« Si personne ne sait qui prend les décisions le jour J, vous perdez du temps. Et dans une usine à l’arrêt, le temps c’est de l’argent »

Une cyberattaque, ce n’est pas qu’un problème informatique. C’est une crise d’entreprise, avec tout ce que cela implique de décisions à prendre vite, sous pression, dans un contexte dégradé. Et comme toute crise, elle révèle les failles organisationnelles autant que les failles techniques.

Ce que l’on observe systématiquement sur le terrain, c’est que ce qui aggrave la situation n’est pas tant la sophistication de l’attaque que l’absence de préparation de ceux qui doivent y répondre. Les chiffres sont sans appel : 58 % des entreprises admettent ne pas savoir comment réagir face à une cyberattaque et seulement 2 à 4 % se déclarent vraiment prêtes. Quant aux plans de réponse à incident, 45 % des organisations n’en disposent pas, et parmi celles qui en ont un, 42 % ne le mettent jamais à jour. Autrement dit, la majorité des entreprises industrielles entreraient en crise sans feuille de route. DG, DAF, DSI, Directeur de production : chacun a un rôle précis à jouer. Encore faut-il l’avoir défini avant que la crise éclate.

Ce qui se passe vraiment dans les premières heures

Avant même de parler de réponse à la crise, il y a un sujet que l’on sous-estime : la détection. Les attaquants ne se signalent pas. Leur objectif est de rester le plus longtemps possible invisibles dans le système (en moyenne 2 à 3 semaines), le temps de se déplacer, de gagner des droits, d’identifier les actifs les plus précieux et de mettre en place leurs canaux d’exfiltration. Ce n’est qu’une fois ce travail accompli qu’ils déclenchent l’attaque visible : le ransomware, le chiffrement, le blocage.

Résultat : quand l’entreprise réalise qu’elle est compromise, il est souvent déjà trop tard pour limiter l’étendue de la compromission. D’où l’importance cruciale de se doter des bons outils de détection, ceux qui permettent d’identifier une situation anormale avant qu’elle ne devienne incontrôlable.

Vient ensuite le premier réflexe, souvent mauvais : tout éteindre. L’intention est compréhensible, stopper la propagation, mais la conséquence est contre-productive. En éteignant les machines, on efface les mémoires temporaires, et avec elles toutes les traces qui permettront d’analyser l’attaque et d’identifier les vecteurs d’entrée. La bonne pratique, c’est de déconnecter du réseau pour stopper la propagation, sans pour autant couper l’alimentation des systèmes compromis. Une nuance technique, mais qui change tout pour la suite des investigations.

Le temps : la variable que tout le monde sous-estime

Dans une situation de crise, le temps est l’ennemi numéro un. Chaque heure perdue à chercher qui décide, qui appelle qui, comment on communique, c’est de l’argent qui part et de la crédibilité qui s’érode.

Une usine à l’arrêt ne produit pas. Ne livre pas. Ne facture pas. Les pénalités de retard s’accumulent, les clients s’impatientent, les partenaires s’inquiètent. Et si c’est l’ERP qui est touché, ce système central qui orchestre commandes, production, expéditions et facturation, c’est toute la chaîne opérationnelle qui se bloque simultanément. Dans l’industrie manufacturière, la paralysie dure en moyenne 12 jours. Douze jours sans produire, sans livrer, sans facturer.

C’est précisément là que la préparation fait la différence. Une organisation qui a anticipé, documenté ses processus de crise et formé ses équipes va prendre ses décisions en minutes là où une autre mettra des heures. Et dans ce contexte, quelques heures gagnées peuvent représenter des centaines de milliers d’euros préservés.

Qui fait quoi : le rôle de chaque décideur

Une crise cyber n’est pas l’affaire du seul service informatique. C’est une mobilisation collective, où chaque décideur a un périmètre d’action précis. Le problème, c’est que ces rôles sont rarement définis avant la crise. On se retrouve alors à se marcher dessus, à perdre un temps précieux en arbitrages improvisés, au moment où tout le monde devrait être concentré sur l’essentiel.

• Le DSI / RSSI pilote la réponse technique : identifier l’étendue de la compromission, activer les procédures de confinement, coordonner les équipes IT et les prestataires externes. C’est lui qui tient le fil opérationnel de la crise.
• Le Directeur de production décide de ce qui continue et de ce qui s’arrête. Quelles lignes peut-on maintenir en mode dégradé ? Quels processus sont absolument critiques ? Il doit avoir réfléchi à ces questions avant le jour J, pas en pleine crise.
• Le DAF active les assurances cyber, évalue les pertes financières en temps réel, arbitre les dépenses d’urgence. Il est aussi celui qui pose la question que personne ne veut entendre : combien ça nous coûte si on paie, combien ça nous coûte si on ne paie pas ?
• Le DG est le directeur de crise. Il tranche, il arbitre, il communique vers l’extérieur ; clients, partenaires, actionnaires, régulateurs. Son rôle n’est pas technique. Il est décisionnel et représentatif. Et pour le tenir correctement, il doit avoir été impliqué dans la préparation bien en amont.
• Les équipes communication et RH ont également leur partition à jouer : préparer les messages adaptés à chaque audience (collaborateurs, clients, presse), gérer les aspects RH liés à la mobilisation des équipes en situation de crise. Si les trames de communication ne sont pas prêtes, on perd une demi-heure à rédiger sous stress ce qui aurait pu être préparé en trente minutes de calme.

Ce qui se joue avant la crise

La vraie question n’est pas « sera-t-on attaqués ? » mais « quand ? ». Les groupes cybercriminels sont aujourd’hui structurés comme de véritables entreprises, avec des outils, des process, des spécialisations. Les incidents se comptent en dizaines par jour. Pour un industriel, la probabilité d’être ciblé un jour n’est pas une hypothèse d’école.

Ce qui distingue les organisations qui s’en sortent bien de celles qui subissent des semaines d’arrêt, c’est une seule chose : la préparation.

Concrètement, cela signifie trois choses.

• Documenter. Identifier en amont quels sont les systèmes prioritaires à remettre en ligne en premier, puis comment redémarrer l’ERP, qui appelle quel prestataire, quel est le numéro d’urgence du bon interlocuteur. Ces informations semblent évidentes en temps normal. Sous stress, elles disparaissent.
• Définir les rôles. Qui prend les décisions dans la cellule de crise ? Qui tient la main courante ? Qui gère la logistique ? Tant que ces rôles ne sont pas écrits et connus de tous, la crise sera gérée dans la confusion.
• Tester. Un plan de crise sur le papier est toujours parfait. Dans la réalité, il dévie. Les exercices permettent de vérifier que les numéros sont les bons, que les contrats prestataires couvrent bien les bons scénarios, que les équipes réagissent bien sous pression. Un dispositif non testé est un dispositif non fiable. Pourtant, seulement 30 % des organisations effectuent des tests et entraînements réguliers, ce qui signifie que 7 entreprises sur 10 découvriront les failles de leur plan le jour où elles n’ont plus le droit à l’erreur.

NIS2 et ISO 27001 : des cadres pour structurer la préparation

La réglementation pousse de plus en plus les industriels dans cette direction. NIS2, dont les exigences sont contraignantes pour les entreprises qui y sont soumises, impose explicitement de définir des processus de gestion des incidents, de continuité d’activité et de reprise et d’en tester régulièrement l’efficacité. Ce n’est pas une option, c’est une obligation.

L’ISO 27001, norme volontaire, offre quant à elle un cadre structurant pour construire cette maturité dans la durée : identifier ce qui est critique, mettre en place les mesures adaptées, les maintenir et les améliorer en continu.

Dans les deux cas, le message est le même : la préparation à la crise ne s’improvise pas. Elle se construit, se documente, se teste et elle implique la direction, pas seulement les équipes IT.

La cyber, un enjeu de direction — pas un sujet informatique

C’est peut-être le message le plus important à retenir. La cybersécurité reste trop souvent cantonnée à la salle serveurs. Or une cyberattaque qui paralyse l’ERP, c’est une crise qui touche la production, les finances, la relation client, la réputation. C’est un sujet business, qui doit être porté au niveau du CODIR.

Si la direction ne s’empare pas du sujet, il restera en coin de table, sous-financé, sous-préparé. Et le jour où la crise arrive, parce qu’elle arrivera, personne ne sera vraiment prêt.

Se faire accompagner sur ces sujets suppose de travailler avec des interlocuteurs qui parlent les deux langues : celle de la cybersécurité et celle de l’ERP. Là où un expert cyber externe doit d’abord comprendre votre environnement ERP avant de l’auditer, TVH Consulting et sa filiale Fidens partent déjà de l’intérieur. Une longueur d’avance qui, le jour J, peut faire toute la différence.

Advanced Custom Fields is a WordPress plugin which allows you to add extra content fields to your WordPress edit screens. These extra content fields are more commonly referred to as Custom Fields and can allow you to build websites faster and educate your clients quicker. In this guide, you’ll learn how to:

• Install the ACF plugin
• Create new fields
• Create field content
• Display fields in your theme
• Register custom post types and taxonomies

The Basics

Custom fields are a native part of WordPress and appear on pages, posts and custom post types, however, the native custom field interface is not very user friendly. With ACF installed, you can tailor what fields to show and what they look like. For instance, you may require a ‘Hero Image’ to be selected for your home page. You can use ACF to easily create this Image field and show it when editing the home page! Here is the difference between native custom fields and Advanced Custom Fields.

With your fields created, it’s time to start editing your content! All our fields are very intuitive to use and display seamlessly with the WordPress admin style. You don’t need to trigger any event to show or edit custom fields, they will appear and function just like the WP post_title and post_content fields! Simply enter your content and update the post!

Displaying field values is ACF’s party piece! Any field value can be returned as a PHP variable or output as HTML via the magical functions get_field() and the_field(). These functions (alongside many others) provide a developer friendly way to customize your WordPress theme without spending hours reading our docs! Here is some example code to see how our intuitive API works!

This is an excellent post in english. Never have I seen such a great post in my life.

MultilingualPress AutoTranslate streamlines the translation process for multilingual WordPress sites by automating the translation of core WordPress blocks, taxonomies, and comments.

This feature supports seamless content translation across various elements of a WordPress site, ensuring that posts, pages, custom post types, categories, tags, and even comments are automatically translated.

Integration with top providers like DeepL, OpenAI, and Amazon Translate ensures the translations are high-quality and context-aware.

Hello Folks,

It’s been quite some time (almost 3 months) since my last blog post. But finally, I’m back, and let’s get started! Moving forward, my blogs will primarily focus on interesting research papers in the LLM and GenAI space. I’ll be discussing problem statements that I encounter in my day-to-day life, in what we like to call “story time,” as many of you might remember from my past blogs. This will be followed by a deep dive into the technical aspects of those problem statements. In addition to explaining the research papers, I’ll share experiences and practical examples, and I’ll also elaborate on technical details that the papers might skip, assuming the reader already knows them. So, let’s dive in!

Just a few days ago, one of my family friends visited our place. They have a lovely 8-year-old daughter. It was August 15th, India’s Independence Day, and her school had given her an assignment to write an essay on Independence Day with a strict requirement of “at least 10000 words”. Now that’s really a lot! I really don’t know if I should call this an essay or a mini-book for an 8-year-old child! As usual, the parents started drafting it on behalf of their child. The first thing that comes to everyone’s mind is ChatGPT or something similar. At first, the parents were very relaxed and thought, “Let’s start drafting this on August 14th, just a day before, since it’s just a matter of ‘prompting the LLM model’ and getting the output.” On the night of August 14th, they did just that, but any guesses what happened? The model, though it gave a good output, struggled to maintain the following: Relevance, Accuracy, Coherence, Clarity, Breadth and Depth, and Reading Experience. Additionally, when the model is asked to output strictly 10k words, it repeats the context and significantly goes out of context.

Now, you all might be wondering, what are these six dimensions? For that, let’s continue with the further reading and dive into the problem statement of “limitations of current long-context large language models (LLMs) in generating ultra-long outputs.” In this blog, we’ll explore an interesting research paper titled “LONGWRITER: UNLEASHING 10,000+ WORD GENERATION FROM LONG CONTEXT LLMS.” Even though these models can process inputs up to 100,000 tokens, they typically struggle to produce outputs longer than 2,000 words. The primary reason for this limitation is attributed to the supervised fine-tuning (SFT) datasets, which lack examples of long outputs, capping the models’ ability to generate extended text. So in this blog, let’s understand the intriguing technique the authors have used to improve long output responses and make sure parents’ lives become easier in the future! And what about the kids? These days, I leave that up to their destiny with the advancements in AI and the way life has become easier for them with limited use of their mental capabilities! Anyway, let’s get started.

Introduction

Now, let’s get into the borderline understanding of the paper. It kicks off by highlighting an interesting challenge with long context LLMs. These models, which can process over 100,000 tokens of input, still struggle to generate outputs longer than 2,000 words. This is a significant issue because, in some cases, more than 1% of user requests actually need longer responses.

The core problem? The supervised fine-tuning (SFT) datasets that train these models just don’t include enough examples of long outputs. So, even though the models are capable of handling long inputs, they haven’t been trained to produce long outputs effectively. This limitation has stuck around because many LLMs rely on these same datasets.

To tackle this, the authors introduce AgentWrite — a new approach that helps these models generate longer texts by breaking down the task into smaller parts. This method can push output lengths up to 20,000 words, far beyond what’s usually possible.

The paper also brings in LongWriter-6k and LongBench-Write, a dataset and benchmark created to train and test models on their ability to generate these ultra-long texts. The idea is to push the boundaries of what LLMs can do, making them more capable of handling tasks that require extended output.

Now let’s understand what is Agentwrite and how it works:

Step I: Plan
First things first, AgentWrite starts with a plan — just like how you’d outline an article before diving into writing. The model creates a detailed outline based on the given instructions, laying out the main content and specifying word counts for each section. Think of it as the model’s roadmap. For instance, if tasked with writing a 30,000-word piece on the Roman Empire, the plan might look something like this:

Paragraph 1: Introduction to the origins of the Roman Empire (700 words)

Paragraph 2: Founding of the Roman Empire (800 words)

…

Paragraph 15: Summary of the Roman Empire’s history (500 words)

This structured approach ensures the model knows exactly where it’s headed, making it easier to manage the task of generating lengthy outputs. Here you can look below how the author’s structure the input:

author

: Satoshi Nakamoto

email

: satoshin@gmx.com

site

: http://www.bitcoin.org/

Abstract. A purely peer-to-peer version of electronic cash would
allow online payments to be sent directly from one party to another
without going through a financial institution. Digital signatures
provide part of the solution, but the main benefits are lost if a
trusted third party is still required to prevent double-spending. We
propose a solution to the double-spending problem using a peer-to-peer
network. The network timestamps transactions by hashing them into an
ongoing chain of hash-based proof-of-work, forming a record that cannot
be changed without redoing the proof-of-work. The longest chain not only
serves as proof of the sequence of events witnessed, but proof that it
came from the largest pool of CPU power. As long as a majority of CPU
power is controlled by nodes that are not cooperating to attack the
network, they\’ll generate the longest chain and outpace attackers. The
network itself requires minimal structure. Messages are broadcast on a
best effort basis, and nodes can leave and rejoin the network at will,
accepting the longest proof-of-work chain as proof of what happened
while they were gone.

Introduction

Commerce on the Internet has come to rely almost exclusively on
financial institutions serving as trusted third parties to process
electronic payments. While the system works well enough for most
transactions, it still suffers from the inherent weaknesses of the trust
based model. Completely non-reversible transactions are not really
possible, since financial institutions cannot avoid mediating disputes.
The cost of mediation increases transaction costs, limiting the minimum
practical transaction size and cutting off the possibility for small
casual transactions, and there is a broader cost in the loss of ability
to make non-reversible payments for nonreversible services. With the
possibility of reversal, the need for trust spreads. Merchants must be
wary of their customers, hassling them for more information than they
would otherwise need. A certain percentage of fraud is accepted as
unavoidable. These costs and payment uncertainties can be avoided in
person by using physical currency, but no mechanism exists to make
payments over a communications channel without a trusted party

What is needed is an electronic payment system based on cryptographic
proof instead of trust, allowing any two willing parties to transact
directly with each other without the need for a trusted third party.
Transactions that are computationally impractical to reverse would
protect sellers from fraud, and routine escrow mechanisms could easily
be implemented to protect buyers. In this paper, we propose a solution
to the double-spending problem using a peer-to-peer distributed
timestamp server to generate computational proof of the chronological
order of transactions. The system is secure as long as honest nodes
collectively control more CPU power than any cooperating group of
attacker nodes.

Transactions

We define an electronic coin as a chain of digital signatures. Each
owner transfers the coin to the next by digitally signing a hash of the
previous transaction and the public key of the next owner and adding
these to the end of the coin. A payee can verify the signatures to
verify the chain of ownership.

The problem of course is the payee can\’t verify that one of the owners
did not double-spend the coin. A common solution is to introduce a
trusted central authority, or mint, that checks every transaction for
double spending. After each transaction, the coin must be returned to
the mint to issue a new coin, and only coins issued directly from the
mint are trusted not to be double-spent. The problem with this solution
is that the fate of the entire money system depends on the company
running the mint, with every transaction having to go through them, just
like a bank.

We need a way for the payee to know that the previous owners did not
sign any earlier transactions. For our purposes, the earliest
transaction is the one that counts, so we don\’t care about later
attempts to double-spend. The only way to confirm the absence of a
transaction is to be aware of all transactions. In the mint based model,
the mint was aware of all transactions and decided which arrived first.
To accomplish this without a trusted party, transactions must be
publicly announced[^1], and we need a system for participants to agree
on a single history of the order in which they were received. The payee
needs proof that at the time of each transaction, the majority of nodes
agreed it was the first received.

Timestamp Server

The solution we propose begins with a timestamp server. A timestamp
server works by taking a hash of a block of items to be timestamped and
widely publishing the hash, such as in a newspaper or Usenet
post[^2][^3][^4][^5]. The timestamp proves that the data must have
existed at the time, obviously, in order to get into the hash. Each
timestamp includes the previous timestamp in its hash, forming a chain,
with each additional timestamp reinforcing the ones before it.

Proof-of-Work

To implement a distributed timestamp server on a peer-to-peer basis, we
will need to use a proof-of-work system similar to Adam Back\’s Hashcash
[^6], rather than newspaper or Usenet posts. The proof-of-work involves
scanning for a value that when hashed, such as with SHA-256, the hash
begins with a number of zero bits. The average work required is
exponential in the number of zero bits required and can be verified by
executing a single hash.

For our timestamp network, we implement the proof-of-work by
incrementing a nonce in the block until a value is found that gives the
block\’s hash the required zero bits. Once the CPU effort has been
expended to make it satisfy the proof-of-work, the block cannot be
changed without redoing the work. As later blocks are chained after it,
the work to change the block would include redoing all the blocks after
it

The proof-of-work also solves the problem of determining representation
in majority decision making. If the majority were based on
one-IP-address-one-vote, it could be subverted by anyone able to
allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The
majority decision is represented by the longest chain, which has the
greatest proof-of-work effort invested in it. If a majority of CPU power
is controlled by honest nodes, the honest chain will grow the fastest
and outpace any competing chains. To modify a past block, an attacker
would have to redo the proof-of-work of the block and all blocks after
it and then catch up with and surpass the work of the honest nodes. We
will show later that the probability of a slower attacker catching up
diminishes exponentially as subsequent blocks are added.

To compensate for increasing hardware speed and varying interest in
running nodes over time, the proof-of-work difficulty is determined by a
moving average targeting an average number of blocks per hour. If
they\’re generated too fast, the difficulty increases.

Network

The steps to run the network are as follows:

1. New transactions are broadcast to all nodes.
2. Each node collects new transactions into a block.
3. Each node works on finding a difficult proof-of-work for its block.
4. When a node finds a proof-of-work, it broadcasts the block to all
   nodes.
5. Nodes accept the block only if all transactions in it are valid and
   not already spent.
6. Nodes express their acceptance of the block by working on creating
   the next block in the chain, using the hash of the accepted block as
   the previous hash.

Nodes always consider the longest chain to be the correct one and will
keep working on extending it. If two nodes broadcast different versions
of the next block simultaneously, some nodes may receive one or the
other first. In that case, they work on the first one they received, but
save the other branch in case it becomes longer. The tie will be broken
when the next proof-of-work is found and one branch becomes longer; the
nodes that were working on the other branch will then switch to the
longer one.

New transaction broadcasts do not necessarily need to reach all nodes.
As long as they reach many nodes, they will get into a block before
long. Block broadcasts are also tolerant of dropped messages. If a node
does not receive a block, it will request it when it receives the next
block and realizes it missed one.

Incentive

By convention, the first transaction in a block is a special transaction
that starts a new coin owned by the creator of the block. This adds an
incentive for nodes to support the network, and provides a way to
initially distribute coins into circulation, since there is no central
authority to issue them. The steady addition of a constant of amount of
new coins is analogous to gold miners expending resources to add gold to
circulation. In our case, it is CPU time and electricity that is
expended.

The incentive can also be funded with transaction fees. If the output
value of a transaction is less than its input value, the difference is a
transaction fee that is added to the incentive value of the block
containing the transaction. Once a predetermined number of coins have
entered circulation, the incentive can transition entirely to
transaction fees and be completely inflation free.

The incentive may help encourage nodes to stay honest. If a greedy
attacker is able to assemble more CPU power than all the honest nodes,
he would have to choose between using it to defraud people by stealing
back his payments, or using it to generate new coins. He ought to find
it more profitable to play by the rules, such rules that favour him with
more new coins than everyone else combined, than to undermine the system
and the validity of his own wealth.

Reclaiming Disk Space

Once the latest transaction in a coin is buried under enough blocks, the
spent transactions before it can be discarded to save disk space. To
facilitate this without breaking the block\’s hash, transactions are
hashed in a Merkle Tree[^7][^8][^9], with only the root included in the
block\’s hash. Old blocks can then be compacted by stubbing off branches
of the tree. The interior hashes do not need to be stored.

A block header with no transactions would be about 80 bytes. If we
suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 *
365 = 4.2MB per year. With computer systems typically selling with 2GB
of RAM as of 2008, and Moore\’s Law predicting current growth of 1.2GB
per year, storage should not be a problem even if the block headers must
be kept in memory.

Simplified Payment Verification

It is possible to verify payments without running a full network node. A
user only needs to keep a copy of the block headers of the longest
proof-of-work chain, which he can get by querying network nodes until
he\’s convinced he has the longest chain, and obtain the Merkle branch
linking the transaction to the block it\’s timestamped in. He can\’t
check the transaction for himself, but by linking it to a place in the
chain, he can see that a network node has accepted it, and blocks added
after it further confirm the network has accepted it.

As such, the verification is reliable as long as honest nodes control
the network, but is more vulnerable if the network is overpowered by an
attacker. While network nodes can verify transactions for themselves,
the simplified method can be fooled by an attacker\’s fabricated
transactions for as long as the attacker can continue to overpower the
network. One strategy to protect against this would be to accept alerts
from network nodes when they detect an invalid block, prompting the
user\’s software to download the full block and alerted transactions to
confirm the inconsistency. Businesses that receive frequent payments
will probably still want to run their own nodes for more independent
security and quicker verification.

Combining and Splitting Value

Although it would be possible to handle coins individually, it would be
unwieldy to make a separate transaction for every cent in a transfer. To
allow value to be split and combined, transactions contain multiple
inputs and outputs. Normally there will be either a single input from a
larger previous transaction or multiple inputs combining smaller
amounts, and at most two outputs: one for the payment, and one returning
the change, if any, back to the sender.

It should be noted that fan-out, where a transaction depends on several
transactions, and those transactions depend on many more, is not a
problem here. There is never the need to extract a complete standalone
copy of a transaction\’s history.

Privacy

The traditional banking model achieves a level of privacy by limiting
access to information to the parties involved and the trusted third
party. The necessity to announce all transactions publicly precludes
this method, but privacy can still be maintained by breaking the flow of
information in another place: by keeping public keys anonymous. The
public can see that someone is sending an amount to someone else, but
without information linking the transaction to anyone. This is similar
to the level of information released by stock exchanges, where the time
and size of individual trades, the \”tape\”, is made public, but without
telling who the parties were.

As an additional firewall, a new key pair should be used for each
transaction to keep them from being linked to a common owner. Some
linking is still unavoidable with multi-input transactions, which
necessarily reveal that their inputs were owned by the same owner. The
risk is that if the owner of a key is revealed, linking could reveal
other transactions that belonged to the same owner.

Calculations

We consider the scenario of an attacker trying to generate an alternate
chain faster than the honest chain. Even if this is accomplished, it
does not throw the system open to arbitrary changes, such as creating
value out of thin air or taking money that never belonged to the
attacker. Nodes are not going to accept an invalid transaction as
payment, and honest nodes will never accept a block containing them. An
attacker can only try to change one of his own transactions to take back
money he recently spent.

The race between the honest chain and an attacker chain can be
characterized as a Binomial Random Walk. The success event is the honest
chain being extended by one block, increasing its lead by +1, and the
failure event is the attacker\’s chain being extended by one block,
reducing the gap by -1.

The probability of an attacker catching up from a given deficit is
analogous to a Gambler\’s Ruin problem. Suppose a gambler with unlimited
credit starts at a deficit and plays potentially an infinite number of
trials to try to reach breakeven. We can calculate the probability he
ever reaches breakeven, or that an attacker ever catches up with the
honest chain, as follows[^10]:

| p = probability an honest node finds the next block
| q = probability the attacker finds the next block
| qz = probability the attacker will ever catch up from z blocks behind

$$\begin{aligned}
q_z =
\begin{cases}
1 & \text{if } p \leqslant q\
\left(q/p\right)^z & \text{if } p > q
\end{cases}
\end{aligned}$$

Given our assumption that p > q, the probability drops exponentially as
the number of blocks the attacker has to catch up with increases. With
the odds against him, if he doesn\’t make a lucky lunge forward early
on, his chances become vanishingly small as he falls further behind.

We now consider how long the recipient of a new transaction needs to
wait before being sufficiently certain the sender can\’t change the
transaction. We assume the sender is an attacker who wants to make the
recipient believe he paid him for a while, then switch it to pay back to
himself after some time has passed. The receiver will be alerted when
that happens, but the sender hopes it will be too late

The receiver generates a new key pair and gives the public key to the
sender shortly before signing. This prevents the sender from preparing a
chain of blocks ahead of time by working on it continuously until he is
lucky enough to get far enough ahead, then executing the transaction at
that moment. Once the transaction is sent, the dishonest sender starts
working in secret on a parallel chain containing an alternate version of
his transaction.

The recipient waits until the transaction has been added to a block and
z blocks have been linked after it. He doesn\’t know the exact amount of
progress the attacker has made, but assuming the honest blocks took the
average expected time per block, the attacker\’s potential progress will
be a Poisson distribution with expected value:

$$\lambda = z \frac{q}{p}$$

To get the probability the attacker could still catch up now, we
multiply the Poisson density for each amount of progress he could have
made by the probability he could catch up from that point:

$$\begin{aligned}
\sum _{k=0}^\infty \frac{\lambda ^k e^{-\lambda}}{k!} \cdot
\begin{cases}
\left(q/p\right)^{(z-p)} & \text{if } k \leqslant z \
1 & \text{if } k > z
\end{cases}
\end{aligned}$$

Rearranging to avoid summing the infinite tail of the distribution…

$$1 – \sum _{k=0}^z \frac{\lambda ^k e^{-\lambda}}{k!} \left(1 – \left(q/p\right)^{(z-k)}\right)$$

Converting to C code…

#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
    double p = 1.0 - q;
    double lambda = z * (q / p);
    double sum = 1.0;
    int i, k;
    for (k = 0; k <= z; k++)
    {
        double poisson = exp(-lambda);
        for (i = 1; i <= k; i++)
            poisson *= lambda / i;
        sum -= poisson * (1 - pow(q / p, z - k));
    }
    return sum;
}

Running some results, we can see the probability drop off exponentially
with z.

q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012

q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006

Solving for P less than 0.1%…

P \< 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340

Conclusion

We have proposed a system for electronic transactions without relying on
trust. We started with the usual framework of coins made from digital
signatures, which provides strong control of ownership, but is
incomplete without a way to prevent double-spending. To solve this, we
proposed a peer-to-peer network using proof-of-work to record a public
history of transactions that quickly becomes computationally impractical
for an attacker to change if honest nodes control a majority of CPU
power. The network is robust in its unstructured simplicity. Nodes work
all at once with little coordination. They do not need to be identified,
since messages are not routed to any particular place and only need to
be delivered on a best effort basis. Nodes can leave and rejoin the
network at will, accepting the proof-of-work chain as proof of what
happened while they were gone. They vote with their CPU power,
expressing their acceptance of valid blocks by working on extending them
and rejecting invalid blocks by refusing to work on them. Any needed
rules and incentives can be enforced with this consensus mechanism.

References

[^1]: W. Dai, \”b-money,\” http://www.weidai.com/bmoney.txt, 1998.

[^2]: H. Massias, X.S. Avila, and J.-J. Quisquater, \”Design of a
secure timestamping service with minimal trust requirements,\”
In 20th Symposium on Information Theory in the Benelux,
May 1999.

[^3]: S. Haber, W.S. Stornetta, \”How to time-stamp a digital
document,\” In Journal of Cryptology, vol 3, no 2, pages
99-111, 1991.

[^4]: D. Bayer, S. Haber, W.S. Stornetta, \”Improving the efficiency
and reliability of digital time-stamping,\” In Sequences II:
Methods in Communication, Security and Computer Science, pages
329-334, 1993.

[^5]: S. Haber, W.S. Stornetta, \”Secure names for bit-strings,\” In
Proceedings of the 4th ACM Conference on Computer and
Communications Security, pages 28-35, April 1997.

[^6]: A. Back, \”Hashcash – a denial of service counter-measure,\”
http://www.hashcash.org/papers/hashcash.pdf, 2002.

[^7]: R.C. Merkle, \”Protocols for public key cryptosystems,\” In Proc.
1980 Symposium on Security and Privacy, IEEE Computer Society, pages
122-133, April 1980.

[^8]: H. Massias, X.S. Avila, and J.-J. Quisquater, \”Design of a
secure timestamping service with minimal trust requirements,\”
In 20th Symposium on Information Theory in the Benelux,
May 1999.

[^9]: S. Haber, W.S. Stornetta, \”Secure names for bit-strings,\” In
Proceedings of the 4th ACM Conference on Computer and
Communications Security, pages 28-35, April 1997.

[^10]: W. Feller, \”An introduction to probability theory and its
applications,\” 1957.

Welcome to WordPress. This is your first post. Edit or delete it, then start writing!