
> Except that by withholding their block, they got a headstart so they are more likely to find the second block. So it's not the same.

Withholding their block (5s or whatever) doesn't make them more likely to find the second block. The probability of finding a block is always the same, given a hashrate.

They are the only ones mining on this particular chain, but that's not an advantage either. How is mining on a hidden chain an advantage?

On the other hand, withholding certainly makes them more likely to lose the reward of the block.



> They are the only ones mining on this particular chain, but that's not an advantage either. How is mining on a hidden chain an advantage?

It's easier to see the argument if you have a head start. Imagine you've somehow created a private chain that's 10 blocks ahead of the public chain. You could publish that now and earn 10 blocks of reward, or you could continue mining until the lead diminishes to 0 blocks, earning the same 10 blocks of reward plus however many blocks you've mined in the meantime.

If you have 50%+ε of the hash rate on the network, this argument would have you bully other miners out by almost always stranding their blocks, since in expectation you'll mine blocks faster than your competitors.

The insight is that this same situation can happen probabilistically with a finite but non-majority fraction of the hash rate on the network. With 49% of the hash rate you'll still be able to build a private chain some fraction of the time, so waiting a little bit to see if this occurs might have positive expected value.


But to get 10 blocks ahead you have to withhold blocks before knowing you'll be ahead. If you don't get ahead, you'll likely lose the reward of the blocks you withheld.

So, you have to risk a lot of rewards, and for what potential gain? If you win you get to discard some blocks of others. You don't get more rewards, you just make others earn less (and you push the difficulty down a bit).

I can see how you get a chance to double spend, though. If you want to double spend a transaction with N confirmations, you have to be N+1 blocks ahead in your hidden chain, publish your first transaction, wait for N confirmations on the public chain, and you publish your chain that's still 1 block ahead (and includes your double spend transaction).

Indeed, it's not "51% expensive", but it's still very expensive because of the rewards lost during the failed attempts before you get ahead enough. Actually, it might even be more expensive, because with 51% you're guaranteed to get ahead enough at some point, so you don't really risk your rewards (if you can maintain 51%).


> But to get 10 blocks ahead you have to withhold blocks before knowing you'll be ahead.

You KNOW you are ahead, because you found a block and nobody else has published a block.


Yes, but when you find that block you don't know whether you will be 10 blocks ahead in the future. You have to make the decision to put the reward of this block at risk before you know you'll be able to apply your strategy. That's what I meant here. It is very costly on average because of the potential loss of the withheld blocks.


> The probability of finding a block is always the same, given a hashrate.

I think you are missing something very basic here: the longer you compute, the higher the likelihood that you will find the hash before the others.

The extreme case being that if you can try ALL the possibilities before the others can start, then you are guaranteed to find the solution before them.


That's only mathematically true. The advantage is way too small to be relevant.

Your advantage is having exhausted a fraction of the search space. But that fraction is tiny.

You're trying to find a hash with a value below a certain threshold (simply put, a hash starting with a certain amount of zeroes). You do this by trying random inputs to the hash function. Every input has the same probability of getting an output that is low enough in value. You are not advancing by having tried other inputs. It's practically equivalent to rolling multiple dice until enough of them show a one. Every roll has the same probability of succeeding regardless of the rolls before.


> The advantage is way too small to be relevant.

That's the whole question: is it relevant or not? Even if it makes mining slightly more profitable, that's a win. No need to remind you that those who mine do it exclusively for profit.


It's not. Your advancement is that of exhausting a part of the search space of SHA256 inputs for a given output. We would be in deep trouble if you made any significant advancements there or even got close to it by multiple orders of magnitude off.


> We would be in deep trouble if you made any significant advancements there

Not necessarily. The whole idea is that it may be more profitable to withhold a block for some time. "More profitable" means that you make more money at the end. Not that you make billions in a second.


I'm not commenting on the Bitcoin economics, but on the specific problem of a partial hash inversion which Bitcoin uses. If any amount of compute you can bring up would grant you any significant amount of information about the likelihood of a (partial) hash inversion for an untested input in your search space by means of having searched a significant amount of the search space, SHA256 would be broken.

In hopefully simpler words: you want to find a hash with all zeroes. So you start trying inputs from your search space and hash them to see if they match that criterion. Every single input you try has the same probability of matching. After trying a lot of inputs you have exhausted a part of the search space. You have already tried many incorrect inputs. At some point if you keep only trying incorrect inputs you should have exhausted the whole search space and the last remaining possible input has to be the correct one resulting in an all zeroes hash. So the probability of the next hash being the correct one should go up during your search as you learn information about the remaining candidates in the search space. If this information is in any way significant in practice with any feasible amount of computing power, the cryptographic hash function is insecure. Of course with Bitcoin you aren't searching for a full hash inversion with all zeroes but only for a partial one starting with some zeroes, but that does not change the fundamentals. It should be infeasible to learn any significant information about the output of untried inputs by trying other inputs.

If SHA256 was to be broken in that way, we'd be in big trouble and Bitcoin would be the least of our worries.


The key to realize is that this strategy only makes sense if you have a considerable fraction of total hashrate. If you have 10% hashrate, delaying for 1 block period gives you a 10% chance of finding another block on top (that no one else can search for because you haven't published the first one).


But by withholding you also increase the risk that your first block will never end up in the main chain (if the remaining 90% find a block while you're withholding).

And you would still have 10% chance of mining another block if you don't withhold.

What advantage does withholding give you?


> What advantage does withholding give you?

One last time. By withholding, you have a headstart on the next block. If you can mine for longer, you increase your chances.


Mining on the hidden chain is not necessarily a head start. It would be if it was certain that this hidden chain will become the main chain. But if it doesn't, then mining on it was a waste, not a head start. Of course you don't know in advance, but that's exactly my point. If you don't know whether you're on the right track, you can't say you have a head start. And in the described situation, it's not guaranteed at all that the hidden chain will become the main chain.

The hidden chain can easily be discarded if the miner of the hidden chain doesn't find a 2nd block and if the miners on the public chain find a block and propagate it before the hidden chain is published. In that case, the public chain and hidden chains will be 2 competing heads, and other miners will decide which one wins. They will generally take the first block they saw, so most likely not the (previously) hidden chain. In that situation, mining on the hidden chain was a waste, not a head start. We could even say that the miners on the public chain had a head start. That's why I say there's no such thing as a head start.


I think that at this point, you would have to learn more about probabilities. You're stuck at "I don't understand how having a 51% chance to win is better than having 49%, because you cannot know the result in advance and there is a 49% chance that you lose, in which case you have lost".


No, I'm saying it's not clear at all who is in a better position. I'd even argue that the miner hiding his block is in a worse position.

But I'll stop discussing that with you. It's pointless and you're way too condescending.


> I'd even argue that the miner hiding his block is in a worse position.

That's just an intuition. You keep saying "having a headstart doesn't help, because those are independent probabilities". Which is wrong: having a headstart does help. How much does it help, and is it worth it? That's the whole question. And it would require more work to answer it.
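
Added example, not written by any participant in this thread: a Monte Carlo run of the block-withholding state machine from Eyal and Sirer's selfish-mining analysis, checked against its closed-form revenue share, to put numbers on the "how much does it help" question. Assumed here: `alpha` is the withholder's hashrate share, `gamma` is the share of other miners that build on the withholder's head during a tie, blocks propagate instantly, and difficulty is constant; the function names are illustrative.

```python
import random

def simulate(alpha, gamma, events=200_000, seed=1):
    """Withholder's share of main-chain blocks under the selfish-mining state machine."""
    rng = random.Random(seed)
    lead, tie = 0, False   # hidden-chain lead; tie = two equal-length public heads
    mine = theirs = 0      # main-chain blocks credited to each side
    for _ in range(events):
        withholder_found = rng.random() < alpha
        if tie:                          # race started after a lead of 1 was caught
            if withholder_found:
                mine += 2                # own branch wins with both blocks
            elif rng.random() < gamma:
                mine += 1; theirs += 1   # others extended the withholder's head
            else:
                theirs += 2              # withheld block is orphaned
            tie = False
        elif withholder_found:
            lead += 1                    # keep the new block hidden
        elif lead == 0:
            theirs += 1                  # nothing hidden, ordinary public block
        elif lead == 1:
            lead, tie = 0, True          # publish at once, race the public block
        elif lead == 2:
            mine += 2; lead = 0          # publish both, public block is orphaned
        else:
            mine += 1; lead -= 1         # release one block, stay ahead
    return mine / (mine + theirs)

def closed_form(alpha, gamma):
    """Stationary revenue share of the same Markov chain (Eyal and Sirer)."""
    a, g = alpha, gamma
    return (a * (1 - a) ** 2 * (4 * a + g * (1 - 2 * a)) - a ** 3) / (1 - a * (1 + (2 - a) * a))

def threshold(gamma):
    """Smallest hashrate share at which withholding beats honest mining."""
    return (1 - gamma) / (3 - 2 * gamma)

if __name__ == "__main__":
    for alpha in (0.10, 0.25, 0.33, 0.40, 0.45):
        for gamma in (0.0, 0.5):
            print(f"alpha={alpha:.2f} gamma={gamma:.1f} "
                  f"simulated={simulate(alpha, gamma):.4f} "
                  f"closed_form={closed_form(alpha, gamma):.4f} honest={alpha:.2f}")
```

Under these assumptions and gamma = 0, the share only exceeds alpha above one third of the hashrate: a 10% miner ends up with roughly 3.6% of main-chain blocks by withholding, while a 40% miner ends up with roughly 48%.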



