The Back-of-Envelope Calculation of the Transaction Confirmation Number
Think of the chain quality attack as a gambler's ruin problem. The attacker has an infinite number of coins, but the honest miners have , which is the transaction confirmation number. In each round, one player wins a coin, and the other loses a coin. The honest miner loses if there is no coin in his hands. The attacker never gives up—note that this assumption requires that the attacker controls less than a third of the total mining power.
Now analysis of the gambler's ruin tells us the probability that the attacker wins the game is
where is the probability that the attacker wins a coin. If we consider the attacker as a selfish miner with perfect network propagation advantage, we have
where is the attacker's mining power share, is the proportion of orphaned blocks among all the blocks. See this paper for the rationale behind the above equation. Note that this orphan rate definition is slightly different from the orphan rate in the NC-Max paper. Now we have
If we assume and in Bitcoin, , to get the same probability that the attacker wins the game, we need to have
In Nervos CKB, when , ; when , .
If we assume, similar to Bitcoin, , , and , to achieve the same level of security in Nervos CKB, when , we have .
If we assume, similar to Ethereum, , , and , to achieve the same level of security in Nervos CKB, when , we have .
In reality, can be estimated as , where is the number of uncle blocks embedded in the last 200 main chain blocks. By definition cannot be smaller than 6; when , use 30 as an upper bound.