All,

I poked a bit trying to find out what's the actual cost of a successful attack given an AD value and the amount of hashpower that an attacker have at his disposal.

You could find all the data here:

https://docs.google.com/spreadsheets/d/15PFggIxjhMwRZ3WXfFELsstvRvyYwKB4EIX26LhfMY8/edit?usp=sharing
Let me just summarize how I manage to get to the cost of the attack.

1) use

@awemany /

@dgenr8 method to compute a probability of a single

successful event,

*P(e) *3rd column, given a particular value of AD and

attacker hashrate,

*p* (1st column).

(see

https://gist.github.com/awemany/d9d2eb0eb17c4c51b896df13fbfd0def)

*P(e)* could be computed using a Binomial distribution or an Erlang distribution the

script provide both

2) Calculate the number of trials to first success (4th column). Such number is

equal to

*1/P(e)*. Demonstration available here:

http://www.cut-the-knot.org/Probability/LengthToFirstSuccess.shtml
3) Now we need to know how many blocks an attacker is going to main for every trial on avg.

Since every trial is just a Bernoulli process (

https://en.wikipedia.org/wiki/Bernoulli_process)

and the number of mined blocks in the first

*2*AD+1* step has a binomial distribution with

parameter

*n = 2*AD + 1 *and prob of success p (attacker hash rate). The avg number of block

per trial will be

*n * p *= (2 * AD + 1) * p

Such number is placed in the 6th column

4) Finally in the last column you have the cost of a successful attack in USD given the

current exchange rate (~775$). To use

@dgenr8 word:

*"[the] cost is measured by *

the time spent mining on a chain known not to be longest."
The formula is pretty simple:

*12.5 * btc_value_in_usd * (AD + 1) + 12.5 * btc_value_in_usd * (1/P(e) -1) * ((2*AD+1) * p)*
the first term is the cost of single successful attack it means, here you need to mine AD + 1

block faster than the honest part of the network

the second term is the avg mined block per failed attempts

*(2*AD+1) * p* multiplied by the

number of trials to first success minus one (

*1/P(e) -1) *multiplied by the value in usd per block

*(12.5 * btc_value_in_usd)*

Summarizing:

* increasing the AD increase the cost of the attack in a superlinear way.

* If an attacker has more that 30% of the hash power the cost of the attack is relatively low.

on the other hand as you can see increasing the AD significantly increase the cost exponentially.

this is the same that for an attacker with the 25% of the hash rate: