How Bitcoin Achieves Decentralization

1. Bitcoin achieves decentralization through a peer-to-peer network that maintains a public decentralized ledger of transactions secured by miners who audit and archive transactions for a reward. 2. New blocks are verified by miners providing proof-of-work by hashing the block and checking if the result is below the target, and the longest chain of blocks is considered valid to prevent double spending. 3. The blockchain data structure contains financial transactions replicated across systems in the peer-to-peer network where cryptographic functions make past records difficult to change, achieving consensus on the data through mechanisms like proof-of-work.

Uploaded by Rithvik Rajani

Lecture 2

How Bitcoin Achieves Decentralization


Background: Blockchain
Structure of a bitcoin block
Block Structure — Bitcoin. The number in brackets is the size in bytes. Each individual cell is 1 byte, so a field of 4 bytes occupies 4 cells. The fields from Version to Nonce form the block header (80 bytes in total).
• Merkle tree
• Each transaction is hashed twice
• Hash of Transaction A = Hash[Tx(A)] = SHA256(SHA256(Transaction A))
• The total number of leaves should always be even
• If that is not the case, the last leaf is duplicated
• Timestamp
• Encoded as a Unix ‘Epoch’ timestamp, i.e. the number of seconds elapsed since January 1, 1970, midnight UTC/GMT
• It is ACCEPTED only if it is greater than the median timestamp of the previous 11 blocks and less than the network-adjusted time + 2 hours
• Network-adjusted time is the median of the timestamps returned by all nodes connected to you
• Block times are therefore accurate only to within an hour or two, which makes it more difficult to hash the block and hence more difficult to hack it
• Difficulty
• Difficulty is a measure of how difficult it is to find a hash below a given target. The Bitcoin network has a global block difficulty; valid blocks must have a hash below this target
• Every 2016 blocks, the difficulty changes
• Nonce
• The "nonce" in a bitcoin block is a 32-bit (4-byte) field whose value is adjusted by miners so that the hash of the block will be less than or equal to the current target of the network
• As this iterative calculation requires time and resources, presenting the block with the correct nonce value constitutes proof of work
• A golden nonce in Bitcoin mining is a nonce which results in a hash value lower than the target
• Target
• The target is a 256-bit number (extremely large) that all Bitcoin clients share. The SHA-256 hash of a block's header must be lower than or equal to the current target for the block to be accepted by the network
• The lower the target, the more difficult it is to generate a block
• Mining
• Any change to the block data (such as the nonce) will make the block hash completely different
• Since it is believed infeasible to predict which combination of bits will result in the right hash, many different nonce values are tried, and the hash is recomputed for each value until a hash less than or equal to the current target of the network is found
• Mining is the work of finding a nonce so that sha256(sha256(data + nonce)) < target
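As an added worked example (not code from the slides or from Bitcoin Core), the following Python builds the 80-byte header from the fields listed above, computes the Merkle root with the odd-leaf duplication rule, derives the target from the compact nBits field, searches for a golden nonce and then performs the single-hash check every node does on receipt. The three transactions and the easy target 0x2000ffff are constructed so the search finishes in milliseconds.

```python
"""Constructed example of the block-header fields, Merkle root and
proof-of-work check described above.  Not Bitcoin Core code: the
transactions and the easy target (nBits 0x2000ffff, roughly one success
per 256 hashes) are made up so the nonce search finishes immediately."""
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    # Bitcoin hashes everything twice: SHA256(SHA256(x)).
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(tx_hashes: list) -> bytes:
    """Pairwise double-SHA256 up the tree.  A row with an odd number of
    entries duplicates its last hash so that every row pairs up evenly."""
    level = list(tx_hashes)
    if not level:
        raise ValueError("a block needs at least one transaction")
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [double_sha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]


def bits_to_target(bits: int) -> int:
    # Compact 'nBits' encoding: 1-byte exponent followed by a 3-byte mantissa.
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    return mantissa * 256 ** (exponent - 3)


def serialize_header(version, prev_hash, root, timestamp, bits, nonce) -> bytes:
    """80-byte header: version(4) prev_hash(32) merkle_root(32) time(4) bits(4) nonce(4)."""
    return (struct.pack("<I", version) + prev_hash + root
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash_value(header: bytes) -> int:
    # The header hash is compared with the target as a little-endian 256-bit integer.
    return int.from_bytes(double_sha256(header), "little")


def mine(version, prev_hash, root, timestamp, bits, max_tries=1 << 24):
    """Try nonces 0, 1, 2, ... until sha256(sha256(header)) <= target."""
    target = bits_to_target(bits)
    for nonce in range(max_tries):
        header = serialize_header(version, prev_hash, root, timestamp, bits, nonce)
        if header_hash_value(header) <= target:
            return nonce, header
    raise RuntimeError("nonce space exhausted; a real miner would change the timestamp or coinbase")


def verify_header(header: bytes) -> bool:
    """Receiver side: one double hash and one comparison, no trust in the miner."""
    if len(header) != 80:
        return False
    bits = struct.unpack("<I", header[72:76])[0]
    return header_hash_value(header) <= bits_to_target(bits)


# Constructed transactions: three of them so the Merkle step hits the odd-count rule.
TXS = [b"coinbase: 25 BTC to miner", b"alice pays bob 1 BTC", b"carol pays dave 0.5 BTC"]
EASY_BITS = 0x2000FFFF   # constructed easy target, not a real network value


def demo():
    root = merkle_root([double_sha256(tx) for tx in TXS])
    return mine(1, b"\x00" * 32, root, 1231006505, EASY_BITS)


if __name__ == "__main__":
    nonce, header = demo()
    print("golden nonce:", nonce, "header valid:", verify_header(header))
```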
• HashCash based Proof of Work
• Sender side
• The sender prepares a header and appends a counter value initialized to a random number. It then computes the 160-bit SHA-1 hash of the header
• If the first 20 bits (i.e. the 5 most significant hex digits) of the hash are all zeros, then this is an acceptable header
• If not, the sender increments the counter and tries the hash again
• Out of 2^160 possible hash values, there are 2^140 hash values that satisfy this criterion
• Thus the chance of randomly selecting a header whose hash begins with 20 zeros is 1 in 2^20
• No more efficient method than this brute force approach is known to find a valid header
• Receiver side
• The recipient's computer calculates the 160-bit SHA-1 hash of the entire string
• If the first 20 bits are not all zero, the hash is invalid
• If the date in the header is not within two days of the current date, it is invalid
• The recipient also checks whether the e-mail address in the hash string matches any of the valid e-mail addresses registered by the recipient
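The sender-side and receiver-side steps above, as an added Python example (not the hashcash reference implementation): the stamp layout follows the hashcash v1 format `ver:bits:date:resource:ext:rand:counter`, and `DEMO_BITS` is set to 16 instead of the slide's 20 so minting finishes in a fraction of a second.

```python
"""Constructed Hashcash stamp minter and verifier.  Added example, not the
hashcash reference code: the stamp mirrors the v1 layout
(ver:bits:date:resource:ext:rand:counter) and the demo uses 16 zero bits
rather than 20 so a stamp mints in ~65k SHA-1 trials instead of ~1M."""
import base64
import hashlib
import random
import secrets
from datetime import datetime, timedelta, timezone

DEMO_BITS = 16   # the slide's 20 bits would need about a million trials per stamp


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the most significant end of the hash."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mint(resource: str, bits: int = 20, now=None) -> str:
    """Sender side: build the header, append a counter initialised to a random
    value, and increment it until SHA-1(header) starts with `bits` zero bits."""
    now = now or datetime.now(timezone.utc)
    rand = base64.b64encode(secrets.token_bytes(8)).decode()
    prefix = f"1:{bits}:{now:%y%m%d}:{resource}::{rand}:"
    counter = random.getrandbits(32)
    while True:
        stamp = prefix + str(counter)
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp: str, my_addresses, bits: int = 20, now=None, max_age_days: int = 2) -> bool:
    """Receiver side: hash the entire string, then apply the slide's checks:
    enough leading zero bits, date within two days, resource is one of the
    recipient's registered addresses."""
    now = now or datetime.now(timezone.utc)
    fields = stamp.split(":")
    if len(fields) != 7 or fields[0] != "1":
        return False
    claimed_bits, date, resource = fields[1], fields[2], fields[3]
    if not claimed_bits.isdigit() or int(claimed_bits) < bits:
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < bits:
        return False
    try:
        stamp_day = datetime.strptime(date, "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    if abs(now - stamp_day) > timedelta(days=max_age_days):
        return False
    return resource in my_addresses


def demo():
    """Mint one stamp on a fixed (constructed) date and exercise each check."""
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    inbox = {"bob@example.com"}
    stamp = mint("bob@example.com", DEMO_BITS, now)
    # Change the last digit of the counter: the hash changes, so the zero bits vanish.
    tampered = stamp[:-1] + ("0" if stamp[-1] != "0" else "1")
    return {
        "fresh_ok": verify(stamp, inbox, DEMO_BITS, now),
        "stale_rejected": not verify(stamp, inbox, DEMO_BITS, now + timedelta(days=3)),
        "wrong_recipient_rejected": not verify(stamp, {"carol@example.com"}, DEMO_BITS, now),
        "tampered_rejected": not verify(tampered, inbox, DEMO_BITS, now),
    }


if __name__ == "__main__":
    print(demo())
```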
Bitcoin
• Is a peer-to-peer network that maintains a public decentralized ledger of digital math-based assets known as bitcoins
• The integrity of this ledger is backed and secured by a sub-network of computers (miners) who audit and archive its transactions for a reward
• A transaction (sending a bitcoin) sends an instruction to the network to change the custody recorded in the public ledger
• However, the ownership cannot be changed until more than half of the nodes in the network have authenticated it
• How does bitcoin solve the double spending attack?
• This is the central idea behind Bitcoin to solve the double spending problem:
• Due to the inclusion of the previous block's hash in the block data (which links the blocks to form a chain) and the fact that the honest nodes of the network always do their work on the longest chain of blocks,
• a double spending attack involves calculating (and later publishing) a forked block chain in secret that is longer than the "honest chain" (containing the transaction that should be undone)
• Due to the work required to do this, this race can only be won if the attacker has greater computation power than the rest of the network together
• Since using such computation power to honestly mine is likely more profitable than pulling off a double-spend, the incentive for doing a double-spend attack is low

• How does the bitcoin network verify a new block?
• Mining
• Bitcoin miners find a random number (called a "Nonce") that, when inserted into the current block, makes the hash fall below the current target. They then send that block around the network
• Verification
• Everyone checks their work (the proof-of-work) by hashing the block and checking if the result is below the current target. In mining pools, miners do the same thing, but the current target is much higher (so it's easier). When they find one of these, it's called "mining a share". A small percentage of the "shares" will actually have a hash below the actual target, and the pool will make its 25 BTC profit, then distribute it out to the miners who found a share (normally using some über-complicated method to prevent cheating/pool hopping)
• What is blockchain?
• A data store, usually containing financial transactions, that is replicated over a number of systems residing in a peer-to-peer network, where each read and write request is validated by cryptographic functions, which makes it hard to change past records
• What are the types of blockchain?
• Public (permissionless) or (Pseudonymous)
• Anyone can read/write the transactions
• Private (permissioned) or (identified)
• Participants are known and trusted
• Data storage
• A blockchain is just a file
• Competing most closely with a database
• Blocks in a chain = pages in a book
• Blocks contain content and a header
• Block ordering is based on the block’s hash value
• Data distribution
• Peer to peer network
• Challenge in determining the real or true state or value of the data
• If all the nodes are trusted but work at different speeds and have slightly different states
• If some/all of the nodes are untrusted, how do you ensure that the system can’t easily be corrupted by bad peers?

• CONSENSUS: How do you resolve conflicts?
• Conflict #1: A common conflict is when multiple miners create blocks at roughly the same time. Because blocks take time to be shared across the network, which one should count as the legit block?
• Apply the longest chain rule: If you see multiple blocks, treat the longest chain as legitimate
• Scenario: If three miners across the world create ‘Block 81’ at roughly the same time, which ‘Block 81’ should be considered valid?
• They will certainly contain a different payment address for the 25 BTC block reward, and they may contain a different set of transactions: 81a, 81b, 81c
• Suppose you assume 81a is valid and start to create 82a; in the meantime 82b reaches you, followed by 83b. By the longest chain rule, 80-81a is shorter than 80-81b-82b
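The ‘Block 81’ scenario above, simulated as an added Python example (not code from the slides or from Bitcoin Core): a node stores every block it hears of, extends only the tip of its longest chain, keeps the first-seen block on a tie, and reports how many confirmations a payment has from the main chain. Block ids and transactions are made up; chain "length" is block height, as on the slide.

```python
"""Constructed simulation of the longest-chain rule in the 'Block 81' scenario.
Not Bitcoin Core code: blocks are plain dicts with made-up ids and a chain's
length is its height.  A Node keeps every block it has heard of but only
builds on the tip of the longest chain it knows."""


class Node:
    def __init__(self, genesis_id, genesis_height):
        self.blocks = {genesis_id: {"prev": None, "height": genesis_height, "txs": []}}
        self.tip = genesis_id          # the block this node is currently building on

    def receive(self, block_id, prev_id, txs):
        """Store a block whose parent is known.  Longest chain rule: switch the
        tip only when the new block makes a strictly longer chain; a tie keeps
        the block that arrived first (81a in the scenario)."""
        if block_id in self.blocks or prev_id not in self.blocks:
            return False
        height = self.blocks[prev_id]["height"] + 1
        self.blocks[block_id] = {"prev": prev_id, "height": height, "txs": list(txs)}
        if height > self.blocks[self.tip]["height"]:
            self.tip = block_id
        return True

    def main_chain(self):
        """Block ids from genesis to the current tip, following the prev links."""
        chain, cur = [], self.tip
        while cur is not None:
            chain.append(cur)
            cur = self.blocks[cur]["prev"]
        return chain[::-1]

    def is_orphaned(self, block_id):
        return block_id in self.blocks and block_id not in self.main_chain()

    def confirmations(self, tx):
        """Depth of the block holding tx on the main chain (1 = in the tip); 0 if
        the payment is not on the main chain at all."""
        for depth, bid in enumerate(reversed(self.main_chain()), start=1):
            if tx in self.blocks[bid]["txs"]:
                return depth
        return 0


def scenario():
    """Three miners publish Block 81 at once; this node saw 81a first."""
    node = Node("80", 80)
    node.receive("81a", "80", ["reward -> minerA", "alice -> retailer"])   # seen first
    node.receive("81b", "80", ["reward -> minerB"])                        # tie: not adopted
    node.receive("81c", "80", ["reward -> minerC"])
    after_81 = (node.tip, node.confirmations("alice -> retailer"))
    node.receive("82b", "81b", ["reward -> minerB", "carol -> dave"])      # 80-81b-82b is longer
    node.receive("83b", "82b", ["reward -> minerB"])
    after_83 = (node.tip, node.confirmations("alice -> retailer"), node.is_orphaned("81a"))
    return after_81, after_83


if __name__ == "__main__":
    print(scenario())   # (('81a', 1), ('83b', 0, True))
```

The retailer's payment goes from 1 confirmation to 0 the moment the longer b-branch arrives, which is why the slides later recommend waiting for several confirmations.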
• UPGRADES
• Suggest the change – Bitcoin Improvement Proposal (BIP):
• BIPs are nothing but improvements that are proposed, discussed, and written up into the Bitcoin Core software
• Adopt the changes by the miners
• The upgrade can be downloaded by nodes and block makers (miners) and run, but only if they want to
• Miner node
• Download the Bitcoin Core software and install it on your node; the full node is then capable of:
• Connecting to the bitcoin network
• Downloading the blockchain
• Storing the blockchain
• Listening for transactions
• Validating transactions
• Passing on valid transactions
• Listening for blocks
• Validating blocks
• Passing on valid blocks
• Creating blocks
• ‘Mining’ the blocks
• DEFENCE: How do you make it hard for baddies?
• A dishonest miner can:
• Refuse to relay valid transactions to other nodes
• Attempt to create blocks that include or exclude specific transactions of his choosing
• Attempt to create a ‘longer chain’ of blocks that makes previously accepted blocks become ‘orphans’ and not part of the main chain
• He can’t:
• Create bitcoins out of thin air*
• Steal bitcoins from your account
• Make payments on your behalf or pretend to be you
• With transactions
• Very limited effect. The honest nodes simply reject any invalid transactions from him
• With blocks
• If he has sufficient block creation power, he can delay your transaction by refusing to include it in his blocks
• Your transaction will still be known by other honest nodes as an ‘unconfirmed transaction’, and they will include it in their blocks
• Worst case scenario – Double spending attack
• Create a longer chain of blocks than the rest of the network, and invoke the “longest chain rule” to kick out the shorter chains. This lets him unwind a transaction
• Create two payments with the same bitcoins: one to an online retailer, the other to yourself (another address you control)
• Only broadcast the payment that pays the retailer
• When the payment gets added in an honest block, the retailer sends you goods
• Secretly create a longer chain of blocks which excludes the payment to the retailer, and includes the payment to yourself
• Publish the longer chain. If the other nodes are playing by the “longest chain rule”, then they will ignore the honest block with the retailer payment, and continue to build on your longer chain. The honest block is said to be ‘orphaned’ and does not exist to all intents and purposes
• The original payment to the retailer will be deemed invalid by the honest nodes because those bitcoins have already been spent (in your longer chain)
• How do you make it hard for dishonest miners to create blocks?
• Make it computationally expensive to add blocks
• A guessing game where block-makers need to guess a number which, when crunched with the rest of the block data contents, results in a hash / fingerprint that is smaller than a certain number
• INCENTIVES: How do you pay validators?
• Miners do lots of mining, increasing the difficulty and raising the walls against network attacks. They are rewarded in bitcoin according to a schedule, and in time, as the block rewards reduce, transaction fees become the incentive that miners collect
Bitcoin
• Bitcoin is a decentralized electronic payment system based on cryptographic proof instead of trust, thereby enabling two willing parties to transact directly with each other without the need for a trusted third party like a centralized bank
• Cannot be printed
• Resilient to any manipulations
• Backed by hard and complex energy-intensive math problems
• Inflation proof
• Takes the power back from the governments
• Moves faster and quicker
• Fixed supply of bitcoin: 21 million
Centralization vs. decentralization
• Competing paradigms that underlie many digital technologies
• Centralized: Online Social Networking Services (Facebook, Google)
• Decentralized: Internet, Email service and the SMTP protocol
• Decentralization is not all-or-nothing: For example, e-mail has a decentralized protocol (SMTP) but is dominated by centralized webmail services
Comparison between banking and bitcoin network
Banking network
• Trusted third parties process electronic payments
• Completely non-reversible transactions are not really possible
• Financial institutions cannot avoid mediating disputes
• The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions
• Demands more information than they would otherwise need
• A certain percentage of fraud is accepted as unavoidable
Bitcoin network
• Parties transact directly with each other without the need for a trusted third party
• An electronic payment system based on cryptographic proof instead of trust
• Transactions that are computationally impractical to reverse protect sellers from fraud
• The system is secure as long as honest nodes collectively control more CPU power
• Solves the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions
Aspects of decentralization in Bitcoin
1. Who maintains the ledger? (Our focus in this chapter)
2. Who has authority over which transactions are valid?
3. Who creates new bitcoins?
4. Who determines how the rules of the system change?
5. How do bitcoins acquire exchange value?
Beyond the protocol: exchanges, wallet software, service providers...
Aspects of decentralization in Bitcoin
1. Peer-to-peer network: open to anyone, low barrier to entry
2. Mining: open to anyone, but inevitable concentration of power, often seen as undesirable
3. Updates to software: core developers trusted by community, have great power
Needs of decentralization in Bitcoin
• Objective: A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution
• Challenge: Double spending attack
• Solution:
• Digital signatures provide part of the solution
• The main benefits are lost if a trusted third party is still required to prevent double-spending
• Solution for the double-spending problem using a peer-to-peer network
• The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work
• The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power
• Benefit: As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers
Distributed consensus
Bitcoin’s key challenge
• Key technical challenge of decentralized e-cash: distributed consensus
• or: how to decentralize ScroogeCoin
Why consensus protocols?
• Traditional motivation: reliability in distributed systems
• A distributed key-value store enables various applications: DNS, public key directory, stock trades …
Defining distributed consensus
• There are “n” nodes, each with an input value. Some nodes are faulty or malicious. A distributed consensus protocol has the following two properties:
1. The protocol terminates and all honest nodes are in agreement on the same value
2. This value must have been proposed by some honest node
What does this mean in the context of Bitcoin?
Bitcoin is a peer-to-peer system
When Alice wants to pay Bob, she broadcasts the transaction to all Bitcoin nodes
[Figure: transaction “Pay to pk_Bob : H( )”, signed by Alice]
Note: Bob’s computer may not be in the picture or online!
In fact, running a Bitcoin node is not important for Bob to receive the funds. The bitcoins will be his regardless
What do nodes need to reach a consensus on?
● Which transactions were broadcast on the network
● Order in which these transactions occurred
● Result of the consensus protocol: a single, global transaction ledger for the system
Signature verification
How consensus could work in Bitcoin
At any given time (in the bitcoin peer-to-peer network):
● All nodes have a sequence of blocks of transactions (called the ledger or block chain) they’ve reached consensus on
● Each node has a set of outstanding transactions it’s heard about (but not yet included in the block chain)
● For these transactions consensus has not yet happened
● Each node may have a slightly different outstanding transaction pool
How consensus could work in Bitcoin
[Figure: each node’s pool of outstanding transactions (Tx …) feeds the consensus protocol, which outputs the next block of transactions]
OK to select any valid block, even if proposed by only one node


Why is consensus hard (esp. in the Bitcoin context)?
Nodes may crash
Nodes may be malicious
The peer-to-peer network is imperfect
• Not all pairs of nodes are connected (and may participate)
• Faults in the network
• Latency
No notion of global time, which constrains the set of consensus algorithms that can be used
Many impossibility results
• Byzantine generals problem: Consensus impossible to achieve if 1/3 or more generals are traitors
• Fischer-Lynch-Paterson (deterministic nodes): consensus impossible with a single faulty node (under certain conditions)
Some well-known protocols
• Example: Paxos
• Never produces an inconsistent result, but can (rarely) get stuck
Understanding impossibility results
• The earlier results were proven for specific models
• Specifically, distributed databases
• A distributed database model (and the assumptions under it) doesn’t carry over to Bitcoin!
• These results say more about the model than about the problem
• What does it mean?
• It may be possible to develop consensus protocols that work for Bitcoin networks
Bitcoin consensus: theory & practice
• Bitcoin consensus works better in practice than in theory
• Theory is still catching up
• BUT theory is important, can help predict unforeseen attacks
So why is the problem of consensus different in Bitcoin?
Introduces incentives
• Possible only because it’s a currency!
• So in Bitcoin we do not have to solve the consensus problem in general, but only the one for a currency system
Embraces randomness
• Does away with the notion of a specific starting and ending point for consensus
• Consensus happens over long time scales — about 1 hour
• In summary, consensus in Bitcoin is not deterministic – even at the end of 1 hour nodes may not be 100% sure that their view of the block chain is the consensus view
• Although the probability of that not being the case is very low
Consensus without identity: using a block chain
Bitcoin’s consensus algorithm
Bitcoin nodes don’t have long-term identities
Why?
1. Identity is hard in a P2P system — Sybil attack
2. Pseudonymity is a goal of Bitcoin
Why is having identity useful for consensus?
Answer: It makes the consensus protocol easy to design! But how?
1. Pragmatic: some protocols need node IDs
• Protocols could have instructions of the form “Now node with lowest ID, do something..”
• Without identities, instructions are constrained
2. Security: assume less than 50% malicious
• If nodes have identities, and it is difficult to create new node identities, then some assumptions about the number of malicious nodes can be made
• This can be used to prove certain security properties
How to overcome lack of identity in Bitcoin?
• Weaker assumption: select a random node in the bitcoin network
• Analogy: lottery or raffle
• When tracking & verifying identities is hard, we give people tokens, tickets, etc.
• Key assumptions:
• Now we can pick a random ID & select that node
• Multiple sybil nodes by the adversary are able to get only a single token (random ID)
Key idea: implicit consensus
1. In each round (corresponding to a different block in the block chain), a random node is picked
2. This node proposes the next block in the chain
• No consensus or voting done by this node!
3. Other nodes implicitly accept/reject this block
• by either extending it
• or ignoring it and extending the chain from an earlier block
4. Every block contains the hash of the block it extends
Consensus algorithm (simplified)
1. New transactions are broadcast to all nodes
2. Each node collects new transactions into a block
3. In each round a random node gets to broadcast its block
4. Other nodes accept the block only if all transactions in it
are valid (unspent, valid signatures)
5. Nodes express their acceptance of the block by including
its hash in the next block they create
Now let’s analyze if this works!
Assume a malicious adversary.
Can this adversary subvert the implicit consensus process by:
1. Stealing Bitcoins?
2. Denial of service?
3. Double spend?
What can a malicious node do?
[Figure: double-spending attack. Two transactions signed by A spend the same coin C_A: “Pay to pk_B : H( )” (C_A → B) and “Pay to pk_A′ : H( )” (C_A → A′)]
Honest nodes will extend the longest valid branch
In practice nodes extend the block that they first detect on the peer-to-peer network (not a solid rule)
From Bob the merchant’s point of view
[Figure: Bob hears about the C_A → B transaction (0 confirmations); the block containing it is then buried by further blocks (1, 3, 6 confirmations) while a double-spend attempt C_A → A′ sits on a competing branch]
• Double-spend probability decreases exponentially with # of confirmations
• Most common heuristic: 6 confirmations
Recap
• Protection against invalid transactions is cryptographic, but enforced by consensus
• Protection against double-spending is purely by consensus
• You’re never 100% sure a transaction is in the consensus branch. The guarantee is probabilistic
Incentives and proof of work
Assumption of honesty is problematic
Can we give nodes incentives for behaving honestly?
Can we reward nodes that created these blocks?
Can we penalize the node that created this block?
Everything so far is just a distributed consensus protocol
But now we utilize the fact that the currency has value
Incentive 1: Block Reward
Creator of block gets to
• include a special coin-creation transaction in the block
• choose the recipient address of this transaction
Value is fixed: currently 12.5 BTC, halves every 210,000 blocks created (or every 4 years at the current rate of block creation)
• We are now in the third period – the first period block reward was 50 BTC
Block creator gets to “collect” the reward only if the block ends up on the long-term consensus branch!
• Subtle but powerful trick: Incentivizes nodes to behave in a way that will get other nodes to extend their block
There’s a finite supply of bitcoins
Total supply: 21 million
Block reward is how new bitcoins are created
[Figure: total bitcoins in circulation by year; first inflection point: reward halved from 50 BTC to 25 BTC]
Runs out in 2040. No new bitcoins unless rules change
Does that mean that after 2040 nodes will no longer have incentive to behave honestly?
Not really!
Incentive 2: Transaction Fees
• Creator of a transaction can choose to make the output value less than the input value
• The remainder is a transaction fee and goes to the block creator (that first puts that transaction into a block)
• Purely voluntary, like a tip
• But the system will evolve, and fees will become mandatory, as block rewards run out
Remaining problems
1. How to pick a random node?
2. How to avoid a free-for-all due to rewards?
• Everybody may want to run a bitcoin node in order to get this free reward (block reward and transaction fee)
3. How to prevent Sybil attacks?
• An adversary may create a large number of Sybil nodes to subvert the consensus process
Proof of work
To approximate selecting a random node: select nodes in proportion to a resource that no one can monopolize (we hope)
• In proportion to computing power: proof-of-work (used in Bitcoin)
• In proportion to ownership of the currency: proof-of-stake (not used in Bitcoin – but a legitimate model used in other cryptocurrencies)
Equivalent views of proof of work
1. Select nodes in proportion to computing power
2. Let nodes compete for the right to create a block
3. Make it moderately hard to create new identities
Hash puzzles
To create a block, find a nonce s.t. H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) is very small
In other words, H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
[Figure: a block consists of the nonce, prev_h and the transactions (Tx …); the target space is a tiny region of the hash function’s output space]
If the hash function is secure (satisfies puzzle-friendliness), the only way to succeed is to try enough nonces until you get lucky
Advantage of such a PoW system?
• It completely does away with the problem of magically picking a random node (to propose a block)
• Nodes independently compete by attempting to solve hash puzzles
• Once in a while, one will succeed and propose the next block
• Result: Such a system is completely decentralized; no one gets to decide which node proposes the next block
PoW property 1: difficult to compute
• Difficulty varies with time
• As of 2015: difficulty level is over 10^20 hashes/block
• i.e., size of target space <= 1/10^20 of the size of the hash’s output space
• Such a computation is not possible with commodity laptops
• Only some nodes bother to compete — miners
• This process of repeatedly solving hash puzzles is called bitcoin mining
• Technically anyone can mine; however, mining power is concentrated in a mining ecosystem
PoW property 2: parameterizable cost
Nodes automatically re-calculate the target (size of target space as a fraction of the output space) every two weeks
Goal: average time between blocks = 10 minutes
In other words, recalculation takes place after 2,016 blocks!
Prob (Alice wins next block) = fraction of global hash power she controls
Why is such a re-adjustment needed?
• It is inefficient if blocks are proposed too close to each other
• Would not be able to put multiple transactions in a single block!
• Why 10 minutes?
• Not significant!
• Could change it to 5 minutes, and the system would still work
Key security assumption
Bitcoin attacks are infeasible if a majority of miners, weighted by hash power, follow the protocol (or are honest)
This will ensure a more than 50% chance that the next block is proposed by an honest node!
Solving hash puzzles is probabilistic
[Figure: probability density of the time to the next block (entire network), with the 10-minute mark shown]
PoW property 3: trivial to verify
Nonce must be published as part of block
Other miners simply verify that H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
Advantage?
No centralized verifier needed! Any node or miner can verify that the block was correctly mined
Mining economics
If mining reward (block reward + Tx fees) > mining cost (hardware + electricity cost) → Profit
Complications:
• Fixed (hardware) vs. variable (electricity) costs
• Reward depends on rate at which miners propose blocks (ratio of their hash rate to the global hash rate)
• Cost in dollars, but reward in BTC, so profit depends on the exchange rate
Solving more than 10^20 hashes to obtain 12.5 BTC at the current exchange rate is profitable!
Putting it all together
Recap
Identities
Transactions
P2P network
Block chain & consensus
Hash puzzles & mining
Bitcoin is bootstrapped
[Figure: a cycle of three mutually reinforcing properties: security of the block chain, health of the mining ecosystem, value of the currency]
What can a “51% attacker” do?
Steal coins from existing address? ✗
Suppress some transactions?
• From the block chain ✓
• From the P2P network ✗
Change the block reward? ✗
Destroy confidence in Bitcoin? ✓✓
Remaining questions
1. How do we get from consensus to currency?
2. What else can we do with consensus?
