COMPARISON OF BLOCK EXPECTATION TIME FOR VARIOUS CONSENSUS ALGORITHMS

Context. We consider security properties of decentralized blockchain-based consensus protocols. The object of research is the block confirmation time that users need in order to get assurance that their transaction will not be reverted.
Objective. The goal of the paper is to analyze double-spend attacks on different blockchain-based systems and compare the resulting probabilities of the attacker's success.
Method. We presented two models for two types of attacks on the Ouroboros protocol (for the general and covert adversaries). The models allow calculating the exact number of slots needed to achieve the required level of security. It was shown that the Ouroboros protocol allows achieving the required security level with a significantly shorter confirmation period in comparison with Bitcoin. We estimated the minimal number of confirmation blocks and compared the estimation time for the Bitcoin, GHOST and Ouroboros protocols. As a measure of comparison, we considered the transaction confirmation time for which the probability of a double-spend attack is less than 0.1%. We use different standard probability distributions and different properties of Markov chains and Random Walks to compare the estimated security properties of the Bitcoin blockchain against three different models of the Bitcoin double-spend attack. The splitting attack, based on the model where resources of honest participants are divided between competing chains, is applied to the Bitcoin and GHOST consensus protocols. Properties of Markov chains and Random Walks are also applied to obtain security estimations for the Ouroboros protocol.
Results. We developed methods to get specific numbers for the average block confirmation time for the Ouroboros protocol. We compared the minimal number of confirmation blocks needed to ensure high security for the considered protocols: Bitcoin, GHOST and Ouroboros.
Conclusions. The obtained results allow determination of security bounds for the Bitcoin, GHOST and Ouroboros consensus protocols. Users of practically deployed blockchain systems may get specific parameters for a given assurance level.


INTRODUCTION
The Bitcoin is a payment system where digitally signed transactions are grouped into blocks and stored securely in a structure called blockchain. A blockchain is a sequence of blocks linked via hash pointers where each new block contains a hash of the previous block. This structure preserves an ordered list of transactions that uniquely determines the state of the system.
Unlike other centralized payment systems, in Bitcoin, once a transaction is added to the blockchain, it could not be considered as confirmed immediately. A user needs to wait some time to be sure that the transaction is set in stone in the blockchain. This is because of decentralized nature of the system where everyone can add blocks to the blockchain. To provide consistency among different users and to preserve inability to revert previously added blocks, a special mechanism is used called proof-of-work. The following idea underlies a proof-of-work system: a computational effort (calculation of a hash value below some target) should be applied to produce a block. Only a chain of blocks with the most computations would be considered valid.
As the blockchain technology evolves, the alternatives to the computationally heavy proof-of-work mechanism appear. The most promising one is called proof-of-stake: it does not require heavy computations to produce blocks, instead, a block producer is chosen through a fair procedure among all stakeholders in the system. The Ouroboros is a good example of such a system [1]. To the best of our knowledge, it is the first provably secure proof-of-stake protocol with rigorous security guarantees.
The concept of a blockchain could be undermined if someone would have a possibility to revert blocks by submitting a chain that would substitute the one currently accepted. For example, such possibility can result in the following attack: some buyer pays to a merchant with bitcoins, after the corresponding transaction is included into the blockchain, the merchant accepts a payment and sends a product to the buyer; upon receiving the product the buyer issues a conflicting chain of blocks which does not contain the payment to the merchant but instead sends coins back to the buyer. So as long as the merchant cannot be sure that the payment is irreversible, it would not be secure to deliver the product.
S. Nakamoto argues [2] that the system is secure (with some probability) against such attacks, unless 50% or more of the total computational power is possessed by an adversary.
The described double-spend attack is relevant not only for Bitcoin, but also for other proof-of-work systems, for instance, those based on the GHOST algorithm [3], as well as for proof-of-stake systems, like Ouroboros.
The object of study is the block confirmation time needed to provide reasonable security guarantees for the users.
The subject of study is the comparison of block expectation time for popular proof-of-work and proof-of-stake consensus algorithms.
The purpose of the work is to analyze known double-spend models for Bitcoin and evaluate how effective an adversary can be in terms of the probability of a successful attack. For that purpose we present new mathematical models for the Ouroboros protocol that allow calculating the security bounds for different types of adversaries. We also provide the results of splitting attack simulations for the Bitcoin and GHOST algorithms.

PROBLEM STATEMENT
In this paper we describe known double-spend models for Bitcoin and present new mathematical models for the Ouroboros protocol that allow calculating the security bounds for different types of adversaries.
Suppose there is the set of miners which is divided into honest miners and malicious miners.
The input values are p, q and α = 0.001. The problem is: given p, q, α, find the minimal number z of confirmation blocks such that the probability of a double-spend attack after these blocks is less than α.
We build the estimation for minimal number of confirmation blocks and also compare estimation time for different protocols: Bitcoin, GHOST and Ouroboros.

REVIEW OF THE LITERATURE
The existing mathematical models of the Bitcoin double-spend attack are presented in [1,2,4,5,6].
The first model of double-spend attack was introduced by S. Nakamoto in the original Bitcoin white paper [2]. S. Nakamoto considers the scenario when an adversary tries to generate secretly an alternate chain that would be longer (in terms of computational difficulty) than the honest chain.
M. Rosenfeld improved Nakamoto's model in [5], but did not give any rigorous justification for it. A mathematical description of the attack was given for the first time in paper [6] by Grunspan and Perez-Marco. We also look into two models proposed by C. Pinzon et al. [4] that introduce a notion of time advantage to the original model that was analyzed by Nakamoto and Rosenfeld.
The splitting attack was described in [7] and could be considered as a variation of a double-spend attack since the main goal is to create a fork of the required length. The splitting attack for the GHOST protocol is slightly different compared to Bitcoin [7].
Let's consider a double-spend attack that could happen in a blockchain-based system [8]. As we briefly mentioned before, it does not really matter what type of consensus mechanism underlies the system: a double-spend could happen in both proof-of-work and proof-of-stake systems. Here we describe the main essence of the attack.
As it follows from the name, the whole idea of a double-spend attack is to use the same coins twice. In general, it implies that someone pays for some goods, but after receiving them, he/she reverts the payment so both goods and money are in the hands of the attacker. While it is infeasible to change the transaction with the payment itself (because that would require falsifying of a digital signature), it is possible to reject an entire block which includes the transaction. For doing this, an attacker needs to substitute a valid sub-chain of blocks with a new one that has a bigger score (score calculation depends on the actual blockchain type). Even though this attack requires tremendous resources (computational in the case of a proof-of-work or financial in the case of a proof-of-stake system), it could be profitable.
The attack involves the following steps:
1. An adversary A wants to buy some goods from a merchant B. To do this, A creates a transaction $tx_1$ with a payment to B and sends it to the blockchain (Fig. 1).
2. B receives the payment from A, waits for a sufficient number of confirmations in the blockchain and then sends the goods to A (Fig. 2).
3. A creates a conflicting transaction $tx_2$ where he redirects coins to his address, and tries to generate a forked block containing this transaction. Given that B waits for additional confirmations on top of the block with the payment, A needs to overcome all those blocks in his chain and create a fork with a higher score (Fig. 3).
4. If A is lucky to produce a fork of the main chain, the transaction $tx_1$ would be removed from the blockchain. Instead, the transaction $tx_2$ would be included. The network will continue with the chain of the adversary, so the payment to the merchant B would be lost forever (Fig. 4). At the same time, the adversary A seizes both goods and money.
Even though specific techniques of fork creation could vary for different consensus protocols, the essence of the described attack remains the same for all of them. Now we give an overview of the existing mathematical models of the Bitcoin double-spend attack.
In S. Nakamoto's model [2], given that an adversary starts with some deficit K (the honest chain is longer than the adversarial one by K blocks), the probability that the adversary would ever catch up with the honest chain is analogous to the Gambler's Ruin problem and could be calculated as follows:
Assuming that an adversary starts to work on the malicious fork right after the payment transaction is included into the blockchain (so he does not wait for the z blocks after which it is confirmed by the merchant), he may have mined some number of blocks so the deficit K is reduced. The adversarial progress will be a Poisson distribution with the expected value $\lambda = z \frac{q}{p}$.
The overall probability of the successful double-spend attack can be found by multiplying the Poisson density for each possible amount of progress by the probability of catching up with the remaining deficit:
However, these results were obtained under assumptions that do not quite correspond to the real model. The first assumption, which is also present in almost all other papers, is that the time of generation of the block and the time of its appearance in the network coincide, so the block propagation delay is zero. But from this assumption it follows that the probability of an "accidental" fork is zero, and reality shows that such forks happen about 6 times per month. The second assumption is even more incorrect. It is as follows: if the probability of an event is p , then the number of tests in which there will be exactly n events, is exactly n p . In fact, this means replacing the random variable with its mathematical expectation, which is not entirely correct, to put it mildly.
Another well-known mathematical model for the Bitcoin double-spend attack, in addition to the one presented by Nakamoto, is the model of M. Rosenfeld. In [5] he clarifies and expands the work of S. Nakamoto. The same basic model is taken: for a successful double-spend attack an adversary needs to catch up with $z = n - m$ blocks, where n is the number of confirmations that a user waits for before sending goods, and m is the number of blocks that an adversary is expected to mine during the confirmation period.
M. Rosenfeld considers the catching-up process as a Markov chain, where each step is defined as finding of a block by an honest node or by an adversary: 1 1 with probability , = 1 with probability .
In this case, the probability to catch up with z blocks can be defined as follows:
In the paper by Rosenfeld [5], other, and, as it turned out, more accurate analytical expressions for these probabilities were proposed, while a slightly different model was chosen for their derivation than the one used by Nakamoto. M. Rosenfeld models the progress as a negative binomial distribution. The probability that an adversary will mine a given number of blocks m while the honest miners mine n blocks is $P(m) = \binom{m+n-1}{m} p^n q^m$.
It follows that the probability of a successful double-spend attack, where a merchant waits for n confirmations and an adversary succeeds in finding $m + 1$ blocks during the confirmation period, is equal to
However, this paper did not provide any justification for the chosen model. The authors simply assumed that the appearance of "honest"/"dishonest" blocks in the network is described by a negative binomial distribution; this assumption was not substantiated there. In [5], the results were also obtained under the assumption that the propagation time of the block in the network is zero. Regarding Nakamoto's second assumption, it is unclear how far the authors have noticed this fallacy; however, they did not use this assumption. For this reason, the numerical results in this paper differ from the results by Nakamoto, i.e. for the same probability of attack, Rosenfeld's paper requires more confirmation blocks.
An interested reader could find more rigorous description of this model in the original paper [5].
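The two Bitcoin models discussed above can be compared numerically. The following is an added example, not code from the paper: it uses the closed forms published in the original sources [2] and [5] (Poisson progress with catch-up probability $(q/p)^z$ for Nakamoto, negative binomial progress for Rosenfeld), zero propagation delay, and the threshold α = 0.001 from the problem statement; the function names are hypothetical.

```python
from math import comb, exp


def catch_up(q: float, z: int) -> float:
    """Gambler's Ruin: probability that the attacker ever erases a deficit of z blocks."""
    p = 1.0 - q
    if z <= 0 or q >= p:
        return 1.0
    return (q / p) ** z


def nakamoto(q: float, z: int) -> float:
    """Attack success after z confirmations in Nakamoto's model [2].

    Attacker progress is Poisson with mean lambda = z * q / p; each amount of
    progress k is weighted by the probability of catching up the rest.
    """
    p = 1.0 - q
    lam = z * q / p
    fail = 0.0
    pois = exp(-lam)                      # Poisson term for k = 0
    for k in range(z + 1):
        fail += pois * (1.0 - catch_up(q, z - k))
        pois *= lam / (k + 1)             # next Poisson term
    return 1.0 - fail


def rosenfeld(q: float, n: int) -> float:
    """Attack success after n confirmations in Rosenfeld's model [5].

    Attacker progress m while the honest network mines n blocks follows
    P(m) = C(m+n-1, m) p^n q^m (negative binomial).
    """
    p = 1.0 - q
    if n == 0 or q >= p:
        return 1.0
    fail = sum(
        comb(m + n - 1, m) * (p ** n * q ** m - p ** m * q ** n)
        for m in range(n + 1)
    )
    return 1.0 - fail


def min_confirmations(model, q: float, alpha: float = 0.001, limit: int = 400) -> int:
    """Smallest number of confirmations with attack probability below alpha."""
    for z in range(1, limit + 1):
        if model(q, z) < alpha:
            return z
    raise ValueError("no confirmation count below alpha within limit")


if __name__ == "__main__":
    # Constructed sample of attacker shares; kept at or below 0.40 so the
    # binomial coefficients stay within float range.
    print(" q     Nakamoto  Rosenfeld")
    for q in (0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40):
        print(f"{q:.2f}  {min_confirmations(nakamoto, q):8d}  "
              f"{min_confirmations(rosenfeld, q):9d}")
```

For every attacker share printed, Rosenfeld's model asks for at least as many confirmations as Nakamoto's, which is the difference the text attributes to replacing the random variable with its expectation.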
It is worth to mention two theoretical models that were presented by C. Pinzon et al. [4].
The first one generalizes the model of M. Rosenfeld by adding an extra parameter that represents the time advantage of an adversary.
The second one, which is called "a time-based model", is completely different from those described above. In this model, the lengths of the valid and adversarial chains are assumed to be equal. Instead, the authors focus on the time parameter t that represents the time difference between the n-th block in the adversarial and honest chains.
Wonderful from the mathematical point of view, Grunspan's paper [6] impresses with the mathematical rigor of its presentation and substantiation. In this paper, the authors prove what Rosenfeld suggested without proof: that the process of generating "honest"/"dishonest" blocks in the network is described by a negative binomial distribution. However, the authors could not, and even did not try to, get rid of the same assumption on the instantaneous propagation of the block in the network.
As far as these models are consistent with the model of M. Rosenfeld and give almost the same results, we do not examine them deeply. Short descriptions are given in the Appendices A and B.
Since all considered models are intended to estimate the probability of the same double-spend attack in Bitcoin, the results are similar except differences between the models of S. Nakamoto and others. The models of C. Grunspan, M. Rosenfeld and C. Pinzon et al. give exactly similar results (assuming that time advantage in the models of C. Pinzon is equal to zero).
Table 1 shows the values computed for different models. It represents the number of blocks that a user should wait for to be 99.9% sure that his transaction would not be reverted by an adversary. It is worth noting that the presented theoretical models for the double-spend attack could also be applied to other Bitcoin-like proof-of-work systems.
Now let's consider the splitting attack [7], which is targeted at proof-of-work based protocols with a short block generation time that is comparable to the block propagation time in the network.
We will start with a general overview of a splitting attack, and then provide some experimental results showing the possibility of its application to different proof-of-work consensus protocols.
In contrast to the classic double-spend attack, where an adversary is supposed to create a fork secretly and publish it after getting goods and only in case if his chain is longer, the splitting attack is public for all nodes from the beginning. Moreover, not only an adversary contributes blocks into the forked branches but also honest nodes.
The idea of the attack is the following: when a fork of depth 1 accidentally happens, an adversary splits its hashing power on both branches to keep their lengths equal as long as possible. In this case honest miners would also be split due to their arbitrary choice between branches of equal lengths. When honest miners publish a new block in one of the branches, an adversary publishes block in the other branch to keep the fork running (see Fig. 5). If branches are of the same length, then adversary does nothing so again honest miners are split in half.
So the adversary tries to keep both chains balanced by their lengths. If lengths differ, the adversary extends the chain that is behind by publishing some amount of blocks needed to equalize lengths of both chains. The attack continues till the adversary has sufficient amount of blocks for each chain in his reserves. If he cannot equalize chains' lengths at the end of some round, then the attack is finished. A notion of a round was initially taken from [9]; it represents a complete round of information propagation to all nodes in a p2p network. In practice, information propagation is a random variable with an order of tens of seconds. In the described model, it is assumed that one full communication round takes 12.6 seconds (this is the average block propagation time in the Bitcoin network [10]).
The general essence of the splitting attack is the following: when the time of block generation is comparable to the time of block propagation, the probability of generation of 2 or more blocks in the same round (and at the same block height) becomes non-negligible. In this case, at the beginning of the next round the network would be split into two branches. An adversary leverages such block collisions to keep the fork running.
Thus, an important parameter that facilitates a splitting attack is the number of PoW solutions (mined blocks) per complete round of information propagation. In [7], where this parameter is designated as f , it was shown that when f decreases and gets closer to 0, the probability of a splitting attack decreases too (an adversary needs almost 50% of the hashing power to make a split). And vice versa, when f increases, the security bound becomes worse (the attack becomes feasible with less than 50% of the hashing power). The splitting attack is the most effective when $f \geq 1$, i.e., at the rate of 1 block per round or more.
It follows from the above that a short block generation time (relative to the block propagation time) creates favorable conditions for a splitting attack to occur. Hence, it becomes interesting to investigate the resistance of proof-of-work protocols with different values of the parameter f .
Let's consider the splitting attack on GHOST. GHOST protocol was initially proposed as an improvement of the Bitcoin protocol that allows to reduce time between blocks while preserving the same level of security [3,11].
The main modification that was suggested is that blocks not included into the main chain can still contribute to the chain's irreversibility. The basic observation behind the protocol is that the blocks that are built on top of some block B add additional weight to block B even if they are not in the main chain. So, in contrast to the Bitcoin protocol, where only the blocks that are in the main chain contribute to the difficulty of this chain, in GHOST a whole sub-tree of blocks is considered (Fig. 6). See for more information [3,11].
Although the authors declared that the GHOST protocol has comparable security even with a short block generation time (it is stated that even when blocks are issued every second, the security level is the same as in the original Bitcoin protocol [3]), we found a few serious mistakes in their works that put their assertions and results in doubt. So it becomes interesting to investigate the resistance of the GHOST protocol against a splitting attack. The splitting attack for the GHOST protocol is slightly different compared to Bitcoin [7]. There are two differences:
- An adversary has to compensate the difference in the total number of honestly mined blocks in both branches at the end of each round, while in Bitcoin-like protocols he has to compensate only the maximal number of honestly mined blocks to keep both chains balanced.
- All blocks produced by an adversary are always valid. This facilitates an attack for the adversary, because he can just mine the first nodes after the common prefix of the two branches. In contrast, in Bitcoin an adversary has to extend only the head of the diverging chains, so all blocks must be recent.
Now let's consider the double-spend attacks on Ouroboros. As stated in [1], it is the first provably secure proof-of-stake blockchain protocol with rigorous security guarantees, comparable to those achieved by the Bitcoin blockchain protocol. First we briefly discuss the protocol itself, and then present two models for different types of adversaries.
As previously stated, Ouroboros is a proof-of-stake protocol, thus it does not require heavy computations for block production. While in proof-of-work protocols like Bitcoin the blocks are produced by the miners (which do not necessarily have a stake in the system), in Ouroboros only the stakeholders can produce blocks. Given that the stakeholders are well incentivized to keep the overall stability of the system (as it would consequently keep the value of their coins), it creates an additional incentive for block producers to act honestly, thus making the system more secure in general.
The main idea behind the protocol is that the time is divided into so called epochs, and each epoch consists of a predefined number of slots. Each slot has an associated stakeholder that should produce a block during the time of that slot. The model requires synchrony among stakeholders, and the blocks that are produced in the incorrect timeslots are considered invalid. At most one block could be produced in the given slot (Fig. 7).
The owners of the slots are chosen randomly before the beginning of the epoch. Randomness for a selection procedure is generated collectively by a set of stakeholders by means of a special cryptographic protocol based on the PVSS scheme [12]. The time is divided into slots, each slot has an associated stakeholder who should produce a block in this slot. It is not necessary that the block in the given slot will be produced (for instance, a corresponding stakeholder could be offline at the moment), but there is a strict rule that only one block can be produced in the slot.
Following the terminology given in [1], an attack that consists in a fork creation is called an attack on a common prefix. There are two possible models for an adversary that is going to create a fork: the one that immediately demonstrates an adversarial behavior and the one that leaves an adversary covert. We will briefly describe both of them.
Despite the rule that a slot winner can produce only one block per slot in the given chain of blocks, nothing can prevent him from creating several blocks in the same slot but in different chains, thus creating a fork (see Fig. 8). An adversary can facilitate an attack by publishing blocks in both chains, forcing honest slot winners to be split between them. In what follows, we will call such an adversary a general adversary. While the described attack provides an adversary with significant opportunities, it leaves a suspicious "audit trail": multiple signed blocks at the same slot that immediately signal malicious behavior. That motivates considering a restricted class of covert adversaries, who produce not more than one block per slot (though not necessarily in the expected slot [1]).
An interested reader could find more details in [1,13].

Let's consider the Ouroboros general adversary model. A central point of the security arguments given in [1] is the notions of the characteristic and forkable strings. A characteristic string is a binary string $\{0,1\}^n$ where each element indicates a slot that is assigned either to an adversary (denoted with 1) or to an honest user (denoted with 0). A forkable string is a characteristic string with such a disposition of adversarial slots that allows fork creation.
Understanding the density of the forkable strings among all characteristic strings will help to determine the probability of an attack. The paper [1] gives an upper bound on the probability of a string being forkable. In our research, we are interested in the exact probabilities of forks. To obtain such probabilities, we utilize a recursive algorithm that detects a forkable string (see lemma 4.18 in [1] for more details):
Given a characteristic string w and the initial state ( m ε ), the state is updated sequentially with each element of the string. Finally, when all elements from w are processed, the variable μ is checked: if $\mu \geq 0$ then the string w is forkable, otherwise it is not.
Having such an algorithm, it is possible to calculate the overall probability of a fork for a string of particular length. It could be done by constructing of a matrix of probabilities for all possible states (Fig. 9).
The matrix could be calculated iteratively using the following rules (based upon the algorithm (5)):
Finally, the probability that an adversary with the fraction of stake q would be able to create a fork of n slots could be defined as follows:
$DS(q, n) = \sum_{i}^{n} \sum_{j}^{n} p^{n}_{i,j}$ (6)
Note that it is also possible to estimate the probability of a fork by simulating an attack directly. It could be done by generating random binary strings (taking into account the probability of an adversarial slot) and checking them with the algorithm (5). The results conform with those obtained analytically with the equality (6).
Now let's consider the Ouroboros covert adversary model. As stated previously, a covert adversary tries to keep an attack secret until he creates a branch of sufficient length. In this case, the adversarial behavior would be to refrain from publishing blocks in the honest chain (Fig. 10). In the classical double-spend attack it is assumed that an adversary has to create a fork of at least n blocks, where n is the number of confirmations that a user waits for before sending goods or providing a service. In this formulation, the attack with a covert adversary is basically close to the Bitcoin double-spend attack. Therefore, the probability of a fork after n blocks could be easily calculated using, for instance, the model of S. Nakamoto (see section 2, eq. 1).
Because of the deterministic nature of the block creation process in the Ouroboros protocol, it is more convenient to consider security bounds as the number of slots that a user should wait for to be sure (to some degree) that a fork cannot be created (opposite to the number of blocks in the classical model).
In our model, for a successful attack an adversary needs to create a fork of l slots (or longer). To do this, he needs to possess at least half of the slots at some point after the slot l . The probability of this event consists of two components: the ability of the adversary to accumulate some slots before the slot l , and the ability to catch up with the deficit (if any) after the slot l . We assume that neither the honest users nor the adversary skip their slots, so there are no gaps.
The number of slots that an adversary would get during the period of l slots is a random variable that follows a binomial distribution. The probability to get exactly m slots is the following:
The probability of catching up with $z = n - m$ slots (where $n = l - m$ is the number of honest slots) could be
In order to get insights on the density of forks produced by different types of adversaries and to compare them with other consensus protocols, we made a calculation using the expressions above. The results are shown in Table 2.
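Both Ouroboros models described above (the forkable-string state matrix for the general adversary and the binomial-plus-catch-up model for the covert adversary) can be evaluated with a short program. This is an added example, not the paper's code: the (λ, μ) update rule is the recursion from the Ouroboros paper [1] with initial state (0, 0), the covert formula assumes a binomial slot count multiplied by the Gambler's Ruin catch-up probability $(q/p)^z$ with q < 0.5, and all function names are hypothetical.

```python
from itertools import product
from math import comb

SLOT_SECONDS = 20   # slot length stated in the Experiments section
ALPHA = 0.001       # target attack probability used throughout the paper


def step(state, slot):
    """Update (lam, mu) with one slot: 1 = adversarial, 0 = honest."""
    lam, mu = state
    if slot == 1:
        return lam + 1, mu + 1
    if lam > 0 and mu == 0:
        return lam - 1, 0
    if lam == 0:
        return 0, mu - 1
    return lam - 1, mu - 1


def is_forkable(w):
    """w is a sequence of 0/1 slots; forkable iff the final mu is >= 0."""
    state = (0, 0)
    for slot in w:
        state = step(state, slot)
    return state[1] >= 0


def advance(dist, q):
    """Push a {state: probability} table through one more random slot."""
    nxt = {}
    for state, pr in dist.items():
        for slot, weight in ((1, q), (0, 1.0 - q)):
            s = step(state, slot)
            nxt[s] = nxt.get(s, 0.0) + pr * weight
    return nxt


def forkable_mass(dist):
    """Total probability of the states that mark a forkable string."""
    return sum(pr for (_, mu), pr in dist.items() if mu >= 0)


def forkable_probability(q, n):
    """General adversary: exact probability that n random slots are forkable."""
    dist = {(0, 0): 1.0}
    for _ in range(n):
        dist = advance(dist, q)
    return forkable_mass(dist)


def brute_force(q, n):
    """Cross-check by enumerating all 2**n characteristic strings (small n)."""
    total = 0.0
    for w in product((0, 1), repeat=n):
        if is_forkable(w):
            k = sum(w)
            total += q ** k * (1.0 - q) ** (n - k)
    return total


def covert_fork_probability(q, l):
    """Covert adversary: m of l slots (binomial), then catch up z = l - 2m."""
    p = 1.0 - q
    total = 0.0
    for m in range(l + 1):
        z = l - 2 * m                      # honest slots minus adversarial slots
        catch_up = 1.0 if z <= 0 else (q / p) ** z
        total += comb(l, m) * q ** m * p ** (l - m) * catch_up
    return total


def min_slots_general(q, alpha=ALPHA, limit=400):
    """First slot count whose forkable probability drops below alpha."""
    dist = {(0, 0): 1.0}
    for n in range(1, limit + 1):
        dist = advance(dist, q)
        if forkable_mass(dist) < alpha:
            return n
    raise ValueError("threshold not reached within limit")


def min_slots_covert(q, alpha=ALPHA, limit=1000):
    """First slot count whose covert-fork probability drops below alpha."""
    for l in range(1, limit + 1):
        if covert_fork_probability(q, l) < alpha:
            return l
    raise ValueError("threshold not reached within limit")


if __name__ == "__main__":
    # Constructed sample of adversarial stake fractions.
    for q in (0.10, 0.20, 0.30):
        g, c = min_slots_general(q), min_slots_covert(q)
        print(f"q={q:.2f} general: {g} slots ({g * SLOT_SECONDS / 60:.1f} min), "
              f"covert: {c} slots ({c * SLOT_SECONDS / 60:.1f} min)")
```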
Because synchrony between time slots is assumed in the Ouroboros protocol, it does not make sense to consider the parameter k (time between blocks) as we did for other consensus protocols.

EXPERIMENTS
Firstly, in our experiments, we took two most widespread protocols: Bitcoin and GHOST and obtained experimental results during the computational modeling for both protocols.
As it is known, the average block generation time in Bitcoin is equal to 10 minutes [2]. Given that the average block propagation time is 12 made in Bitcoin, and see how security degrades in the case when k decreases. To accomplish this, we perform an experimental analysis of the described attack.
The next experiments included comparison among different consensus protocols and adversarial models described in the previous sections. As a unified measure, we took the number of block confirmations (or time slots in the case of Ouroboros) needed to be sure that a given block cannot be removed from the blockchain with the probability of at least 99.9% (in other words, the longest fork that an adversary with a certain hashing power/stake can create with the probability of at least 0.1%).
The chosen measure appears to be relevant for a realworld application because it shows how long a user should wait before accepting a payment transaction, thus decreasing the possibility of the considered attacks to a sufficient level.
To get further insights on the usability of the considered protocols, it is helpful to compare them by the average confirmation time. As long as different protocols have different time between blocks, this would give us more accurate picture of the security guarantees provided by protocols against different types of attacks.
The time between two consecutive slots in the Ouroboros system is expected to be 20 seconds. The average time to mine a Bitcoin block is 10 minutes [2]. During the analysis of the splitting attack, we also estimated the security bounds for Bitcoin with a reduced block generation time (12.6 seconds per block). The GHOST values of block generation time are the same as for Bitcoin.

RESULTS
Let's consider experimental results during the computational modeling for Bitcoin and GHOST protocols.
The results of the simulations for Bitcoin are summarized in Fig. 11. It is shown what fork length an adversary can maintain with the probability of success of at least 0.1%. It is easy to see that when the time between blocks decreases, an adversary gets a chance to create a longer fork.
Our simulation shows that for the choice of k = 47.6 (like in Bitcoin) 6 confirmations are needed to be sure that the probability of a splitting attack is less than 0.1% (considering an adversary that possesses 35% of the hashing power). If we assume that the average block generation time is equal to the block propagation time (so that k = 1), then 9 confirmations are needed for the same level of security. The results of the simulation (Fig. 12) for GHOST show that the attack is extremely effective when the parameter k is near 1.
The summarized results of protocols' comparison are presented in Table 3. It includes two models for Ouroboros (with general and covert adversaries), classic Bitcoin double-spend attack, Bitcoin splitting attack (including hypothetical Fast Bitcoin with reduced block generation time to one per communication round, e.g. 12.6 sec) and GHOST splitting attack (both with 10 min and 12.6 sec blocks).
The Table 4 and Figure 13 show how long (in minutes) a confirmation period should be to reduce the probability of an attack to less than 0.1%.   Figure 13 -Comparison of the expected confirmation periods (in minutes) for different protocols and adversarial models 6 DISCISSION From the Table 4 and Figure 13 we can note that the Ouroboros protocol allows to confirm the block in 5 minutes in the worst case (considering an adversary with 10% of the total resources) while Bitcoin needs almost 60 minutes to provide the same level of security.
The splitting attack is more effective for systems with a short block generation time, but in the general case it is not better than the classical double-spend attack. Our simulations showed that the attack is possible for the Bitcoin and GHOST protocols with 10 min and 12.6 sec blocks. Not surprisingly, shorter blocks increase the number of blocks required to confirm a transaction; despite this, the overall confirmation time is significantly reduced due to the fast blocks.

CONCLUSIONS
In this paper we presented an analysis of different consensus protocols and adversarial models. The main goal was to compare the well-known proof-of-work protocol that underlies Bitcoin with the new proof-of-stake algorithm that was introduced in Ouroboros. We also looked at the GHOST algorithm, which was initially intended to improve Bitcoin consensus. As a measure of comparison, we considered the transaction confirmation time that ensures that the probability of a double-spend attack is less than 0.1%.
The scientific novelty of the obtained results: we presented two models for two types of attacks on the Ouroboros protocol (for the general and covert adversaries). The models allow calculation of the exact number of slots needed to achieve the required level of security. It was shown that the Ouroboros protocol achieves the required security level with a significantly shorter confirmation period compared to Bitcoin.
The practical significance consists in the fact that the obtained results allow determination of the security bounds for the Ouroboros system. This becomes extremely important for real-world applications because it will help users to figure out how long they should wait before accepting a transaction.

APPENDIX A. THE GENERALIZED MODEL OF C. PINZON ET AL.
The model proposed by C. Pinzon et al. [4] generalizes the model of M. Rosenfeld by adding an extra parameter that represents the time advantage of an adversary.
As in the previous models, a successful double-spend attack consists of two constituents: the progress of an adversary during the confirmation period of $m$ blocks and his ability to catch up with the deficit $z = m - n$. The catch-up function is the same as originally used by S. Nakamoto (which occurs in Gambler's Ruin Problem).
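The two constituents above can be evaluated directly for the special case with no time advantage, i.e. the Rosenfeld model that this appendix generalizes. The following is an added example, not code from the paper: the negative-binomial progress function is the one from Rosenfeld's model, the function names and the 10-minute block time default are assumptions of this sketch, and the generalized $P(q, m, n, t)$ of [4] is not reproduced.

```python
from math import comb

def catch_up(q: float, z: int) -> float:
    """Nakamoto's gambler's-ruin probability of erasing a deficit of z blocks."""
    p = 1.0 - q
    if z <= 0 or q >= p:
        return 1.0
    return (q / p) ** z

def progress(q: float, m: int, n: int) -> float:
    """Probability that the adversary holds exactly n blocks when the honest
    network finds its m-th block (negative binomial, time advantage t = 0)."""
    return comb(m + n - 1, n) * (1.0 - q) ** m * q ** n

def attack_probability(q: float, m: int) -> float:
    """Sum over n of progress(q, m, n) * catch_up(q, m - n).
    For n >= m the catch-up factor is 1, so only n < m is summed explicitly."""
    if m == 0:
        return 1.0  # zero confirmations: nothing for the adversary to overtake
    miss = sum(progress(q, m, n) * (1.0 - catch_up(q, m - n)) for n in range(m))
    return 1.0 - miss

def min_confirmations(q: float, threshold: float = 0.001, limit: int = 500) -> int:
    """Smallest m whose attack probability is below the threshold (0.1% by default)."""
    if not 0.0 <= q < 0.5:
        raise ValueError("no finite confirmation depth exists for q >= 0.5")
    for m in range(limit + 1):
        if attack_probability(q, m) < threshold:
            return m
    raise ValueError("threshold not reached within the search limit")

def confirmation_minutes(q: float, block_minutes: float = 10.0,
                         threshold: float = 0.001) -> float:
    """Expected waiting time: required confirmations times average block time."""
    return min_confirmations(q, threshold) * block_minutes

if __name__ == "__main__":
    for q in (0.10, 0.20, 0.30):
        m = min_confirmations(q)
        print(f"q={q:.2f}: {m} confirmations, {m * 10.0:.0f} min, "
              f"P(attack)={attack_probability(q, m):.6f}")
```

For an adversary share of 10% this model gives 6 confirmations, i.e. 60 minutes at 10 minutes per block.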
The improvement of this model lies in the modified progress function. It is represented as follows: $P(q, m, n, t)$. Basically, the function $P$ represents the probability of an adversary mining exactly $n$ blocks once the honest network mines $m$ blocks, assuming that an adversary has been additionally mining secretly for $t$ time units. While the first three parameters $(q, m, n)$ are well-known from the previous models, the time-advantage $t$ is the new one. It represents the amount of time from when the $n$-th block is found by an adversary until the $m$-th block is found by the honest network. This time period $t$ potentially increases the probability that an adversary finds the next block faster than the honest network, thus giving him an advantage.
In order to define the function $P$, it is necessary to define the function $a(q, t, k)$ that represents the probability to mine exactly $k$ blocks during the time period $t$ with a fraction $q$ of hashing power (the proof could be found in the original paper [4]): authors are focused on the time parameter $t$ that represents time difference between the $n$-th block in adversarial and honest chains.
We will not go deep into the details of this model; instead, we will only present the final equation for calculating the probability of a double-spend attack. We refer the interested reader to the original paper [4] for more details about this model.
Let $P$ be the progress function from the generalized model (eq. (9)) and let $C_T$ be the catch-up function for the time-based model that is defined as follows: The parameters in (11) are the same as in (10).