Müller, Neumair, Reiser, Dreo Rodosek (Hrsg.): 11. DFN-Forum Kommunikationstechnologien, Lecture Notes in Informatics (LNI), Gesellschaft für Informatik, Bonn 2018 1 TheBitcoin Universe: An Architectural Overviewofthe BitcoinBlockchain
Paul Mueller1,2,SonjaBergsträßer2, Amr Rizk2 andRalf Steinmetz2
Abstract: On January 2009,the emergenceofBitcoin surprised theworld with anew idea involving decentralized secure money transfersoutside theecosystem of FIAT currencies.The concepts behind theBitcoin architecture theblockchain can,however,beextendedto amuch widerrange of economicassetsthan just digitalcurrencies. In general, ablockchainisadistributed, verifiable database,which operates through aconfluenceofpublic-keycryptography, theconceptofproof of work and P2P-systems. In thefollowing article, adetailedoverviewofthe concepts underlyingthe Bitcoinarchitectureis given. Theecosystem as awhole is discussed, starting with some historical aspects. We consider the cryptographicbackgroundasgiven here,asthisarticle discussesmainlythe basicconcepts forkey generation. Here,wefocus on theconceptoftransactionsinthe scope of Bitcoinwhich we break down into single attributes such as thelocking andunlocking scripts. Both,the mining processand theconsensusmechanism areexamined. Furthermore, thedrawbacksofthe wholesystemand the proposed remedies to thesevia Bitcoin Improvement Proposals(BIP) areoutlined. Finally, we addressseveral applications based on theblockchain as well as thequestionofanonymity. Keywords: Bitcoin, blockchain,proof-of-work (PoW), Bitcoin keys,Transactionsscripts,Mining, Consensus, Bitcoindrawbacks, Bitcoin applications
1Introduction
The“bigbang” of theBitcoin blockchain took placeon January 3rd,2009, when thefirst Bitcoinblock,the genesisblock,was established at 18:15:05 GMT.The genesisblock is theonly blockin theblockchain which is hard-coded within thesource code of Bitcoin, rather than theresultofthe mining process. However, thestory of Bitcoin started in 2008, when thedomain name “bitcoin.org” wasregistered anonymously.The basicideas of the blockchain were then published3 by “Satoshi Nakamoto”on Friday,October 31st,4 2008 at 18:10:00 UTCunderthe title“Bitcoin: APeer-to-PeerElectronicCashSystem” [SN08]. Theauthor(s)ofthisdocumentis/arestill unknown. Thecomplexity of theBitcoin ecosystem comes from it aims,i.e., that is that anyone should be able to writeto theBitcoin blockchain,and that thereshouldbenocentralized
1 University Kaiserslautern, Integrated CommunicationSystems Lab(ICSY), Paul Ehrlichstraße34, 67663 Kaiserslautern,[email protected] 2 TU Darmstadt, KOM Multimedia Communications Lab, Rundeturmstraße 10, 64283 Darmstadt, {Vorname.Nachname}@KOM.TU-Darmstadt.de 3 http://article.gmane.org/gmane.comp.encryption.general/12588/ 4 Halloween 2 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz control. TheBitcoin ecosystemcan be viewed as anetwork of replicated databases, where each databasecontains thesamelistofpreviousBitcoin transactions.Fullnodes (nodes who runs thefullstack of theBitcoin protocol) of thenetwork arecalled “miners”,and thesepropagate “transaction data”(payments)and “block data”(additions to theledger). Each miner independently checks thetransaction and block data passed to it.There are rules in place(theBitcoin protocol) to make thenetwork operatesasintended. The complexity of theBitcoin architecture arises from its aims,which aretobedecentralized, that is,tohavenosinglepoint of control,and to be highly secure andanonymous. This hasinfluenced how Bitcoin hasdeveloped.All blockchain ecosystems need not have the same mechanisms,especiallyifparticipants can be identified andtrusted to behave (e.g. in aprivate blockchain). Theoutline of this paperisasfollows: Firstly,several historical remarks aremade; these arefollowed by adescription of thearchitecturaldesignprinciplesinvolved. This description starts with Bitcoin keys,followedbyadetailed descriptionoftransactions and themining process, andfinisheswith adiscussion of theconsensusapproach used in Bitcoinand thevulnerability of this architecture.Next, thedrawbacksofBitcoin architecture aredescribed,followed by countermeasuresto thesedrawbacks as put forwardinBitcoinImprovementProposals (BIP). Thelastchapter concerns Bitcoin applications,where some concrete applications areintroduced.In theconclusion of the paper, we discussthe questionofanonymity.
2The ArchitectureofBitcoin
With respecttothe architecture (see Fig. 1) of theBitcoin blockchain,several important design aspectsmustbetaken into account:
1. TheBitcoin application itself
2. Theroleofnodes constitutingthe overallblockchain network, and thenode discoveryprocess
3. Transactions,which makeup theblocksrunning in thenodes
4. Thesecurity implementation that generatesthe blocks
5. Theprocessofaddingnew blocks to thechain. Theblockchain itself runs on anetwork of distributed servers.The core applicationisa transactiondatabase modeled as asecure ledger. This is shared by allnodes(servers) that run thefullstack of theBitcoin protocol.Itisthus adecentralized transactionsystem acting as ahighlytransparent ledger. Anyfullnode runningthe blockchain protocolruns theentireblockchainlocally. The Bitcoin Universe 3
After installing thefullstack of thesoftware, theblockchain client syncsupwith theother nodesin thenetwork,in apeer-to-peer fashion [SW05].Hence,thatnodemaintains all Bitcointransactions (or anyother applicationrunning on theblockchain). Theintegrity and chronologicalorderoftransactions (and theaddressesowning thecurrency)are enforced by cryptographic rules.
Fig. 1: TheBitcoin Architecture Thenodesin theoverall network useapeer-to-peer IP network to processand verify transactions.Nodes that have thesame blocks in theirindividual databasesare considered to be in consensus[DW13].
2.1The Design of theBitcoin Blockchain
We now takeacloserlook at theBitcoin blockchain.Asmentioned above, thefirst block of theBitcoin blockchain wasnot aresultofthe Bitcoin consensusmechanism (mining) but washard-coded into thesource code.Itisaspecial case,in thesense that it doesnot referenceaprevious block, and for Bitcoin and almost allofits spinoffs,itproduces an unspendable subsidy(for adetailed descriptionofthe genesisblock,see https://en.bitcoin.it/wiki/Genesis_block). At leastone parameter of theGenesis blockisworthadeeper look.The “coinbase parameter”(codedinhex)contains, along with normal data,the following text: “TheTimes 03/Jan/2009 Chancelloron brinkofsecond bailout forbanks” This may be intended as proof that theblock wascreated on or after January3rd,2009,as mentionedabove;itcould alsoforman argument for anew currency, duetothe instability caused by traditionalbanking. 4 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz
Anotherarchitecturaldesigndecisionwas thelimited total number of Bitcoins,resulting from thespeed of mining (evaluating) anew blockand therewardthataminer canearn from themining process. On average, anew block is mined every10 minutes (regardless of thetechnology used,asdiscussed later),and themining reward at thebeginning of the system was50Bitcoinsper block. Theblock reward is halved everyfour years(or every 210,000 blocks on average).Asimple calculation showsthatthere will be atotal of 21 million Bitcoins availableasrewardfor miners. Anotherdesign decisionwas theblock size.Currently, theblock size is restricted to 1MB (on average),and oneblock cantherefore coveraround 4000 transactions with an average size of 250 bytes.Thisresults in an overallrateofabout seven transactions perseconds (tps). Compared to PayPal (around200 tps) andVISA(4,000–40,000tps), this is afairly lowrate. An examinationofhttps://blockchain.info/ givesinformationonhow many transactions arecurrentlyincludedin each block, although thereare some blocks with only one transaction, meaningthatthe miner includednotransactions exceptfor theirown reward transaction5.
2.2The StepsofaBitcoinTransaction
Transactions can be broadcast by anynodein thesystematany time.The decision on which transactions of thosebroadcasted to be included in anew block is dependenton the node (the miner)runningthe proof-of-work (PoW) algorithm, sincethe minersare responsible for pickingatransactionfromthe so-called mem-pool whereall validated transactions6 arestored, groupingthemand including them in theblock.The selectionof transactions by theminer depends on thetransaction fee(thestandard feeis1.000 Satoshi =10µBTC=0.01 mBTC =0.0001 BTCper kB), which forms arewardfor theminer’s effortsinadditiontothe coinbase reward.The priority of pickingupatransaction depends on theminer;in general, miners preferlargerfees and smaller transactions,and often prioritize in this way. Transactionportions that is notspent towards recipientofback to thesenderare included as afee.Fees arepaid to miners andcan be used to increasethe speed of transaction confirmationbyincentivizing miners to prioritize thetransaction(s). To initiate atransaction, ausermustgeneratethe necessary Bitcoinkeys(seeFig.2), starting with arandom256-bitprivate key(seeStep1). This privatekey is needed to sign atransaction andthus transfer (spend) Bitcoins.The elliptic curve DSA algorithmisthen used to generate a512-bit public key from theprivate key(seeStep 2). This publickey is used to verify thesignature for atransaction, although thepublickey is notrevealeduntil atransaction is signed. Sincethe 512-bitpublickey is inconveniently large,itishashed down to 160 bits usingthe SHA-256 andRIPEMDhash algorithms (see Step 3).
5 https://blockchain.info/block-height/315076 6 validated transaction: all transactions (payments) whichfollows theBitcoinprotocol rules The Bitcoin Universe 5
Fig. 2: Bitcoinkeysand theirrelationships7 Thekey is then encodedin ASCII usingBitcoin's custom Base58Check encoding (see Step 4). Theresulting addressisthe Bitcoinaddress,which is publishedin orderfor a user to receiveBitcoins. Note that neitherthe public keynor theprivate keycan be determined fromthe Bitcoin address. If theprivate key is lost (for instance,by throwing a hard drive8 away), theBitcoinsare lost forever. When allkeyshavebeen generated, a transaction can be carried out. Atransaction enables atransferofBitcoinsand is broadcasttothe network9 nodes. Transactions arethe main building blocks of theBitcoin system.The Bitcoin architecture is designed to make sure that transactions can be transparentlyadded to thegloballedgeroftransactions. Here, thereisevennoneed to trustthe nodesusedto broadcastthe transaction. Transactions aredatastructuresthatencodeatransferofvaluebetween participants in the Bitcoinsystem. Each transactionisapublic entryinthe Bitcoinblockchain, anda transactionchain is formed (see Fig. 3), meaning that allusers cansee every Bitcoin transactionfromthe genesisblock onwards.
7 Adopted fromhttp://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html 8 https://www.theguardian.com/technology/2013/nov/27/hard-drive-bitcoin-landfill-site 9 Thereare severalscripts availableinBitcointohandlethe valuetransferfromthe source to thedestination. Thesescripts can handleverysimpletorelativelycomplex transactions,depending upon requirements. 6 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz
Fig. 3: TheBitcoin transaction chain10 Atransaction usually references previous transactionoutputs as newtransaction inputs and uses all input Bitcoin values.Thus,one key elementofaBitcoin transaction is an unspent transactionoutput (UTXO).UTXOs areindivisible pieces of Bitcoincurrency locked to aspecificowner that arerecorded in theblockchain.Although aUTXOcan have anyarbitraryvalue,itisindivisibleoncecreated,justlikeacoin that cannot be cutin pieces.When auserreceives aBitcoin value, theamountisrecorded within theblockchain as aUTXO. Thus,one Bitcoinmay be scattered in theformofUTXOs acrosshundreds of transactions and hundredsofblocks. Thereare no accountsorbalances in Bitcoin; there areonly dispersed UTXOs, locked to specificownersin thetransaction chain. This means that each inputused must be entirely spentin atransaction.Ifanaddress received 12.5 Bitcoins andwants to spendonly12.0Bitcoins,the transaction must spendall 12.5. Hence, one uses asecond output (the change address) for thedifference, which returnsthe 0.5 leftoverBitcoinsbacktothe sender (see Fig.4). Transactions in theblockchain arenot encrypted, and it is therefore possibleto browse and view everytransaction ever made, each of which is stored in ablock related to the Bitcoinaddress rather than thenameofthe user.Oncetransactions receivesufficient confirmations,they can be considered irreversible.All transactions arevisible (the transactionchain which givesthe history of ownership) in theblockchain (which givesthe
10 Adopted fromhttp://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html The Bitcoin Universe 7 transaction ordering in time to avoid double spending) and canbeviewed with ahex editor. Thetransaction itself hasthe generalformatshownin Fig. 5.11
Fig. 4: Inputand outputsofatransaction
In general, aBitcoin transaction is composed of threeparts:
• An input: This is arecord of theBitcoin addressfromwhich theBitcoinstobe spentwereinitially received. • An amount: This is thespecificamountofBitcoin to be sent. • An output: This is thereceiver’s public key, also known as a‘Bitcoinaddress.’ Thetransaction input (or listofinputs)isapointerto aUTXOusing areference to the transactionhashand sequencenumberofthe record in theblockchain.Tospend aUTXO, atransaction input also includesan unlockingscript that satisfies thespending conditions setby theUTXO. Theunlocking script is usuallyasignature proving theownership of the Bitcoinaddress in thelocking script. Theunlocking script is called scriptSig,because it usually contains adigital signature. Atransaction output (or list of outputs) comprises, first, an amountofBitcoins, denominated in satoshis (the smallestBitcoin unit),and secondly, a locking script to "lock" this amountbyspecifying theconditions that must be mettospend theoutput. The locking script is called scriptPubKey,because it usually containsapublic key or Bitcoin address.
11 From https://en.bitcoin.it/wiki/Transaction#general_format_.28inside_a_block.29_of_each_input_of_a_transaction _-_Txin 8 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz
Fig. 5: Generaltransaction format (from: https://en.bitcoin.it/wiki/Transaction) Breakingdown aconcretetransaction script (with onlyasingle inputand output) andde- serializingit, we obtain thefollowing structure,where values aredisplayed in hexadecimal. 01 {"hash":"8ac3455…", 02 "ver":1, 03 "vin_sz":1, 04 "vout_sz":1, 05 "lock_time":0, 06 "size":224, 07 "in":[ 08 {"prev_out": 09 {"hash":"aee433…", 10 "n":0}, 11 "scriptSig":
Algorithm1:Insideasimpletransaction (one inputand oneoutput) In thefollowing,algorithm1is explained line by line.In Line 1, we seethe remainderof atransaction, 8ac3455....Thisisused as an identifier for thetransaction,followed by theversion number of theBitcoin protocol in Line2and thenumberofinputsand outputs (one of each in this case)inLines 3and 4. The lock_time parameter in Line 5 controls when atransaction should be finalized. FormostBitcoin transactions carried outtoday, the lock_time is setto 0, which meansthe transactionisfinalized immediately. The size of thetransaction in bytes is describedinLine6. The Bitcoin Universe 9
Lines 7to 11 define thetransaction input,which is taken from theoutputofanearlier transaction, andusesthe hash of this earliertransaction in Line 9. Theparameter n in Line 10 denotes that this is thefirst output from that transaction. The scriptSig parameterin Line11containsthe signature of thesender, followedby aspace,and then the corresponding public key (the unlockingscript). Lines 12 to 14 give theoutput of thetransaction: Line 13 givesthe valueofthe output, andLine14 contains the scriptPubKey (the unlocking script)valuewith theBitcoin address (
To verify atransaction, theBitcoin validation engine relieson two typesofscripts: a locking script and an unlocking script, as shown in Fig. 7.
Fig. 6: Bitcoinlocking andunlocking scripts(from:Mastering Bitcoin[AA17]) Here,onlythe standard ‘pay to public keyhash’ (P2PKH) transactionwillbediscussed. P2PKH is themostcommonly used transaction type,and is used to send transactions to Bitcoinaddresses. Bitcoinusesasimple stack-based12 language called a script to describe how Bitcoins can be spentand transferred. It is intentionally not Turing complete,and has no loops to avoidaconditionwhere ascriptruns forever.Thisscripting languageusesa reversePolishnotationinwhich everyoperand is followed by itsoperators.Itisevaluated from left to right,using a‘lastin firstout’(LIFO) stack.Ascript uses various opcodes (operationalcodes)to define itsoperation. Each node examines atransaction as it arrives, and then runsaseries of checks to verify it. Thesechecks13 aredefined in theprotocol rules.Every Bitcoin nodevalidates
12 Note:The stackshold bytevectors.Whenusedasnumbers,bytevectors areinterpreted as little-endian variable-lengthintegers, with themostsignificantbit determiningthe sign of theinteger.Bytevectors areinterpreted as Booleans, whereFalse is represented by any representationofzero andTrue is representedby anyrepresentationofnon-zero. 13 https://en.bitcoin.it/wiki/Protocol_rules 10 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz transactions by executingthe lockingand unlockingscripts simultaneously14.For each input in thetransaction,the validationsoftwarefirst retrieves theUTXOreferenced by the input.ThisUTXOcontainsthe lockingscript that definesthe conditions required to spend it.The validationsoftwarethentakes the unlockingscript contained in theinput attempting to spendthisUTXO, andexecutes thesetwo scripts. First, theUTXOisunlocked, and then it is spent. scriptSig is provided by theuserwho wishes to unlock thetransaction, while scriptPubKey is part of thetransaction output andspecifies theconditions that need to be fulfilled in order to spend theoutput.
Fig. 7: Bitcoinstack operation Ascriptisaninstructionlistpairedwitheach transactiontodescribehow to gain access to thetransferred Bitcoins.Fig.8showsastep-by-step executionofthe combined script, which will determinewhether or notthisisavalidtransaction.The executionstarts(from leftto right) by pushing thevalue
14 In theoriginalBitcoin client,the unlockingand lockingscripts were concatenated and executed in sequence.For security reasons,thiswas changedin2010. The Bitcoin Universe 11 pushedontothe stack, andthisisduplicated in thenextstep with theoperatorDUP. The operatorHASH160 hashes thetop item of thestack using RIPEMET160(SHA256(pubKey)),and pushesthe resulting valueontothe stack. Thevalue
2.3The BitcoinBlockchain: TheMining Process
Theblockchain is apublic ledgerproviding atimestamped,ordered,and immutable list of alltransactions on theBitcoin network.Due to thedesign decision in theBitcoin network wherebyeach blockcannotexceed alimit of 1MB, theaverage numberof transactions persecond is around seven, i.e.,afairly lownumber. Sincetransactions can be launched any time,the number of transactions waitingin themem-pool15 tends to increase,and reached about50 million in January2018. After validation, thetransaction must be includedintoablock. To do this,the miner (the node)picks transactions fromthe mem-pool, recursively hashing pairsoftransaction hash values untilthere is only oneremaining; this is called theMerkleroot [RM80].The cryptographichash algorithmused in Bitcoin’s Merkle treesisSHA256, applied twice, also knownasdouble-SHA256. We now take acloserlookatablockrespectively theblock chain (see Fig. 9). Consider a blockasadata structure that aggregates transactions.The block consists of aheader with some metadata, mainly followed by thelistoftransactions.The blockheaderhas asizeof 80 bytes,while theaverage transaction is at least250 bytes and ablock cancontain up to 4000 transactions.
15 Mem-pool size: https://blockchain.info/charts/mempool-size? 12 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz
Fig. 8: Theblockchain Theblock header consists of areference to aprevious blockhash; this connects theblock to theprevious block in theblockchain.The second setofmetadata, containing thetarget, timestamp andnonce,relatetothe miningcompetition. Thethird part of themetadatais theMerkletreeroot, as describedabove. When aminer (a node) hasput thesedatatogether,itcan startthe processoflinking the newblock to theblockchain.Asan incentivetominerstospend computingpower in the mining process, they receivetwo typesofrewards for mining. Firstly, they earn newcoins, which arecreated with each newblock in theso called coinbase transaction automatically. That grantsthe miningrewardto theminer.Secondly,theyreceivetransaction fees from theremainingtransactions includedinthe blockwhich areproportionaltothe size (1000 satoshis perkB). To earn theserewards,all miners competetosolve adifficult mathematicalpuzzlebased on acryptographichash algorithm. Thesolutiontothisproblem,i.e., theproof of work (PoW), is copied into thenew block. ThePoW is seen as proof that aminer spent significant computingeffort.The competition to solvethe PoWalgorithm to earn rewards and theright to add transactions to theblockchain is thebasis of Bitcoin’s security model. To run thePoW,the miner firsthas to hash theblock header,including theblock hash of theprevious block, andcompare it with apredefinedtargetwhich is storedinthe nBits parameter of theheader. Also thetargetisformally definedastarget = 2224/d (where d denotes thedifficulty).Inthe concrete implementation it can be retrievedfromthe hex representation of theblock header (80 bytesintotal) using the73-76 byte.Because this number, however,isinlittle-endian thebytes have to be reversed.Now thetargetcan be (8 (e-3)) calculated fromacompactscientificnotation(target = c*2 )where thefirst byte denotes theexponent e and thenext3bytes thecoefficient c.The proofofwork is formally definedas:
224 PoW= Fd(c|x) ® SHA256(SHA256(h|x) ≦ 2 /d The Bitcoin Universe 13 where h canbeseenasachallenge, x the nonce and d theactual difficulty [RW16].If Fd(h|x) is not smaller than thecurrent target,the miner will modify thenonce (usuallyjust incrementing it by one)and calculate theblock hash again.Atthe currentlevel of difficulty in theBitcoin network, miners have to try quadrillions of times before finding anonce that results in alow enough blockheader hash.The length of time it takes to mine ablock can be controlled with thedifficulty,16 d.Inorder to keep theblock generation time to 10 minutes on averageregardlessofthe technology (increasing computepower of miners) used,the difficulty of mining must be adjusted.Infact, difficulty is adynamic parameter that is periodically(every 2016 blocks or every14days) adjusted to meet a10-minute blocktarget. Adjustment of thedifficultyoccurs automatically andindependently on every fullnode after every2016 blocks,and allnodes retargetthe proof of work difficulty.The equation forretargeting difficultycomparesthe time to find thelast2,016 blocks to 20,160 minutes,i.e., thetimeneededbased on the10-minuteaverage block generation time.This can be putin simple terms as follows: if thenetwork is finding blocks faster than every10 minutes,the difficulty increases; if blockcreation time is slower than expected,the difficultydecreases. Thelaststep in Bitcoin’s consensusmechanism is theindependent validationofeach new blockby everynodeinthe network. As thenewly solved blockispropagated acrossthe network,eachnodeperforms aseriesoftests to validateitbeforepropagating it to its peers. This ensuresthatonly valid blocks arepropagated on thenetwork. This independent validationalsoensures that miners whoact honestlyhavetheir blocks incorporated in the blockchain,thus earning thereward.
2.4The BitcoinConsensus
Whileminingisprimarily incentivized by thegeneration of rewards,the underlying purposeofminingisnot therewardorthe generation of newcoins but theachievementof adecentralized consensusin atrustlessnetwork.Mining enablesanetwork-wide consensuswithout acentral authority. Thefirst practicalimplementation of adistributed consensusin atrustlessnetwork was realized by Bitcoin,which uses public keycryptography with PoWbased on hashcash17 [AB02]. Thekey innovationhereisthe idea of an orderedlistofblockscomposed of transactions andcryptographicallysecuredbythe PoWmechanism. Bitcoin’s decentralizedconsensus arises from theinterplay of four processesoccurring independentlyonnodes acrossthe network:
16 Theblock header also contains thedifficulty target in anotationcalled"difficulty bits"orjust "nBits." This is expressedinacoefficient/exponent format,with thefirst twohexadecimal digits representingthe exponent and thenext sixhex digits thecoefficient.
17 http://www.hashcash.org/ 14 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz
• Independentverificationofeachtransaction by everyfullnode, basedon a comprehensivelistofcriteria(https://en.bitcoin.it/wiki/Protocol_rules). • Independentaggregation of thesetransactions into newblocksby mining nodes, coupled with computationaleffortsusing aproofofwork algorithm. • Independentverification of thenew blocks by everynode, andassembly into a chain. • Independentselection by everynodeofthe chain with themostcumulative computationaleffort, demonstrated through proof of work.
Fig. 9: The51% attack (calculated from M. Rosenfeld [Ro12]) Becauseofthe distributed nature of Bitcoin, two nodesmay announce avalid block simultaneously,meaningthatthere existtwo blockchainscontaining different transactions.Thissituation depends on theblock creationtimerelativetothe block propagation time,and is addressedbythe Bitcoin network acceptingonly thelongest chain. In this case,the shorter chain will be considered orphaned;thisisapoint at which theBitcoin network is vulnerable. This vulnerabilityisknownasthe 51% attack (see Fig. 9).In this scenario,amineror group of miners (miningpools)thatcontrolamajority (51%) of thetotal network’s hashingpower can attack theBitcoin blockchain.Inthistypeofattacks,the attackerscan leverage/causeforks in theblockchain for theirown benefit. Forexample,one could double-spend transactions or “prohibit”transactions from executing. Adouble-spend attack is onewhere theattackerdeliberatelycausesforks at aprevious position in the The Bitcoin Universe 15 blockchain.With sufficientpower,anattackercan invalidate six or more blocks in arow, causing transactions that were considered immutableto be invalidated.
Fig. 10: Security timeline18
As explainedabove,the chance of asingleminer solvinganewblock beforethe rest of thenetwork,which takes10minutes on average, is very low. Even with substantial computingpower,the olderatransaction/blockbecomes,the harder it wouldbefor an attackertochangeit(Fig. 11).
3The DrawbacksofBitcoin
Although theBitcoin network is themostwell-known example of acryptocurrency, there is currently adiscussion aboutits technicaldrawbacks.
3.1Definingthe Drawbacks
Firstly,the fairly smalltransactiontime of 7tps,which is aresultofthe definedblock size of 1MBand theaverage block creation time of 10 minutes,isunderdiscussion.This limitation, together with thehighpopularity of Bitcoin, hasresulted in adramaticincrease in themem-pool(more than 50 milliontransactionsare currently waitinginthe mem- pool19)and thereforeinamassive delay in transactions. Anotherdrawback concerns scalability.The size of theBitcoin blockchain reached approximately 154GBinFebruary2018,and is growingatarate of 6MBper hour (52GB
18 Adopted from: http://www.imponderablethings.com/2013/07/how-bitcoin-works-under-hood.html 19 https://blockchain.info/charts/mempool-size? 16 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz peryearonaverage). Although storagecapacityisnot arealissuetoday,itislikely to become an issuefor smalldevices,possiblyinthe IoTarena. Bitcoin transactionfees arealso an issuebecause they depend on theactualBitcoin marketvalue. This depends on avariety of factors,and some wallets allow usersto manuallyset transactionfees,but thestandard feeisabout0.0001BTC/kB.Atthe current marketvalue of about $8,700 perBTC,the standard transaction feeisabout$8 with avery high volatility($52 as of December23rd,2017).For smalltransactionamounts,thisfee is thereforeprohibitively high (for more information, seehttps://bitinfocharts.com/20). At theoutsetofthe Bitcoin network,itwas possibletorun theproof of work algorithmon theCPUs of nearly all computers. However, with theemergenceofGPU andASIC hardware, it hasbecomeincreasingly difficult for singlemining nodes to stay in therace. At this time,miningpools or groups of cooperating miners whoagree to shareblock rewards in proportionto theircontributed mining hash power have come into play.While theseare desirablefor theaverage miner, they unfortunately concentratepower within the mining pools. Today thereare about 20 majormining pools.Relativeto thehashpower controlled by apool and its location, it canbeconcludedthatChinese pools control approximately 81% of thenetwork hash rate.Thisdefacto centralization contradicts SatoshiNakamoto’s original idea of arealdecentralized network of cryptocurrency,and poses athreat to thecoreconceptsunderlying Bitcoin. Last butnot least, thecurrent powerwastage of theBitcoin networkhas been widely discussed in themedia,since alltransactions and themining of blocks (the PoWeffort) aredoneindependently by every miner in theworld.Whenaminer hassuccessfully mined ablock,itispropagated to allthe others,resulting in thecurrent mining processbeing terminated and all otherminerslosing theracefor rewards,thus wasting allthe invested energy.The currentenergy consumptiondue to Bitcoin(as of February2nd,2018)21 is about 46.8TWh; this is theequivalentofthe energy consumption of asmall country such as Denmark.22 This should,however,beviewedincomparisonwiththe power consumptiondue to Googlesearches, Facebook usageand thedatacenters of thefinancial industry, which is alsoknowntobeextremely high.
3.2Countermeasures
Theseissues reviewed aboveare well knowntothe Bitcoincommunity,which is working hard to overcomethese shortcomings.The main approaches aredescribed in theBitcoin ImprovementProposals (BIP)which can be found on Github.23 Numerous scaling solutions have been proposed for theabove drawbacks.
20 https://bitinfocharts.com/ 21 https://digiconomist.net/bitcoin-energy-consumption 22 https://en.wikipedia.org/wiki/List_of_countries_by_electricity_consumption 23 https://github.com/bitcoin/bips/blob/master/README.mediawiki. The Bitcoin Universe 17
Thefirst intuitiveapproach for increasing thetps is to expand theblock size.The current blocksizeof1MB wasset in 2010 forsecurity reasons,toprevent miners from creating large spam blocks.Since thetransaction volume hasincreased with thewidespread usage of Bitcoin, an increasein thelimit of 1MBbecamethe subjectofvociferous debate in 2015. This debate is still ongoing,and themain focusisonwhether such an expansion should support theold versionof1MB (softfork) or not(hard fork). Anotheroptionthathas been discussedistopushthe myriad tiny transactions from gambling or crowd-working sites “off-chain”. This approach is knownasthe Lightning Network24,whereby transactions aresentoveranetwork of micropaymentchannels.This wouldallowtwo userstocarry out theirtransactions in aprivate room,and to then add theirdataback on theblockchainatanagreed time.However,eventhiswould require a soft fork of theprotocol to getstarted.The most prominentcontendertoapply ascaling solution basedonsidechainssuchasthe Lightning Network is Blockstream,25 which offers paid side chain services. Miners arecompensated for theircosts in terms of CPU, network traffic, disk spaceand memory throughfeesthatare proportionaltothe size (inbytes)ofeach transaction. However, each part of atransaction doesnot have an equalimpactonthe cost or theability of Bitcoin to scaletosupportmoretransactions.The most expensiveparts of atransaction arethe newly created outputs,asthey areadded to thein-memory UTXO set, whilethe signatures(witnessdata) add theleastload to thenetwork and thecostofrunning anode, sincewitness data areonlyvalidated onceand then neverused again.Therefore,one idea is to discriminatebetween thesetwo typesofdatarelativeto theburdenatransaction imposes on thein-memory UTXO set. Aproposal called segregated witness(SegWit)26 hasbeen put forwardwhich separates transactionsignaturesfrom thetransactions themselves.SegWittherefore hastwo main effects: it is able to both increasethe number of transactions andto decreasethe cost of transactions (fees).
4The BitcoinApplicationPoint of View
Although theBitcoin architecture wasdesignedprimarily formonetarytransactions,itis also possibletoextend it to smartcontractswith some restrictions.The Bitcoinscripting languageisalsonot Turing complete, anddoesnot allowany algorithmrunningittobe extended beyond apaymentinfrastructure. Sincethe Bitcoin architecture servesto keep internaltransactions valid, it canalsobeused to confirm andvalidatespecific, external, non-Bitcoin transactions.In otherwords,it enables theapplication of decentralized publicledgers for purposesother than digital currencies.Manycompanies such as IBM,SAP, Amazon andothersare therefore
24 http://lightning.network/lightning-network-paper-DRAFT-0.5.pdf 25 https://www.blockstream.com/ 26 https://segwit.org/ 18 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz experimentingwith blockchain applications.These developments maydisruptthe way peopledo businessinthe future.
Fig. 11:The timestamping proof(www.originstamp.org) Oneremarkableproperty of theblockchain is its time stampfeature.The wholenetwork essentially validates thestate of awrapped pieceofdata(called ahash) at acertain specific time. Theblockchain, hence, essentially confirmsthe existenceofarecord at a stated time, which is provable in acourt of law. Untilnow,onlycentralized notaryservices couldserve this purpose. This proof of existence allows usersto upload afileand pay atransaction feeto have a cryptographicproof (the hash of adocument) includedonthe Bitcoinblockchain, although thefileitselfisnot stored onlineand thereforedoesnot risk unwanted publication (see Fig. 12).The documentishence timestamped usingthe blocktimestamp.Another applicationconcerns decentralizedfile storage on theblockchain,which is likely to disrupt data storageand cloud computingwithin thenextfew years. Platforms likeSia27 or Storj28 useBlockchain technology to decentralize data storageby dividing up files, encrypting and transferring them all around theworld. Theaccompanying
27 https://sia.tech/ 28 https://storj.io/ The Bitcoin Universe 19 cryptocurrencies(Siacoin, Storjcoin)incentivize usageand to create amarketfor decentralizedstorage. Beside theBitcoin blockchain thereare severalother platformsavailable for building distributed applications based on theblockchain technology. BlockApps,for example,is agood waytobuild decentralized blockchain-based applications.STRATO, BlockApps’s29 most prominentproduct,isafull-stack technology solution that allows usersto build applications on top of their owncustomizedpermissioned private blockchain.Thisisbuilt on theEthereumblockchain whichcan be seen as asecond generation blockchain with abuilt in programminglanguage basedonvirtual machine concept. Many of theseapplications arebeingcurrently developed, but thefuturepotential of blockchain applications is stillunfolding.The next fewyearswillinvolveexperimenting and applying this technology to allaspects of theeconomy.Regardlessofwhich applicationcomes firston aglobalscale.The blockchain is here to stay,and is transforming how business functions [DD17].
5Conclusion
Theblockchain technology firstdescribed in 1991 by Haberand Stornetta [HS91],in 1996 by Anderson [An96] and in 1998 by Schneier andKelsey [SK98] got its sheerpopularity through thefirst implementation of this idea as adistributed ledgercalled Bitcoin by SatoshiNakamotoin2008/09. Basedonasimple scripting algorithm, theBitcoin architecture promises secure andanonymous transactions for transferring money. However, theunderlyingblockchain technology hasamuchwider potential than simply transferring money. As shown in this paper, transactions arefirst analyzed basedon Bitcoin’s protocol rules, and then validated usingascriptinglanguagebased on locking and unlocking scripts. If a transactionissuccessfully validated,fullBitcoin nodes(miners) will select transactions from thememory-pool, hashing pairsoftransaction values until only onehash remains (the Merkle root), andthenanchoring thetransaction tree into theblock header.After choosinganonce, thecompleteblock header will be hashed andthe result compared to a defined targetwith thePoW mechanism, as described above.Ifthe hash valueofthe block header is lessthan thetarget, theblock is mined, therewards arepaidout to thesuccessful miner,and thetransaction is includedinthe blockchain.After at leastsix blocks,a transactioncan be considered irreversible. Although thesecurity modelofBitcoin promises complete privacy,itisnot in general anonymous.Asdescribed above, theblockchainispublic, meaning that anyonecan see everyBitcoin transactionfromthe genesisblock onwards.Bitcoin addressescannotbe
29 https://blockapps.net/ 20 Paul Mueller, SonjaBergsträßer, AmrRizkand Ralf Steinmetz directly associated to real-world identities though.Nevertheless, agreat deal of work has been carried outonhow to de-anonymize theBitcoin network.30 Furthermore, identification will be retrospective, meaning that someone who carried outatransaction in 2018 will stillbeidentifiableon thebasis of theblock chain in,say,2040. Even if onedoesnot believein thespecific cryptocurrency Bitcoin itself,the underlying blockchain technology will certainly surviveand gain in relevance. In summary, Bitcoin, and especially theunderlying blockchain system,isavery valuable technology froma scientific computer pointofview (beitincomputer science or otherrelated fields such as information systemsororganization studies), athread for some businesses, and agold minefor speculators [FH17].
6References
[AA17] Antonopoulos, A.M.:Mastering Bitcoin, O'Reilly Media, Inc.,2017. [AB02] Back,A.: Hashcash -Adenial of servicecounter-measure,2002. [An96] Anderson,R.J.: TheEternityService,Pragocrypt,1996. [DD17] Drescher,D.: Blockchain Grundlagen,mitpVerlag, 2017. [DW13] Decker,C.and Wattenhofer, R.:Information propagationinthe Bitcoin network, IEEE P2P2013 Proceedings,2013. [FH17] Fraunhofer-Gesellschaft:BLOCKCHAINUND SMARTCONTRACTSTechnologien, Forschungsfragenund Anwendungen, 2017. [HS91] Haber, S. andStornetta,W.S.: Howto Time-Stamp ADigital Document,Journalof Cryptology,Vol.3,No.2, pp.99-111, 1991. [JB04] Buchmann,J.: Introduction to Cryptography,2004. [RM80] Merkle,R.C.: Protocolsfor publickey cryptosystems, In Proc. SymposiumonSecurity andPrivacy,IEEE Computer Society, 1980. [Ro12] Rosenfeld, M.:Analysisofhashrate-based double-spending, arXiv:1402.2009, 2009. [RW16] Wattenhofer, R.:The ScienceofBlockchain, Inverted Forest Publishing,2016. [SK98] Schneier, B. andKelsey, J.:Cryptographic Support forSecure Logs on Untrusted Machines,in TheSeventh USENIX Security SymposiumProceedings,pp. 53–62. USENIX Press, Januar 1998 [SN08] Nakamoto,S.: Bitcoin: APeer-to-PeerElectronicCashSystem, 2008. [SW05] Steinmetz, R. andWehrle, K.:Peer-to-PeerSystems andApplications, 2005.
30 https://scholar.google.com/scholar?q=de-anonymization