pith. sign in

arxiv: 2601.09082 · v3 · submitted 2026-01-14 · 💻 cs.CR

Rigorous and Generalized Proof of Security of Bitcoin Protocol with Bounded Network Delay

Christopher Blake , Chen Feng , Xuechao Wang , Qianyu Yu This is my paper

Pith reviewed 2026-05-16 15:05 UTC · model grok-4.3

classification 💻 cs.CR
keywords bitcoinsecurity proofnetwork delayblockchain consensushonest blocksadversary miningprobability one
0
0 comments X p. Extension

The pith

The Bitcoin protocol produces infinitely many honest blocks with probability one if the fully-delayed honest mining rate exceeds the adversary mining rate.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proves that the Bitcoin protocol will generate infinitely many honest blocks with probability one as long as the honest mining rate after fully accounting for bounded network delays exceeds the adversary mining rate. It generalizes the model to blocks with different scores and corrects an error in previous random walk arguments by using a punctured block arrival process. A reader would care because this shows an adversary cannot censor transactions in perpetuity, rendering the protocol useless. The proof is rigorous under the assumption of uniform bounded delay.

Core claim

In the computational model where an adversary can delay block transmissions by at most time Δ, the generalized Bitcoin protocol with blocks of different scores produces infinitely many honest blocks with probability one whenever the fully-delayed honest mining rate exceeds the adversary mining rate. This is proven using the punctured block arrival process to avoid the flaws of random walk theory.

What carries the argument

The punctured block arrival process, which modifies the standard arrival process to enable a correct proof of the infinite honest blocks property.

If this is right

  • An adversary cannot censor a user's transactions indefinitely.
  • The security result applies to the generalized protocol with variable block scores.
  • Only a uniform bound on network delay is needed, without assumptions on specific network structures.
  • The random walk approach used in prior work is shown to be incorrect via counterexample.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If real-world delay measurements confirm the rate condition, the protocol will produce honest blocks infinitely often in practice.
  • The puncturing technique could be adapted to prove security for other delayed consensus protocols.
  • Extending to stochastic delays might still preserve the result if the expected delay satisfies the inequality.

Load-bearing premise

The model assumes a uniform bounded delay Delta for all block transmissions and that the mining rates satisfy the required inequality after accounting for the maximum delays.

What would settle it

A scenario or simulation where the fully-delayed honest mining rate exceeds the adversary rate but only finitely many honest blocks appear would falsify the central claim.

Figures

Figures reproduced from arXiv: 2601.09082 by Chen Feng, Christopher Blake, Qianyu Yu, Xuechao Wang.

Figure 1
Figure 1. Figure 1: Diagram representing the past and future honest and adversary growth intervals used in the definitions of [PITH_FULL_IMAGE:figures/full_fig_p005_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Figure representing the punctured arrival process. [PITH_FULL_IMAGE:figures/full_fig_p009_2.png] view at source ↗
read the original abstract

A proof of the security of the Bitcoin protocol is made rigorous, and simplified in certain parts. A computational model in which an adversary can delay transmission of blocks by time $\Delta$ is considered. The protocol is generalized to allow blocks of different scores and a proof within this more general model is presented. An approach used in a previous paper that used random walk theory is shown through a counterexample to be incorrect; an approach involving a punctured block arrival process is shown to remedy this error. Thus, it is proven that with probability one, the Bitcoin protocol will have infinitely many honest blocks so long as the fully-delayed honest mining rate exceeds the adversary mining rate. This means that an adversary cannot censor future transactions of a user in perpetuity, which would render the protocol useless.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper presents a rigorous proof of Bitcoin protocol security in a model with uniform bounded network delay Δ, generalizing the protocol to blocks with varying scores. It identifies a flaw in a prior random-walk argument via counterexample and replaces it with a punctured block arrival process construction. The central result is that, with probability one, there are infinitely many honest blocks whenever the fully-delayed honest mining rate strictly exceeds the adversary mining rate; this implies an adversary cannot censor transactions indefinitely.

Significance. If the central claim holds, the work supplies a clean, parameter-free almost-sure guarantee of liveness under the stated rate condition and bounded delay, extending prior analyses to heterogeneous block scores. The explicit counterexample to the random-walk approach and the punctured-process remedy are concrete contributions that clarify the conditions under which Bitcoin remains secure against perpetual censorship.

major comments (1)
  1. [generalized model and punctured process construction] The punctured arrival process construction (generalized model section) must be shown to preserve strict rate dominance after removal of delayed or superseded blocks when scores vary arbitrarily. The abstract and sketch do not supply an explicit bound on score ratios or a recurrence argument establishing that the honest subprocess retains positive drift almost surely; an adversary block superseding multiple honest blocks inside one delay window could violate the required inequality even when the nominal rates satisfy the hypothesis.
minor comments (1)
  1. [model definition] Notation for the fully-delayed honest rate and the puncturing operator should be introduced with a single consistent symbol set before the main theorem statement.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the careful reading and for identifying the need for greater clarity on the generalized model. We address the major comment below and will revise the manuscript accordingly.

read point-by-point responses

  1. Referee: [generalized model and punctured process construction] The punctured arrival process construction (generalized model section) must be shown to preserve strict rate dominance after removal of delayed or superseded blocks when scores vary arbitrarily. The abstract and sketch do not supply an explicit bound on score ratios or a recurrence argument establishing that the honest subprocess retains positive drift almost surely; an adversary block superseding multiple honest blocks inside one delay window could violate the required inequality even when the nominal rates satisfy the hypothesis.

    Authors: The full proof in Section 4 defines the punctured process by excising any honest block delayed beyond Δ or superseded by a higher-score block (adversary or honest) within a delay window. The 'fully-delayed honest mining rate' is the long-run rate of score contribution from the remaining honest blocks. Because scores are positive and the nominal honest rate strictly exceeds the adversary rate, the expected score increment per unit time for the honest punctured process remains strictly positive. Supersession of multiple honest blocks by one adversary block is already folded into the rate comparison: each such event removes at most a bounded number of honest blocks (at most those arriving in one Δ-window), but the strict rate gap ensures the net drift stays positive. The recurrence argument tracks the cumulative score difference and shows that the probability of returning to zero infinitely often is zero under the rate hypothesis; the counterexample to the plain random-walk argument is precisely avoided by the puncturing step. No uniform bound on individual score ratios is required, as the argument works with the aggregate rates. We will add an explicit lemma (new Lemma 4.3) stating the drift preservation after puncturing and a short paragraph in the generalized-model section spelling out the supersession accounting. revision: partial

Circularity Check

1 steps flagged

Minor self-citation to prior random-walk argument that is explicitly refuted

specific steps
  1. self citation load bearing [Abstract]
    "An approach used in a previous paper that used random walk theory is shown through a counterexample to be incorrect; an approach involving a punctured block arrival process is shown to remedy this error."

    The text references prior work (likely overlapping authors) on random walks but immediately replaces it; however, the citation still appears as the starting point for motivating the new punctured-process argument, creating a light self-referential framing even though the actual proof does not inherit correctness from the refuted prior result.

full rationale

The derivation starts from the model assumptions (bounded delay Delta and honest mining rate strictly exceeding adversary rate after delays) and constructs a punctured arrival process to prove almost-sure recurrence of honest blocks. The only self-reference is to a prior paper whose random-walk method is shown incorrect via counterexample; the new proof does not rely on that prior result for its validity. No parameters are fitted to data, no quantity is defined in terms of itself, and the central claim remains an independent mathematical argument from the stated rate inequality. This qualifies as a minor self-citation that is not load-bearing.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The central claim rests on standard domain assumptions about bounded delays and Poisson-like mining processes; no free parameters are fitted to data and no new entities are invented.

axioms (2)
  • domain assumption Network transmissions are delayed by at most a fixed bound Delta
    Core modeling choice stated in the abstract for the adversarial network.
  • domain assumption Mining arrivals follow a process allowing rate comparison after delays
    Implicit in the fully-delayed honest mining rate definition.

pith-pipeline@v0.9.0 · 5432 in / 1194 out tokens · 46721 ms · 2026-05-16T15:05:51.988363+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

14 extracted references · 14 canonical work pages · 1 internal anchor

  1. [1]

    Bitcoin: A peer-to-peer electronic cash system,

    S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2008

    work page 2008

  2. [2]

    Majority is not enough: bitcoin mining is vulnerable,

    I. Eyal and E. G. Sirer, “Majority is not enough: bitcoin mining is vulnerable,”Commun. ACM, vol. 61, no. 7, pp. 95–102, Jun. 2018

    work page 2018

  3. [3]

    The Balance Attack Against Proof-Of-Work Blockchains: The R3 Testbed as an Example

    C. Natoli and V . Gramoli, “The balance attack against proof-of-work blockchains: The r3 testbed as an example,”ArXiv, vol. abs/1612.09426, 2016

    work page internal anchor Pith review Pith/arXiv arXiv 2016

  4. [4]

    The bitcoin backbone protocol: Analysis and applications,

    J. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone protocol: Analysis and applications,” inAnnual Int. Conf. Theory and Applications of Cryptographic Techniques. Springer, Apr. 2015, pp. 281–310

    work page 2015

  5. [5]

    Analysis of the blockchain protocol in asynchronous networks,

    R. Pass, L. Seeman, and A. Shelat, “Analysis of the blockchain protocol in asynchronous networks,” inAnnual International Conference on the Theory and Applications of Cryptographic Techniques, April 2017, pp. 643–673

    work page 2017

  6. [6]

    Secure high-rate transaction processing in bitcoin

    Y . Sompolinsky and A. Zohar, “Secure high-rate transaction processing in bitcoin.” inFinancial Cryptography, ser. Lecture Notes in Computer Science, R. Böhme and T. Okamoto, Eds., vol. 8975. Springer, 2015, pp. 507–527

    work page 2015

  7. [7]

    Everything is a race and nakamoto always wins,

    A. Dembo, S. Kannan, E. N. Tas, D. Tse, P. Viswanath, X. Wang, and O. Zeitouni, “Everything is a race and nakamoto always wins,” inProc. 2020 ACM SIGSAC Conf. on Comp. and Comm. Security. New York, NY , USA: ACM, 2020, pp. 859–878

    work page 2020

  8. [8]

    Tight consistency bounds for bitcoin,

    P. Gaži, A. Kiayias, and A. Russell, “Tight consistency bounds for bitcoin,” inProc. 2020 ACM SIGSAC Conf. on Comp. and Comm. Security. ACM, Nov. 2020, pp. 819–838

    work page 2020

  9. [9]

    Merged bitcoin: Proof of work blockchains with multiple hash types,

    C. Blake, C. Feng, X. Wang, and Q. Yu, “Merged bitcoin: Proof of work blockchains with multiple hash types,” 2025, in preparation

    work page 2025

  10. [10]

    Analysis of nakamoto consensus,

    L. Ren, “Analysis of nakamoto consensus,” Cryptology ePrint Archive, Report 2019/943, 2019

    work page 2019

  11. [11]

    Les probabilités dénombrables et leurs applications arithmetiques,

    E. Borel, “Les probabilités dénombrables et leurs applications arithmetiques,”Rend. Circ. Mat. Palermo, vol. 2, no. 27, pp. 247–271, 1909

    work page 1909

  12. [12]

    Sulla probabilità come limite della frequenza,

    F. Cantelli, “Sulla probabilità come limite della frequenza,”Atti Accad. Naz. Lincei, vol. 26, no. 1, pp. 39–45, 1917

    work page 1917

  13. [13]

    S[n][represents the] difference between the increase inD h and the number of adversary arrivals

    M. Mitzenmacher and E. Upfal,Probability and Computing, 2nd ed. Cambridge: Cambridge University Press, 2017. APPENDIXA PRIOR PAPER FLAW We will prove using a counterexample a flaw with the prior proof in [7]. The authors of [7] state in Appendix C.1: “S[n][represents the] difference between the increase inD h and the number of adversary arrivals.” In this...

    work page 2017

  14. [14]

    Indeed, a generalized random walk does not necessarily behave like a simple random walk

    do not flow from the arguments. Indeed, a generalized random walk does not necessarily behave like a simple random walk. For example, consider a process that starts out deterministically leaving the origin, returning, and then continuing on forever as a normal random walk with positive drift. This process is similar to a simple random walk, and the averag...

    work page