as a mechanism to keep block times stable. Since it yields systematically too fast blocks for exponential hash-rate growth, we propose a new method to update difficulty. Our proposed method performs much better at ensuring stable average block times over longer periods of time, which we verify both in simulations of artificial growth scenarios and with real-world data. Besides Bitcoin itself, this has practical benefits particularly for systems like Namecoin. It can be used to make name expiration times more predictable, preventing accidental loss of names.


Difficulty Control for Blockchain-Based Consensus Systems
Daniel Kraft
University of Graz
Institute of Mathematics, NAWI Graz
Universitätsplatz 3, 8010 Graz, Austria
Email: daniel.kraft@uni-graz.at
March 18th, 2015
Keywords: Crypto-Currency, Bitcoin Mining, Namecoin, Nakamoto Blockchain, Poisson Process
Published by Springer in Peer-to-Peer Networking and Applications, DOI 10.1007/s12083-015-0347-x.
The final publication is available at http://link.springer.com/article/10.1007/s12083-015-0347-x.
1 Introduction
In recent years, so-called “crypto-currencies” have attracted a growing amount of interest from various communities.
Among them, Bitcoin [14] is the most widely known and the initial system that managed to provide a
digital payment and money system without any central instance, clearing house or issuer of monetary tokens.
Instead, all transactions are performed and validated by a peer-to-peer system, where each node is “equal” and
none has any special authority.
Roughly speaking, the system works by keeping a global ledger with “account balances”, where each account
(Bitcoin address) is represented by an asymmetric cryptographic key pair. Transactions can only be performed
by the owner of the private key, since other network participants only accept them as valid if they carry a valid
signature for the address’ public key. A major difficulty, however, is to ensure that the entire peer-to-peer network
reaches a consensus about the current state of the ledger. In particular, the owner of an address may create two
mutually conflicting transactions, spending the same balance twice to different recipients. This may lead to some
parts of the network considering the first recipient to be the new owner of the coins and rejecting the second
transaction, while the other part of the network has it the other way round. This is called double spending.
Earlier proposals for digital payment systems, such as Chaumian cash [5], had to rely on central instances to
detect and prevent double spending attempts.
Bitcoin’s main innovation is the introduction of a proof-of-work system similar to HashCash [3] that allows
the network to reach consensus even in the face of potential double spendings and in a completely decentralised
fashion. A brief introduction into the basic mechanics of this process, called mining, is given in Section 2. Roughly
speaking, mining network participants use their processing power to solve a proof-of-work puzzle. Whenever a
solution is found, a new block is generated and attached to the so-called blockchain. This data structure represents
the network’s consensus about the transaction history. If a node manages to find a new block, it is allowed to
award itself a certain number of bitcoins. This creates strong economic incentives for the network as a whole to
find a consensus. As more and more processing power is added to the network, the rate at which new blocks are
found increases. This is undesirable, because it increases the amount of newly created bitcoins on one hand, and
also causes problems due to network latency on the other hand. A thorough investigation of the latter issue can
be found in [7]. Thus, the Bitcoin network regulates the block frequency by adjusting the proof-of-work difficulty
dynamically.
In this paper, we want to present a mathematical model for the mining process itself and use it to analyse
the properties of Bitcoin’s algorithm for retargeting the difficulty. We will particularly focus on the case of
exponentially rising hash rate, which is the situation observed in practice in accordance with Moore’s law [13].
We will see that Bitcoin’s retargeting method yields blocks that are found too frequently in this situation. This
is empirically well known in the Bitcoin community and not considered a big problem. However, it can pose
a bigger problem for applications based on the same technology but with different goals. In particular, the
blockchain system can also be used to create a naming system that goes beyond “Zooko’s triangle” [20], [19]:
In Namecoin [1], a Nakamoto blockchain is used to provide a name-value database that is secure, completely
decentralised and allows for human-readable names. This has a lot of very interesting potential applications,
including an alternative to centralised domain-name systems and the secure exchange of public keys linked
to human-readable identity names. To prevent names from being lost forever if the owner’s private key is lost
accidentally, names in Namecoin expire after a certain number of blocks (currently 36,000) if they are not renewed
in time. Blocks that are constantly found too frequently cause the expiration to happen too early in terms of
real time. Consequently, name owners that are not cautious enough risk missing the renewal deadline and losing
their names. While individual block times are, of course, random, fluctuations average out over a full expiration
period of many blocks. It is thus very desirable to better understand the systematic “error” introduced by the
difficulty-retargeting algorithm and, potentially, remove it by choosing a different method for controlling the
difficulty. This allows expiration times to be matched better to real time, which is much easier to handle for users of
the system.
To put our work into perspective, we would also like to refer to other recent publications concerning Bitcoin
mining: [4], [11], [16], [18]. All of them deal with possible attacks on mining that would allow an attacker to
double spend transactions, which is a different focus from our work. Most of the models used in the literature to
discuss such attacks assume that mining difficulty is constant. Consequently, the difficulty-update mechanism is
not taken into account at all. We, on the other hand, are not interested in double-spending attacks. Our focus
is the explicit modelling of the difficulty update, which is a feature that sets our model apart from those existing
in the literature. It is also worthwhile to mention that there exists a variety of forks of the Bitcoin code and
network. Some of these so-called “altcoins” also implement changes to the difficulty update. However, we are
not aware of any academic literature analysing or modelling the changed methods. Instead, changes are mostly
made in an empirical, ad-hoc fashion. The goal of these changes is to counteract extreme difficulty changes on
a short time scale if miners quickly switch between different networks. Our work is different, since we assume a
stable base of mining power, and are interested in the behaviour of the difficulty on much longer time scales.
Section 3 will be devoted to modelling the mining process itself without considering difficulty changes. In
Section 4, Bitcoin’s difficulty-update method will be analysed, and in Section 5, we propose an improved update
formula. Section 6 and Section 7, finally, will be used to analyse our models both in theory and with practical
simulations (including for real-world data).
2 Bitcoin Mining and the Blockchain
Before we start our modelling, let us briefly describe how the mining process works. For a thorough discussion
of the involved concepts, see chapters 2, 7 and 8 of [2]. A description can also be found in subsection 2.1 of [11]
and section 2 of [16]. The original introduction of the concept is section 4 of the Bitcoin whitepaper [14].
All transactions that change the distributed Bitcoin ledger are grouped into blocks. Each block represents
thus an “atomic update” of the ledger’s state. In order for a block to be valid, it has to fulfil a proof-of-work
condition: A particular cryptographic hash involving the block’s content is formed, and must be below a threshold
value. In other words, nodes wishing to publish new blocks have to do a brute-force search for a partial hash
collision. This ensures that a block cannot be changed without redoing all the work involved in finding this hash
collision.
In addition to current transactions, each block also contains a reference to a preceding block. In other words,
from a given block, a chain of other blocks linking it to the initial network consensus (the genesis block that is
hardcoded into the Bitcoin client) can be constructed. Such a data structure is called a Nakamoto blockchain.
Following the chain of blocks and performing the encoded transactions allows one to construct a precisely defined
state of the global ledger corresponding to each block. The client is designed to always look for the “longest”
branch in the tree of all known blocks. (Actually, the branch which contains the most proof-of-work. But for a
basic understanding, one can very well imagine it to be the longest branch.) The ledger state corresponding to
this longest branch is considered the “true” state. Furthermore, mining nodes also always build their new blocks
onto the longest known chain.
This has an important implication: Assume an attacker wants to revert a transaction to reclaim ownership
over bitcoins that were already spent. In order to construct such an “alternative reality” and to have the network
accept it, the attacker now has to build a chain of blocks forking off the main chain before the point in time
when the coins were spent. But the alternative chain will only be accepted if it becomes longer than the already
existing chain. Since this requires redoing all the proof-of-work that was involved in the main chain, the attack
will only succeed with non-vanishing probability if the attacker controls more processing power than the entire
“honest” network combined. (This is called a “51% attack”.) In practice, this is almost impossible to do given
the existing mining power of the Bitcoin network.
3 Modelling the Mining Process
Now, we are ready to derive a general stochastic model for the mining process described in Section 2. In
particular, we will argue that the mining of blocks can be described by an inhomogeneous Poisson process (see,
for instance, [17] for a general discussion). Our model will consider the hash rate R(t) as well as the network
difficulty D as given input parameters, and we will derive the probability distribution of the resulting individual
block times, the time for M blocks (corresponding to the expiration period), and their expectation values. Later
on, starting in Section 4, we will consider concrete scenarios for R(t) as well as letting D be controlled by some
retargeting algorithm. (In other words, D will depend, in turn, on the realised block times.) An overview of the notation
used in the models throughout this and the following sections can be found in Appendix A.
As we have seen above, solving the proof-of-work process for a valid block works by calculating cryptographic
hashes in a brute-force way. We may assume that each hash value is drawn from a uniform distribution, say
on the interval $[0, 1]$. A block is found if the drawn value is less than a target value, which is usually expressed
in terms of the network difficulty $D > 0$ as $\frac{1}{D}$. Thus, each hash attempt yields a valid block with probability
$p = \frac{1}{D}$. (In practice, the possible hash values are actually 256-bit integers and difficulty is measured in other
units. However, this does not matter for our considerations here, other than a constant factor.) From these
assumptions, it follows that the number $N(t)$ of blocks found after some time $t$ is described by a Poisson process.
If we denote the frequency of hashes calculated per time by $R(t)$, then the intensity of this process is given by
$$\lambda(t) = R(t)\,p = \frac{R(t)}{D}.$$
We are mainly interested in the time for finding $M$ blocks. If we denote the interarrival times of $N$ by $X_i$, $i \in \mathbb{N}$,
then the time for $M$ blocks is the random variable
$$S_M = X_1 + X_2 + \cdots + X_M = \sum_{k=1}^{M} X_k.$$
The following result is well-known, and can be found, for instance, in [17]:
Theorem 1. Let $\lambda$ be continuous as function of $t$ and define
$$m(t) = \int_0^t \lambda(\tau)\,d\tau.$$
We will also assume that $m$ is strictly increasing (thus bijective) and that $\lim_{t\to\infty} m(t) = \infty$.
The probability distribution of $S_M$ is then given by
$$P(S_M \le t) = P(N(t) \ge M) = \sum_{k=M}^{\infty} \frac{m(t)^k}{k!}\, e^{-m(t)}.$$
It can be described by the density function
$$f(S_M, t) = \lambda(t)\, e^{-m(t)}\, \frac{m(t)^{M-1}}{(M-1)!}. \tag{1}$$
The next goal will be to calculate (as far as possible) the expectation value $E(S_M)$. As a first step, note that
the substitution $u = m(t)$ can be used to calculate
$$\int_0^t \lambda(\tau)\, e^{-m(\tau)}\, m(\tau)^{M-1}\,d\tau = -\Gamma(M, m(\tau))\Big|_0^t. \tag{2}$$
Here, $\Gamma(\cdot, \cdot)$ denotes the incomplete gamma function. For more details, see Chapter 8 of [8]. Noting that
$\Gamma(M, 0) = \Gamma(M) = (M-1)!$, this relation also implies that (1) is properly normalised.
[Figure 1 panels: (a) $I_M$ and $h_M / (M-1)!$ for $M = 50$; (b) scaled $I_M$ for $M = 5$, $M = 30$, $M = 100$, $M = 500$.]
Figure 1: The functions $I_M$ and $h_M$ for $M = 50$ (left), and $\tilde{I}_M$ for different values of $M$ (right).
Lemma 1. Under the conditions of Theorem 1,
$$\int_0^t \tau f(S_M, \tau)\,d\tau = -\frac{\tau}{(M-1)!}\,\Gamma(M, m(\tau))\Big|_0^t + \frac{1}{(M-1)!}\int_0^t \Gamma(M, m(\tau))\,d\tau. \tag{3}$$
If we assume in addition that $\lambda(t) \ge \underline{\lambda}$ for $t \to \infty$ and some $\underline{\lambda} > 0$, then this gives in particular:
$$E(S_M) = \frac{1}{(M-1)!}\int_0^{\infty} \Gamma(M, m(\tau))\,d\tau \tag{4}$$
Proof. (3) follows via integration by parts and (2). For $E(S_M)$, note that the additional assumption ensures that
$m(t) \ge \underline{\lambda}\, t + C$, which in turn gives
$$\lim_{t\to\infty} t \cdot \Gamma(M, m(t)) = 0.$$
This implies that the boundary term vanishes, yielding (4).
Before we continue by examining concrete scenarios for the hash-rate development, we would like to stress
that (4) is, unfortunately, hard to calculate for non-trivial functions $m$. However, note that the integrand (with
$x$ instead of $m(\tau)$) can be more explicitly written as
$$I_M(x) = \frac{\Gamma(M, x)}{(M-1)!} = \frac{\Gamma(M, x)}{\Gamma(M, 0)} = \frac{\int_x^{\infty} \tau^{M-1} e^{-\tau}\,d\tau}{\int_0^{\infty} \tau^{M-1} e^{-\tau}\,d\tau} = \frac{\int_x^{\infty} h_M(\tau)\,d\tau}{\int_0^{\infty} h_M(\tau)\,d\tau},$$
where we have introduced the auxiliary function $h_M(\tau) = \tau^{M-1} e^{-\tau}$. In particular $I_M(x) \in (0, 1]$ for all $x \ge 0$,
and $I_M$ is strictly decreasing with $I_M(0) = 1$ and $I_M(x) \to 0$ asymptotically as $x \to \infty$. This behaviour can also
be clearly seen in Figure 1a, which shows $I_M$ and $h_M$ for $M = 50$. The range where $I_M$ shows the transition from
1 to 0 is where $h_M$ provides non-vanishing “mass” in the integral, so roughly “around” the maximum of $h_M$.
Lemma 2. $h_M$ has its global maximum at $\tau_0 = M - 1$.
It is strictly increasing on $[0, \tau_0]$ and strictly decreasing on $[\tau_0, \infty)$.
Proof. This follows immediately when considering the sign of $h_M'(\tau) = \tau^{M-2} e^{-\tau} (M - 1 - \tau)$.
These considerations motivate us to scale the argument of $I_M$ such that the transition happens, for all values
of $M$, at the same position. Thus, let us introduce $\tilde{I}_M(x) = I_M((M-1)x)$. This function is shown in Figure 1b
for different values of $M$. One can clearly see that it approaches the step function
$$I_\infty(x) = \begin{cases} 1 & x < 1 \\ 0 & x > 1 \end{cases}$$
in the limit $M \to \infty$. Also note that the values of $M$ that are of practical interest are even larger than the ones
shown in the plot. For instance, $M = 2{,}016$ is the number of blocks between changes to the difficulty in the
Bitcoin protocol. Hence, it makes sense to simplify the calculation of (4) by approximating $\tilde{I}_M \approx I_\infty$. To further
justify this approximation, we can also show a formal convergence property:
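Lemma 3. With the notations as above:
1. $\lim_{M\to\infty} (M-1)\,\frac{h_M((M-1)\tau)}{(M-1)!} = 0$ for all $\tau \ge 0$, $\tau \ne 1$.
2. $\tilde{I}_M \to I_\infty$ as $M \to \infty$, pointwise for all $x \ge 0$, $x \ne 1$.
Proof. The first part is trivial for $\tau = 0$. For $\tau > 0$ and $\tau \ne 1$, note that
$$1 + \log\tau - \tau < 0 \quad\text{and}\quad M! \sim \sqrt{2\pi M}\cdot M^M e^{-M}.$$
The latter is a version of Stirling’s approximation (see 5.6.1 in [8]). Thus we get
$$\lim_{M\to\infty} (M-1)\,\frac{h_M((M-1)\tau)}{(M-1)!} = \lim_{M\to\infty} M\,\frac{h_{M+1}(M\tau)}{M!} = \lim_{M\to\infty} \frac{M (M\tau)^M e^{-M\tau}}{\sqrt{2\pi M}\cdot M^M e^{-M}} = \lim_{M\to\infty} \sqrt{\frac{M}{2\pi}}\cdot e^{M(1+\log\tau-\tau)} = 0.$$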
For the second part, assume first that $x > 1$ is fixed. Then
$$\tilde{I}_M(x) = \int_{(M-1)x}^{\infty} \frac{h_M(\tau)}{(M-1)!}\,d\tau = \int_x^{\infty} (M-1)\,\frac{h_M((M-1)\tau)}{(M-1)!}\,d\tau. \tag{5}$$
Furthermore, if $\tau \ge x > 1$ and $M$ is sufficiently large,
$$\sqrt{M}\cdot e^{M(1+\log\tau-\tau)} = \exp\left(\frac{\log M}{2} + M(1+\log\tau-\tau)\right) = \exp\left(M\left(\frac{1}{2}\frac{\log M}{M} + 1 + \log\tau - \tau\right)\right) \le \exp\left(\frac{1}{2}\frac{\log M}{M} + 1 + \log\tau - \tau\right) \le e^{2+\log\tau-\tau}.$$
Since this function is integrable over $\tau \in [1, \infty)$, we can use Lebesgue’s dominated convergence theorem
(Theorem 3 on page 20 of [10]) to get $\tilde{I}_M(x) \to 0$ as $M \to \infty$ by applying the first part to (5).
It remains to show $\tilde{I}_M(x) \to 1$ if $x < 1$. For this, note first that
$$\tilde{I}_M(x) = 1 - \int_0^{(M-1)x} \frac{h_M(\tau)}{(M-1)!}\,d\tau = 1 - \int_0^x (M-1)\,\frac{h_M((M-1)\tau)}{(M-1)!}\,d\tau.$$
Consequently, it suffices to show
$$\lim_{M\to\infty} \int_0^x (M-1)\,\frac{h_M((M-1)\tau)}{(M-1)!}\,d\tau = 0.$$
If we use monotonicity of $h_M$ (see Lemma 2), it follows that the integrand can be estimated by its value at the
upper boundary. Hence
$$\int_0^x (M-1)\,\frac{h_M((M-1)\tau)}{(M-1)!}\,d\tau \le x\cdot(M-1)\,\frac{h_M((M-1)x)}{(M-1)!} \to 0$$
according to the first part.
Having this result in hand, we can use $\tilde{I}_M \approx I_\infty$ also for still finite values of $M$ to approximate $E(S_M)$. To
apply this in a concrete situation, the following reformulation of (4) is useful:
Lemma 4. Assume that the conditions of Theorem 1 are satisfied and that $\lambda(t) \ge \underline{\lambda}$ for all $t \ge 0$ and some
$\underline{\lambda} > 0$. Then, with the notation from above,
$$E(S_M) = (M-1)\int_0^{\infty} (m^{-1})'((M-1)u)\cdot\tilde{I}_M(u)\,du. \tag{6}$$
Proof. Note first that our conditions ensure that $m$ is strictly increasing, thus $m^{-1}$ exists. Since $m'(\tau) =
\lambda(\tau) \ge \underline{\lambda} > 0$ holds true for all $\tau$, also $m^{-1}$ is continuously differentiable. Thus we can apply the substitution
$\tau = m^{-1}((M-1)u)$, which turns (4) into (6).
Finally, if we replace $\tilde{I}_M$ by $I_\infty$ in (6), we get
$$E(S_M) \approx (M-1)\int_0^1 (m^{-1})'((M-1)u)\,du = \int_0^{M-1} (m^{-1})'(\tau)\,d\tau = m^{-1}(M-1). \tag{7}$$
References
Journal Article

Cramming More Components onto Integrated Circuits

Gordon E. Moore
- 01 Jan 1965 - 
TL;DR: Integrated circuits will lead to such wonders as home computers or at least terminals connected to a central computer, automatic controls for automobiles, and personal portable communications equipment as discussed by the authors. But the biggest potential lies in the production of large systems.
Book

Measure theory and fine properties of functions

TL;DR: In this article, the authors define and define elementary properties of BV functions, including the following: Sobolev Inequalities Compactness Capacity Quasicontinuity Precise Representations of Soboleve Functions Differentiability on Lines BV Function Differentiability and Structure Theorem Approximation and Compactness Traces Extensions Coarea Formula for BV Functions isoperimetric inequalities The Reduced Boundary The Measure Theoretic Boundary Gauss-Green Theorem Pointwise Properties this article.
Book

NIST Handbook of Mathematical Functions

TL;DR: This handbook results from a 10-year project conducted by the National Institute of Standards and Technology with an international group of expert authors and validators and is destined to replace its predecessor, the classic but long-outdated Handbook of Mathematical Functions, edited by Abramowitz and Stegun.
Frequently Asked Questions (10)
Q1. What are the contributions mentioned in the paper "Difficulty control for blockchain-based consensus systems" ?

Since it yields systematically too fast blocks for exponential hash-rate growth, the authors propose a new method to update difficulty. 

The authors tried to lay a fundament for further research about this topic. In particular, the authors propose the following open questions for future research: • Some ideas for this have been discussed in Section 5, but still a lot of further thought is required to turn them into a working system. 

In order for a block to be valid, it has to fulfil a proof-of-work condition: A particular cryptographic hash involving the block’s content is formed, and must be below a threshold value. 

For this analysis, the authors will assume that an attacker has the capability to control the network hash rate $R(t)$ arbitrarily within some bounds $[\underline{R}, \overline{R}]$, $\underline{R} > 0$.

Their model will consider the hash rate R(t) as well as the network difficulty D as given input parameters, and the authors will derive the probability distribution of the resulting individual block times, the time for M blocks (corresponding to the expiration period), and their expectation values. 

To improve the stability of block times, the authors proposed an alternative difficulty control that is designed to work “perfectly” not just for constant hash rate but also if the hash rate grows exponentially (with a constant but unknown rate).

Even if the hash rate is exponentially rising, it is able to control the block rate towards a “stable situation” (see Theorem 2). 

It may also be a good idea to include some rules into the difficulty update such that it is more stable with respect to extreme hash-rate changes during the initial stages of a new system. 

The average block time over all $n$ retargeting intervals, which is the quantity of interest, is thus $J(r) = J(r_0, \ldots, r_n) = \frac{J_1 + J_2 + \cdots + J_n}{nM} = \frac{T}{n} \sum_{k=1}^{n} \frac{r_{k-1}}{r_k}$.

These simulations will not only be done for the “standard case” of strictly exponential growth, but also cover possible attack scenarios.