An empirical study of and lessons for decentralized namespace design

Harry Kalodner*, Miles Carlsten*, Paul Ellenbogen*, Joseph Bonneau†, Arvind Narayanan* *{kalodner,carlsten,pe5,arvindn}@cs.princeton.edu †[email protected] Princeton University

Abstract can be thought of as implementing a namespace. To be memorable by humans, namespaces must sup- Secure decentralized namespaces have recently port arbitrary user-chosen strings as names. To be become possible due to technol- secure, namespaces must map each name to the ogy. They enable a censorship-resistant domain- same value for all users; adversaries shouldn’t be name system outside the control of any single en- able to convince a user that any other value is cor- tity, among other applications. Namecoin, a of rect. , is the most prominent example. We initiate the study of decentralized names- The problem of decentralized namespaces has paces and the market for names in such systems. long been recognized as an important one. The Our extensive empirical analysis of Namecoin re- DNS is a critical yet centralized component of the veals a system in disrepair. Indeed, our methodol- and those who control it can alter the web ogy for detecting “squatted” and otherwise inactive for all users. The controversies around the shut- domains reveals that among Namecoin’s roughly downs of .org and the 2011 domain 120,000 registered domain names, a mere 28 are name seizures by the U.S. DoJ and DHS illustrate not squatted and have nontrivial content. Further, why many researchers and activists have sought de- we develop techniques for detecting transfers of do- centralized alternatives [1]. mains in the Namecoin block chain and provide The above three properties — security, user- evidence that the market for domains is thin-to- chosen names, and — are known nonexistent. as Zooko’s triangle [2]. Until 2011, designing a We argue that the state of the art in mecha- system that exhibited all three was conjectured to nism design for decentralized namespace markets be impossible [3]. The rationale was that enforc- is lacking. We propose a model of utility of differ- ing the uniqueness of name-value mappings and a ent names to different participants, and articulate consistent view of the directory for all participants desiderata of a decentralized namespace in terms would require a centralized server or a hierarchy. of this utility function. We use this model to ex- plore the design space of mechanisms and analyze and Namecoin. Cryptocur- the trade-offs. rency technology enables building a namespace with all three properties. Put simply, the block chain is a global, distributed data structure that can 1 Introduction be repurposed as a directory. Miners execute a con- Decentralized namespaces. We initiate the sensus protocol to establish the state of the system study of decentralized namespaces from an eco- and are incentivized to do so by mining rewards nomic perspective. A namespace, as we define it, they receive in exchange for their participation. As is an online system that maps names to values. The long as a majority of miners — weighted by com- (DNS) is the most promi- puting power — follow the protocol, all users will nent example. A web service such as that see a consistent view of the directory when they allows users to claim usernames and create profiles query it. This in turn gives the system, and hence

1 the underlying currency, economic value, making names (Section 4). This allows us to iteratively fil- miners’ actions profitable to them. ter our dataset of around 120,000 registered names Namecoin is a cryptocurrency that realizes a de- in Namecoin, leaving a mere 28 that are not squat- centralized namespace. It is the first altcoin from ted, and have nontrivial content. Bitcoin with its own block chain. It offers the We then delve deeper into the economics of same features as Bitcoin with the addition of a names. Namecoin has a built-in ability to transfer name/value store that can be used to hold arbitrary names, which is a secure way to trade them using data (see Section 2). The name/value store supports the block chain. However, it is not obvious which various applications; primarily, Namecoin has been transactions correspond to such sales, as opposed to used for domain-name resolution for the ‘.bit’ alter- regular name updates. We develop a novel analytic native TLD, and by the online identity service, One- technique to distinguish the two types of transac- Name, which utilizes the Namecoin block chain to tions and find evidence for about 250 transactions record data about its members. in the entire history of Namecoin that may represent Namecoin offers a novel solution to the techni- sales of names (Section 5). Of course, it is possible cal challenges of decentralized namespaces. How- that more sales have occurred off the block chain, ever, there are also economic challenges. These but there doesn’t appear to be a widely known mar- arise from the fact that although namespaces theo- ketplace for Namecoin names. retically support infinitely many names, the supply Based on all the empirical evidence we present, of names that are memorable and meaningful to hu- we are left to conclude that the Namecoin ecosys- mans is scarce. Allocating these names to users is tem is dysfunctional. The vast majority of regis- therefore a mechanism-design challenge. The cen- tered names represent squatting and there is little tral thesis of this work is that this mechanism de- evidence of a secondary market for names. While sign challenge is far harder than realized. A system there could be many factors that explain the lack that gets it wrong may “work" in a narrow technical of adoption, there appears to be clear room for im- sense, but may not be useful to real users. provements in the design to minimize squatting and Specifically, there are several crucial questions to other problems. To this end, in Section 6, we ex- consider: how do we model the economic behavior plore the design space of decentralized namespaces of the users of a namespace and what are the goals and make recommendations. of mechanism design for namespaces? How well Why study namespaces? Although we find does Namecoin succeed at attaining these goals and that the Namecoin ecosystem is in disrepair, study- what are its limitations? If Namecoin is not the ing namespaces is important. While there cur- ideal design, can we analyze the design space as a rently doesn’t seem to be widespread dissatisfaction guide to the creators of future decentralized names- with today’s DNS causing users to seek censorship- paces? resistant alternatives, the existence of such alter- Our contributions. Along the above lines, we natives provides a valuable hedge against a poten- make the following contributions. We begin by tially abusive central authority. Besides, domain proposing a model of utility of different names to names are just one application of namespaces. Cen- different participants and articulating desiderata of tralized directories for user public keys have fared a decentralized namespace in terms of this utility much less well than DNS, and the service One- function (Section 3). We highlight the difficulty of Name, which we discuss in Section 8, is an inter- mechanism design even in a toy model and explain esting alternative. Yet other applications for names- the importance of making the model more realistic paces such as control of digital assets have been by incorporating extensions such as time-varying proposed. And of course, the problems posed by preferences. namespaces are intellectually interesting to study. The central contribution of this paper is a thor- We think decentralized namespaces have many im- ough empirical analysis of the Namecoin ecosys- portant applications, but their promise hasn’t been tem. We develop a series of criteria based on the realized so far. Our work helps understand why this block chain, network behavior, as well as content to might be and lays the groundwork for a more rigor- distinguish active websites from parked or squatted ous approach to building such systems.

2 2 Background: Namecoin published in an append-only hash chain, called the In this section we cover the background of block chain. The block chain can be extended with Namecoin. We begin by looking at the history of new transactions by any participant, and such par- the cryptocurrency and then explain why a block ticipants (known as miners) obtain newly minted chain can be used for our definition of a namespace. Namecoin currency (NMC) and transaction fees We then proceed to discuss the technical design of from the transactions for performing this function. Namecoin and the mechanisms used in the design. Extensions to the block chain require a proof-of- We conclude this section with a discussion about work that rate-limits the process (to approximately the applications of Namecoin. one extension every ten minutes) which enables a A note about the term ‘namespace’. In com- steady inflation rate, ample competition among par- puter science, a namespace is simply a container ticipants to extend the block chain, and adequate for a set of names, so that names in a single names- time to obtain and verify the history of the block pace must be unique but the same name can exist chain for new participants. Informally, the proof- in different namespaces. We have chosen to use the of-work protocol in Namecoin is intended to main- term in a related but different way: it’s a system that tain the following two essential properties about the includes client and server software, users, a mecha- block chain: nism, and so on. In fact, Namecoin contains names- • Every party eventually agrees on the order and paces in the computer science sense, which we term correctness of transactions in the block chain. subspaces in this paper. • Any party can publish a transaction (for a 2.1 History fee), which will then be verified and, if valid, Namecoin is an alternative cryptocurrency, or alt- included in the block chain within a small coin, modeled after Bitcoin [4]. Furthermore, it is bounded delay. the first altcoin in the sense that it was the first to create its own block chain, separate from Bitcoin’s. One use case for a block chain is a tamper- Namecoin shares many similarities with Bitcoin, evident log. That is, it can be used as a data struc- including the same method for proof-of-work, the ture that stores user-supplied data, and allows users same coin cap, the same block creation time, and to append data to the end of the log. Each new block all of the same transaction operations (with a few has a hash of the previous block, so if data that is additions). Namecoin was inspired after discus- earlier in the log is altered, it will be detected. If sions about a BitDNS [5] protocol using a block an adversary wants to tamper with data anywhere chain to manage a domain name lookup service. in this entire chain, in order to keep the hash point- The motivation was that a central authority man- ers consistent, he will have to tamper with the hash aging domain names, such as ICANN, requires too pointers all the way up to and including the cur- much trust in a single entity and represents a sin- rent block. Thus it emerges that by just remember- gle point of failure. The first Namecoin block was ing the single hash pointer of the head of the chain, mined in April 2011, and as of this writing, over users essentially remember a tamper-evident hash 215,000 total blocks have been mined in the Name- of the entire list, all the way back to the genesis coin system. Because of its similarities with Bit- block. Namecoin, and all block chain based cryp- coin, Namecoin was able to be merge-mined and tocurrencies, use this tamper-evident log in order to has been merge-mined with Bitcoin since October record all the transactions between users. 8, 2011 (see the next subsection). Block chain security. The value and stability of a cryptocurrency are directly related to the amount 2.2 Description of the block chain of proof-of-work involved in the calculations of the Namecoin is minted and maintained by a decen- blocks because this work is what keeps the data tralized peer-to-peer network.1 Namecoin transac- distributed and secure in the tamper-evident block tions require the digital signature of the account chain. For both Bitcoin and Namecoin, the proof- holder to prevent theft, and every transaction is of-work is shown by calculating the hash of a new 1This description is adapted from [6]. block and a random nonce over and over until the

3 calculated hash has a certain number of leading ze- than in plaintext, is to prevent front-running, which ros. The number of leading zeros required by the we will explain in Section 6. The NAME_NEW op- hash is referred to as the difficulty threshold. Name- eration acts as a signal in the block chain for name coin enjoys a very high difficulty threshold for the parsers to indicate that the next part of the script- proof-of-work because it is similar to Bitcoin and PubKey will be the hash commitment to a name. supports “merge mining” with Bitcoin. This means NAME_FIRSTUPDATE. After doing this, and that miners who are mining Bitcoin can also choose waiting for 12 or more blocks on top of the one to mine Namecoin at the same time with no ex- containing the NAME_NEW transaction (to ensure tra work. Essentially, this is because the miner is that the block chain reaches consensus on the using their computational power to solve a crypto- NAME_NEW transaction), the same user can use graphic puzzle that satisfies the proof-of-work for the output of the NAME_NEW transaction as the both block chains at the same time. This is advan- input for the NAME_FIRSTUPDATE transaction. tageous for the miners because they are rewarded Once completed, this will associate the chosen with coins from both systems, and helps Namecoin name with value selected by the user. Simi- because it gives the Namecoin network a vastly in- lar to NAME_NEW, NAME_FIRSTUPDATE allows creased amount of hash power over what it would data to be posted in the block chain as part of the have if it did not support merged mining. Includ- scriptPubKey of a special transaction. To create a ing the merge miners, Namecoin has aproximately NAME_NEW transaction, a user will select, as input, one third the hash rate of Bitcoin. This provides the output of the NAME_NEW transaction. They will resilience to a 51% attack, although a sufficiently then use another address they control as the out- large Bitcoin could still execute this put for the transaction. The scriptPubKey of this attack. transaction will contain a NAME_FIRSTUPDATE, the name desired, the random nonce used in the 2.3 Technical details of names NAME_NEW hash commitment, and the first value In this subsection and the next, we present details for the name to take.2 In order for this transaction to of Namecoin, separating the technical solution from be valid, a miner will verify that the name and the the mechanism design choices. provided nonce do, in fact, hash to the commitment The feature that separates Namecoin from Bit- in the appropriate NAME_NEW transaction. The out- coin is that Namecoin is a namespace, and can be put of this transaction now contains the token repre- used to register name/value pairs that can be stored senting the name/value pair for name and value, in the block chain and traded amongst individu- and whoever can unlock and spend the output can als. This registration is done using the three script utilize the final new operation, NAME_UPDATE. operations exclusive to Namecoin: NAME_NEW, NAME_UPDATE. The third and final new op- NAME_FIRSTUPDATE, and NAME_UPDATE. In eration in Namecoin is the NAME_UPDATE opera- order to understand the registration process, we tion. Again, this operation’s arguments (the name think it is helpful to walk through the registration and newValue) are stored in the scriptPubKey of process of name, roughly following Figure 1. a special transaction. This transaction must have as NAME_NEW. To start, the user will need to se- input a NAME_FIRSTUPDATE or NAME_UPDATE lect a coin to be crafted into a token (or special output with the same name. This operation has coin) that represents a name and whose value can three uses: updating, renewing and trading a name. be changed by whoever possess the token. The If the user wants to change the value associated next step to register a name is to make a transac- with a given name, they will update name with tion that uses the NAME_NEW script operation in a this operation, providing a newValue. If names transaction sending the token from one of their ad- can expire, as they do in Namecoin, then this opera- dresses to another. Using NAME_NEW, a user can tion can also be used to renew a name by providing indicate an interest in name for a name/value pair a newValue that is the same as the old value. by posting a hash commitment of the desired name 2There are also other operations that exist for reasons of in the scriptPubKey of the transaction. The reason compatibility with Bitcoin; this seems to exist to minimize the user posts the name in hashed form first, rather changes to Bitcoin’s script handling code.

4 Figure 1: Namecoin name registration protocol described in Section 2.3

In either of these cases, the user will use an ad- client, is 0.005 NMC on each transaction. Histori- dress they control as an output of the transaction. cally, Namecoin also had a network fee attached to The final reason to make a NAME_UPDATE trans- the NAME_FIRSTUPDATE transaction. The net- action is to trade the special coin to another user. work fee is different from the transaction fee; the In this case, the user will put, as an output, one transaction fee is paid to the miners, whereas the of the other user’s addresses instead of their own. network fee was destroyed (with an OP_RETURN) Once the transaction resolves, the other user will when a NAME_FIRSTUPDATE transaction was have control over the special coin and can change confirmed. The network fee varied over time — the value to whatever they deem fit. Because the it started at 50 NMC at the genesis block, but de- ownership of name is associated with the owner- creased by a factor of 2 every 8192 blocks (which ship of the special coin, if the buyer is paying for is approximately 2 months). The purpose of the net- the name with Namecoins, the exchange between work fee was to have a large initial cost to claiming the payment and the name can be atomic (meaning names to deter users from quickly claiming all the they happen in the same transaction and either are desirable names, but then decay off so that eventu- only valid if the other is as well). ally the cost of registering a name becomes negli- gible. As of block 85585, the network fee became 2.4 Mechanism design small enough that it rounds to 0 and is no longer added onto the transaction. The current implemen- Fees. Namecoin has been implemented with tation of Namecoin has no fees other than the trans- various fees and protocols to incentivize the be- action fees and the investment of the token coin. haviors of the users. The special token used in the NAME_NEW transaction has a value of 0.01 Expiration. Namecoin has an expiration NMC. This coin will be not be spendable like time for names. Originally, the time period other Namecoins while it has a name attached for a name to expire was 12,000 blocks, but to it. For all of the transactions, NAME_NEW, by March 2012, the expiration period was in- NAME_FIRSTUPDATE, and NAME_UPDATE, the creased to 36,000 blocks (which comes out to default behaviour is to have the user pay a transac- about 250 days). If a particular name hasn’t tion fee to the miner. The current expected transac- been mentioned in a NAME_FIRSTUPDATE tion fee, which is programmed into the Namecoin or NAME_UPDATE in 36,000 blocks, the name

5 becomes available again for any user to claim There are a number of ways to resolve .bit do- with NAME_NEW and NAME_FIRSTUPDATE. mains to IP addresses with varying levels of se- Similarly, a NAME_UPDATE must cite a curity. The most secure option is running local NAME_FIRSTUPDATE or NAME_UPDATE DNS resolution software. The three major projects that is less than 36,000 blocks old as input. created for this purpose are NMControl [8], a lo- Changing the protocol. Changing the protocol cal DNS server, FreeSpeechMe [9], a add- in a cryptocurrency requires a “hard fork” or a “soft on, and DNSChain [10], another browser extension. fork” depending on the extent of the change. In a NMControl and FreeSpeechMe both hold a local mature system like Bitcoin, this is very difficult. copy of the block chain and query it for values as- In a fledgling system like Namecoin, however, it sociated with .bit domains. They parse the value is much easier has happened multiple times. Both of the name using the specification and seamlessly the addition of merge mining with Bitcoin, and the direct the user to the resolved IP address. increase in expiration length were not initially in There are a couple less secure options to access the design of Namecoin and required hard-forking .bit domains. Users can connect to specific DNS changes. In order to make these changes, the servers such as OpenNic [11] which support resolv- Namecoin community decided on arbitrary blocks ing .bit domains. However this requires trusting at which point the new protocol would be enforced. that the DNS server is working properly and ac- Explicitly, up to block 19,199 blocks that were curately reporting results. A final option is using merge mined with Bitcoin were not allowed into the a proxy server hosted in a standard TLD. This re- Namceoin block chain, but starting on block 19,200 quires no local configuration, but users must go to they were. example.bit by visiting example.bitproxy.com. OneName. The name/value data store in Name- 2.5 Applications coin has applications beyond DNS. OneName is an There are many different subspaces in Namecoin, online identity service that runs on top of Name- and the different subspaces correspond to applica- coin, making use of the data store. OneName is tions. When claiming a name, a user prepends the a centralized service, but one can use other clients name with a subspace ID and a slash. Namecoin to interact with the block chain in a way that’s was created to be very general so that it would be interoperable with OneName. The idea behind useful for any application that would benefit from OneName is that a user can have a name/value an online name/value store. While d/ has the most pair in the block chain that associates said name registered names, there are many used subspaces in with different online identities such as an email, Namecoin. The separation of namespaces is not GitHub, Twitter, and Bitcoin address. A One- enforced by the protocol in any way, but merely Name user can then confirm ownership of ac- agreed upon by consensus of all users, analogous counts on any of these services by referencing their to open web standards. OneName name through some messaging channel .bit Domains. The vision for Namecoin was in each respective system. For example, if Al- to use one of these subspaces for DNS lookup in ice wants to tie her twitter username to her One- the .bit TLD. Explicitly, Namecoin names associ- Name username, she must tweet the message “Ver- ated with .bit domains are prepended with the sub- ifying that +Alice is my openname (my Bitcoin space ID d/. If a user wanted the domain exam- username). https://onename.com/Alice”. ple.bit, they would claim the name d/example. This is similar to the verification scheme Keybase The owner of example.bit would then set the value [12] uses. A OneName account also has an asso- to their server address in a way that would be under- ciated Bitcoin address so users can easily find an stood by .bit compliant DNS servers as described in address to use to send to a particular indi- the .bit specification [7]. vidual, if they want. Most major web servers, such as Apache, ngnix, In order to make a OneName identity, a user and lighthttpd will accept connections through .bit can visit OneName’s website to create an account. domains with minor modifications to their per-site A user makes an account by selecting a username configuration files. and then optionally entering in their actual name,

6 their account names, a short biography and picture, and participation in the primary market requires the and a Bitcoin address. OneName takes the infor- associated cryptocurrency, the currency becomes mation given to it and automatically puts it into valuable. This incentivizes miners, making the sys- a name/value pair, with the name equal to the se- tem secure. lected username, and the value containing all the The (non) role of trademarks. Scarcity is also other data. If the username is not already claimed an issue in centralized namespaces, but it manifests by some user in the Namecoin subspace u/, then in different ways. One key goal of most central- OneName posts this pair into the block chain. If it ized systems is trademark protection. The trade- is already taken, the website will ask the new user mark system can be seen as a legal mechanism to to select a different username. If a user so desires, address the problems of name scarcity and limits of they can alternatively manually create a name trans- human memorability in the real world, independent action using the Namecoin client to create a name of any particular technological system. Most cen- value pair with a name in the u/ subspace and a tralized systems support some form of arbitration or value formatted to match the OneName specifica- dispute resolution in which trademark plays a role.3 tions. To incentivize using their website interface, In a decentralized system, on the other hand, there OneName covers the Namecoin fees for their users. is no easy way to enforce any rules that cannot be encoded algorithmically. As of yet there is no way 3 Modeling namespaces to cryptographically assert that one is the owner of a trademark, and this may be impossible given the Names are scarce. Many types of systems map complexity and nuance of modern trademark law. keys or names to values. In his essay introducing Primary and secondary markets, algorithmic his triangle, Zooko considers naming systems that agents. We use the term primary market to mean include a system mapping PGP key fingerprints to the part of the market where new names are issued keys. Fingerprints are hashes of keys. This would to users for the first time. By contrast, the sec- not qualify as a namespace by our definition be- ondary market deals with the sale of a name already cause users cannot pick arbitrary names — that in use. would require finding the hash pre-image of an ar- Whom do names “belong to” before they are sold bitrary name (fingerprint), a hard problem by the on the primary market? To answer this, we must un- definition of a hash function. Zooko (and similar derstand decentralized agents. Any cryptocurrency prior work) considers such systems to lack human can be thought of as an algorithmic agent executed memorability of names. We replace this criterion as a global, distributed computation. The agent has with that of user choice of names, which is roughly no capability to store private information but it can equivalent but easy to define rigorously. hold funds and transact with users of the system. In a system that maps key fingerprints to keys, Bitcoin encodes a very simple agent whose only names are fungible and essentially infinite, and thus function is to release currency into circulation at a not scarce and have no market value. On the other pre-specified rate.4 hand, in any system that we call a namespace, In a nutshell, the agent implemented by a names- scarcity is an almost inevitable consequence of free pace initially owns all names and sells them to user choice. Even when names are scarce, the sys- users. As we’ll see in Section 6, there are tem architecture can make names more or less valu- many variants including whether names are sold or able. For example, usernames on Twitter are more leased, whether or not they can be bought back, valuable than on Facebook — the username or han- how names are priced, what the agent does with the dle is a relatively important way to find a user on funds received as payment, and so on. Twitter, whereas on Facebook it is done more often by navigating the social graph. 3For example see ICANN’s Uniform Domain-Name The scarcity of names makes the design of Dispute-Resolution Policy [13]. 4 namespaces challenging. But it also makes the At the other extreme, altcoins such as allow any user to create an agent by making the central agent “Turing problem particularly amenable to cryptocurrency- complete,” that is, flexible enough to execute arbitrary pro- based solutions. Since names have market value, grams specified by users on their behalf.

7 The most straightforward implementation of a name to a given user may vary with time. This secondary market is to leave it entirely external to is particularly relevant to cryptocurrency-based the system. This is the approach taken by Name- namespaces — in addition to the usual network ef- coin, but again, a variety of choices are possible. fects that make the adoption of some new products We elaborate in Section 6. challenging, cryptocurrencies need to “bootstrap,” Squatting. Even though names are scarce, it’s which presents an additional difficulty in getting not obvious what “squatting” means. After all, ma- off the ground. A cryptocurrency may not be suf- terial goods are scarce, but we don’t usually char- ficiently secure if it has too few users. Thus, many acterize car owners as squatting on them. The dif- users may have a zero or negligible utility for all ference is that names have (vastly) different utility names until they decide that the namespace is se- to different users. A squatted name is one that is cure enough and has enough users to be worthy of owned by a user whose utility for that name is close taking seriously. to zero (or very small compared to the user who has Another aspect of complexity of the utility func- the most utility for that name), purchased in hopes tion is diminishing marginal utility. A user named of selling to another user whose utility is higher. John Smith may want either the name JohnSmith Is squatting a problem for the system? This is a or john-smith but not necessarily both. Time- tricky question. If squatting exists merely because variation and diminishing marginal utility make the one side of the primary market is an algorithm and mechanism design problem very tricky. doesn’t charge market price, then squatters could Suppose, to the contrary, that utility functions are be seen as analogous to brokers or ticket scalpers. time invariant, and utility functions of a user for dif- Such agents are sometimes considered to perform ferent names are independent. Then we may state a useful function as market makers [14], or at least the goal of the system as ownership of each domain tolerated, but not considered an existential threat to by the user with the maximum utility (or willing- the functioning of the market. ness to pay) for that domain, as long as that value is On the other hand, squatters can be viewed as above some threshold. We can easily realize this by analogous to land speculators. This analogy is sup- making the primary market a second-price auction ported by the fact that names, like land but unlike with a reserve price. No secondary market would tickets, are not fungible. The speculator may have be necessary. zero utility for a name and makes no use of the Of course, this is oversimplified. Let’s add di- name himself; he hopes that demand for a name minishing marginal utility to this model. Sup- will rise in the future, and may therefore not sell pose there are 10 John Smiths in the world and to a buyer who has a positive utility today. This 10 variations of the name JohnSmith. A 10x10 could lead to a market failure in a few ways. The matrix describes the utility of each user for each uncertainty around future demand means that some name. Further, none of these users has any util- names may be squatted indefinitely, while legiti- ity for more than one name. Now we can state a mate users may end up with sub-optimal names. If welfare-maximization goal of finding the assign- most valuable names are locked up by squatters, it ment of names to users that maximizes the sum may prevent the growth of the system, in turn pre- of each user’s utility for his assigned name, which venting the growth in market price for names that translates to a maximum weighted graph matching speculators are hoping for. Land speculation has problem. Or we could be happy with a Pareto- also been criticized as contributing to a market fail- efficient assignment; since this is one-sided market ure [15]. (names aren’t agents), this is the house allocation In this view, squatting may exist and may be problem [16]. This shows that even in a highly sim- problematic even if the primary market is able to plified setting with a finite number of names and the discover the market price. But if the primary mar- same number of users, the mechanism design ques- ket is algorithmic, it only exacerbates the squatting tion is very tricky. problem. When we add time-varying preferences to the Complexity of the utility function. Our argu- model, it is unclear if we can even formally state ment above is essentially that the utility of a given a goal for the system. The harder we make it for

8 a user to hold on to a purchased name, the easier it becomes for an adversary to “seize” a name (see below). At any rate, the fact that preferences are time varying appears to be part of the reason that names in Namecoin expire and must be renewed; in effect, they are leased rather than purchased outright. Seizures. The Namecoin community considers it a major goal to prevent “seizures” of domain names by adversaries [17]. To prevent seizures, then, it must be easy to hold on to a name after buying it. This is in tension with preventing speculation, which works by buying a name and holding on to it Figure 2: Analysis of squatting. Names whose despite other people wanting it. values occur more than about 10 times can The reason it is even technically possible to pre- be safely considered to be squatted. In fact, vent such censorship in the face of a well-funded the graph shows that the majority of names adversary is that the adversary can’t possibly pre- are held by prolific squatters who control thou- emptively buy up all the names that the victim sands of names. might use. For example, Wikileaks might find any name with the string “wikileaks" in it to be accept- However, many squatters are easily identified able, even if not ideal, for their purposes. In other through the values they set for the names they own. words the victim’s utility function has a large sup- Since there is no built-in functionality for the list- port; the adversary’s utility for a name is contingent ing and sale of names in Namecoin, squatters use on the victim owning that name. the values of names they own to display contact information. This information generally comes in 4 Analysis of .bit domains the form of either contact information stored di- In this section we analyze the current state of .bit rectly in the value of a name, or contact information domains. We begin at the highest level, looking at stored at the IP address to which the name resolves. the repetition of values in order to detect squatters. We observed that a squatter’s contact information is Next we look at how many .bit domains are set up generally constant among all the names they own. with query-able values. Finally we actually visit Thus, by measuring the extent to which values are these query-able names and analyze the content we duplicated on the block chain, we can estimate the find there. ratio of squatters to genuine users. Regular .bit domain owners are unlikely to use 4.1 Detecting squatters values that are highly replicated. The value of a We investigate the balance between squatters and domain points to an individual server and most are other users in the .bit subspace. As we discussed in unique. Repetition may occur in this circumstance 3, squatting is a critical issue in any decentralized is when multiple names resolve to the same point. namespace. We look at Namecoin in order to get a This could occur when a single DNS server is re- realistic view on the proliferation of squatting. solving a large number of names to different web- Namecoin possesses the same pseudonymity sites. However when we performed the content properties as Bitcoin and thus it is difficult to group analysis described in Section 4.3, we found that this names by their owner. Names are owned by indi- does not happen currently. vidual addresses rather than by identities and it is There is no definitive threshold for deciding ex- a common practice to keep each purchased name actly how often a value has to occur in order to under a different address. Because of this, it is dif- assume a squatter has been detected. However ficult to assess how many names any single entity even the coarsest grained approach displays a mas- owns. sive amount of squatting on the block chain. Of

9 Type of resolution Count Criteria applied Count Nameserver URL 3200 Total Names 196,023 Nameserver IP 148 Valid DNS 9354 Single IP 5848 Curlable 5374 Multiple IP 2 Not squatter 745 Single IPv6 2 Without duplicates 455 Multiple IPv6 1 Without errors 278 9 With content 222 Alias 23 Without ICANN hostname 28 Only subdomains 2 Total 9354 Table 2: Number of .bit domains which resolve to real content Table 1: Comprehensive list of .bit domain res- olution methods currently in use. how people are setting up their domains. The vast majority of names point directly to an address. This the 196023 currently active names, there are only includes people using IP, IPv6, and Tor. This is by 34361 unique values. far the most privacy preserving method since the IP In Figure 6 we examine the fraction of current address is drawn directly from the block chain. A .bit names that are squatted. We sorted all of the client can simply look up a name in the block chain values that occur by the number of times they oc- and immediately connect to the server. However, cur. The graph has a very sharp initial drop as we this privacy comes at the cost of flexibility since the remove all names with values that occur only a few server is directly encoded in the block chain and can times. This leaves the majority of domains to drop not be changed without an update. off very slowly as we remove bigger and bigger The much more flexible configuration, also com- squatters. Using a cut-off of n = 10, it appears safe monly used, is name server delegation. Rather than to say that at least 76% of .bit domains are held by directly listing an IP address in the block chain, one squatters. or more name servers are listed. This way a name 4.2 DNS records owner can update their IP address without modi- fying the block chain. However this is an inse- We now examine how .bit domains are used by cure delegation since Namecoin can not enforce any genuine users. Only 9354 out of the 119624 .bit do- properties regarding the action of the external name mains make any attempt to resolve to an IP address. server. The server will have full control over its Out of these a variety of types of IP resolution are interaction with users including the ability to track employed. lookups or return results which aren’t globally con- In order to support DNS lookups, Namecoin pro- sistent. vides a specification that allows for the support of most DNS record types. A name’s configuration is 4.3 Domain content analysis stored in a JSON dictionary object which is placed in a name’s value. Domain’s can be configured After understanding how people connect their in a number of different ways. The main meth- names with IP addresses, we explored what sort ods are directly setting one or more IP (or IPv6) of content is reachable through .bit domain names. addresses or setting one or more secondary name- We attempted to download the front page of each servers which hold information about a domain. of these 9354 domains over port 80 (HTTP). 3881 Additionally records can link a name to a number of these domains were unreachable or didn’t serve of hidden-services URL schemes like .onion [18] web content, leaving us with only 5374 responsive and .i2p [19]. domains. Namecoin supports a number of different name Looking at the content of the servers’ responses, resolution methods. Different methods have differ- we found that of the responsive 5374 domains, ent properties and thus it is interesting to inspect 4629 are owned by 3 different squatters. These do-

10 mains serve nothing of value and caused massive inflation in our reachable domain count. Removing the squatters, we count 745 viable do- mains. However, many of these pages are mirrors or duplicates of each other. After removing 290 such duplicates, 455 domains remained. A large number of pages were either error re- sponses from the server or default pages from vari- ous web servers. Neither of these can be considered useful content. There were 177 such domains, and removing them left us with 278 domains. Out of the remaining sites, many had very small amounts of content consisting of only a few words on a blank page like, "Welcome to mysite.bit." Figure 3: For each 1 ≤ n ≤ 1,000,000, the prob- These pages, though valid uses of Namecoin, pro- ability that .bit versions of domains with Alexa vide minimal utility to a visitor. Thus, we decided rank approximately n are registered. to look at only pages consisting of 15 or more words and images which brought us down to 222 domains. These 222 domains make up the only websites desirability, one using Alexa ranking, and one using reachable through .bit domain names which have the length of the name. any real content on them at the time of this analy- We can see from Figure 3 and Figure 4 that there sis. We are further interested in the subset of these are patterns to the names that squatters have ac- pages which don’t come from a server that is acces- quired. In Figure 3, we can see that squatters have sible through a standard ICANN TLD as well. 83 of claimed the majority of very high ranking Alexa the pages directly redirect the user to a standard do- sites. main and 111 were manually identified as pointing In Figure 4 we see that there is a preference for to the same site as a standard domain. The domains shorter names. Table 3 shows that in fact all one- which had ICANN hostname’s along with their .bit and two-character names are taken. It is not un- hostname were manually identified and pinged to til we get to names with at least three characters ensure matching IP addresses. that there are names available to register. Beyond This left us with 28 pages serving non-trivial three characters, the combinatorial nature of name content that is uniquely available via .bit. strings makes it infeasible to register all names of Our approach to analyzing content suffers from that length. There are more names with a length a few limitations. First of all we only queried the of 4 available than there are total names registered main domain over port 80, thus if any of the servers currently. only respond to subdomains or only serve content Alexa ranking and name length are not an ex- over HTTPS, they are not included. Additionally haustive description of squatter behavior. Future when we detect how much content is on each page, work would attempt to better model the valuation we do not follow links and thus content could be that squatters and other namespace participants put hidden behind links. Despite these limitations we on names. believe that we have missed very few legitimate do- mains. 5 Secondary market analysis 4.4 Examining Squatter Name Choice Next, we seek to understand and quantify how As we have seen, many individual squatters buy names move between users. Our basic scenario up very large numbers of domains. We now explore is that Alice owns the name ‘d/example’ and Bob what sort of categories these names fall into and try would like to purchase it from her. We explore var- to interpret the decisions these squatters have made. ious ways this sale can occur and how these sales Here we explore two potential measures of name can be detected.

11 Figure 5: Anatomy of an atomic name transfer. Both the name and the payment are included in the same transaction, so one cannot fail to transfer to the other party without the other failing to transfer.

5.1 Detecting atomic transfers The safest way to buy and sell Namecoin names is through the use of atomic transactions. This is an important technique in cryptocurrencies whereby two parties can exchange digital assets (such as a name in exchange for currency) without a trusted intermediary without either worrying that the other will abscond after receiving her half of the bargain. We show how these transactions work in Figure 5. In an atomic transaction, Alice and Bob make their exchange in a single transaction. In the simplest form of atomic name transfer, Bob creates a trans- action which transfers his payment to Alice and transfers ‘d/example’ to him. He then sends this Figure 4: The number of Namecoin names transaction to Alice, the owner of the name, who registered as a function of name length. verifies it, signs, and broadcasts the transaction to the block chain. Both Alice and Bob’s signatures are locked to the inputs and outputs of the transac- Name length Percent registered tion so neither input can be spent individually with- 1 100.00% out the full transaction. This transaction provides 2 100.00% cryptographic security to both Alice and Bob since 3 58.61% either both the name and coins will be exchanged or 4 1.00% nothing will. Although there is nothing inherently 5 0.02% different looking about this transaction on the block . . chain, there are a few possible techniques to detect . . them by implementation quirks. Table 3: Percent of all domains of registered by The Namecoin client is a fairly underdeveloped length. All possible names are counted combi- piece of software and thus there is no built-in natorially using the rules given by [7]. method of performing atomic transactions. In or- der to accomplish this task, the Namecoin RPC

12 client must be used from the command line. In order to simplify this task, a Namecoin developer created ANTPY [20], a piece of software to auto- mate the creation of atomic transactions. This soft- ware has the quirk that the buyer’s payment goes to the address that the seller held the name in. To find these transactions we queried the block chain for transactions with a NAME_FIRSTUPDATE or NAME_UPDATE input from the same address as a non name output. We then further reduced this set by eliminating transactions where the name stayed at the same address. We searched throughout the history of the Name- Figure 6: Number of transfers detected based coin block chain for transactions fitting this specifi- on squatting threshold. For each n on the x- cation. Our query returned 13 transactions which axis (5 ≤ n ≤ 25), we plot the number of squat- we believe represent all transactions built by the ter → non-squatter transactions detected if we ANTPY script. However this by no means repre- characterize names whose values occur n or sents all sales on the block chain. We next attempt more times as squatted. to discover atomic transactions in a different way. A implementation-agnostic method for detecting atomic name transfers is to find transactions that chain. Whereas atomic transactions, can (some- clearly use change addresses. This occurs when times) be recognized simply from their contents, there are two non-name outputs in a transaction other name sale transactions are not recognizable. that has a name input. In this case the buyer did Here the payment could be a separate transaction or not want to pay all of his input to the seller and even made in a currency other than Namecoin. We thus kept some for himself. This leaves the transac- would hope that we could detect changes in name tion with 3 outputs. Under normal circumstances, ownership by looking at changes in which key owns NAME_UPDATE transactions will only have two a name. However, since the Namecoin client de- outputs, a name output and a change address. Thus faults to sending names to new addresses on update, every transaction with three outputs is very likely there is no way to look at an update and tell whether an atomic name transfer. or not a name is being transferred between owners. In the history of the Namecoin block chain, we In order to detect non-atomic transactions we found 6 transactions fitting this form. However 5 of must expand our view to the prior value of a name the 6 were also detected by the previous (ANTPY) being updated. Certainly if the value does not criterion. change then the transaction is simply renewing the The 14 atomic transactions which we detected name, not transferring it. However considering all are a lower bound for the number of name trans- other transactions to be name transfers is far too fers. We are unable to query for all atomic trans- conservative of a criterion. Users freely update the actions since if the buyer doesn’t want any change values of names whenever information in them be- from a purchase and the seller gives the buyer a new comes outdated. address to send payment to, the transaction is indis- Although there doesn’t seem to be a way to de- tinguishable from a regular non-transferring name tect non-atomic name transfers generally, there is update. an important subclass of these transactions which can still be detected — transfers from squatters to 5.2 Deriving an upper bound on number regular users. In the previous section we discussed of sales our detection of squatters in the block chain which Following up on our lower bound from the pre- produces a list of values which with a high proba- vious section, we now derive an upper bound on bility belong to squatters. Detecting transfers from the number of name sales using data from the block squatters by finding names that change from one of

13 these values to a value outside this set gives us a When a name is controlled by a user, how strong strategy to detect transfers. is that control? We can consider a hierarchy of in- We employ an additional criterion to eliminate creasingly weaker forms of control. false positives to tighten our upper bound. If a 1. Control lasts forever and names cannot be name’s value includes an info or email field and that transferred. It is straightforward to design a names- stays the same in the updated value we can assume pace in such a way that names are non-transferable this is simply an update by the squatter. (in Namecoin, it would be a matter of requiring the input and output of a NAME_UPDATE transaction Applying this analysis at various squatter thresh- to have the same address). Making names non- old values, we see that the total number of squatter transferable would lock authority to update to the → non-squatter transactions detected holds at ap- value restricted to the key used to first register the proximately 250 transactions. We emphasize that name. Such a system could deter speculative squat- this value is likely an upper-bound since our cri- ters because a speculator would not be able to sell teria for reducing the number of transactions were a name to another individual. While it would be quite conservative. possible to transfer the private key that controls a To summarize, we would expect that given the name, the user receiving it would have no crypto- high percentage of squatted .bit names, if there is graphic assurance that the original owner does still a flourishing secondary market it would be domi- posses a copy of the key. On the other hand squat- nated by sales from squatters to regular users. Yet ters who wish to censor names or simply damage we are able to upper bound the number of such the system would be undeterred by the inability to transfers to about 250, a tiny fraction of the number transfer names. of squatted names. Further, even though Namecoin As we noted in Section 3, utility functions supports a secure way to transfer names, we find are time-varying, so a technical restriction against strong evidence based on known tools supporting name transfer goes against the logic of the market. this functionality that its usage is very low. It is possible that most names would be controlled by squatters who act as dealers and lease names to users. Essentially this would make the system 6 Exploring namespace design a hybrid between a centralized and a decentralized choices namespace. Throughout this section we will refer to the con- 2. Control lasts forever except if the user chooses cept of the decentralized algorithmic agent that we to transfer or sell the name. This approach is easy introduced in Section 3. Several of the options we to understand as it is the most similar to physical explore will require this agent to implement rather property. A practical problem with this approach is complex algorithms. We will not directly address that if a user loses her key, any names controlled the question of practical feasibility of complex de- by that user or key are lost forever. This may also centralized agents. We note, however, that based on happen if a user leaves the system, but this prob- proposed designs, these agents can be surprisingly lem can be alleviated by having the primary market powerful; we refer the reader to [6, 21, 22]. agent buy back names from users. This incentivizes the user to give up the name before leaving the sys- 6.1 Control of names tem even if she can’t find a seller for it. The agent essentially acts as an automated market maker. At any point in time, each name is either con- 3. Names expire after a fixed period, except if trolled by some user or is unclaimed. In the latter the user renews it. This is a practical choice that case, it can be considered to be owned by the de- avoids the problems pointed out above, especially centralized agent encoded into the cryptocurrency, if the renewal fee is very small compared to the and is on the primary market. Any user can attempt price of the name on the primary market. We ex- to purchase any name on the primary market. We pect that a rational user will keep renewing a name will return later to the question of how the name is she controls unless her utility drops to near-zero, or priced. she loses the associated private key and therefore

14 can’t update the name. If the renewal fee is sub- tors based on publicly available data can be incor- stantial, this becomes similar to a lease instead of porated into the pricing model: name length, fre- ownership. The renewal fee is paid to the agent. quency of the name (treated as a word) in text found Finally, the agent may pay the user if she lets her on the web, traffic rank of the corresponding .com name expires, returning her original fee to her. This domain, and so on. Pricing can also vary with time; is analogous to a deposit. a blended model between auctions and algorithmic 4. Names always expire after a fixed period and pricing would see initial prices decided algorithmi- return to the primary market. Seizure or censor- cally which decline steadily over time in a form of ship becomes easy. Additionally, if we imagine that Dutch auction. Again the challenges in implement- names appreciate in price by being used, just as ing this are practical: incorporating data external to land that is developed increases in value, this dis- the block chain into the computation of distributed incentivizes users from putting names to use since agents is possible, but very complex and has not they have no expectation of being able to hold on been successfully demonstrated in practice. If the to them. So this model is clearly inappropriate for secondary market is implemented within the sys- applications like domain names, but perhaps useful tem (see below), then the agent has access to pric- in other contexts. ing data for other similar names as well as for the 5. Control over names may be preempted by same name if it was previously sold on the sec- other users. This is an idea that has been proposed ondary market. several times in the context of Namecoin, allowing There is an interesting technical limitation of users to either force a name to return to the primary agents which affects algorithmic pricing. Since the market or even directly acquire it by paying the a agent doesn’t have private storage, an adversarial fee to the agent and/or the current owner. This is in- node in the peer-to-peer network can intercept a tended to alleviate squatting, but it is hard to imag- user’s request to the agent to purchase a name, and ine this approach being superior to a functioning try to purchase that name ahead of the user, per- secondary market. On the other hand, the down- haps in the hope of turning around and selling it sides are clear: seizures are now possible, and as to the user. This is analogous to front running. In before, uncertainty over future ownership may dis- fact, front running is a problem in the current DNS courage legitimate use. as well, carried out by intermediaries that provide domain registry search services [23]. Fortunately, 6.2 Markets and fees in the cryptocurrency context there’s a simple cryp- Primary market: auctions vs. algorithmic tographic solution: the user first presents a sealed pricing. There are essentially two choices for the bid to the agent (here it is the name that needs to primary market: auction and algorithmic pricing. be sealed, not the price, which is public); after this Auctions are appealing, but there are practical prob- message is confirmed in the block chain, the user lems due to the infinite number of names. For ex- (from the same address) reveals the name. Now the ample, let’s say an auction for a name is triggered adversary cannot front run the user because he can- whenever any user expresses an interest in buying not spoof messages (transactions) from the user’s 5 that name. Since there are a potentially infinite address. number of names that a user is interested in, she Namecoin uses a simple model of a flat fee for all would have to be able to participate in an auction at domains that varies with time (which we can think any time, which is a problematic assumption. Al- of as a trivial case of algorithmic pricing). ternatively, names could go up for auction at fixed Secondary market. As long as the technical ca- times, but this also has practical downsides. pability to transfer names exist, we would expect On the other hand, names can be priced algo- a secondary market to develop without any further rithmically. This is more applicable for applica- design support. In addition, the ability to transfer tions like domain names than for personal names- 5 paces. In the former case the utility of a name is This is the approach used in Namecoin, and the reason why NAME_NEW and NAME_FIRSTUPDATE need to be dis- less dependent on the user and therefore easier to tinct operations separated by a 12-block waiting period, as de- price based on publicly available data. Several fac- scribed in Section 2.3.

15 names and payment in a single atomic transaction cally straightforward to do by structuring payments allows parties to transact without a trusted interme- as transaction fees to be collected by the miner who diary. This is straightforward to implement techni- first mines a block containing that transaction. The cally as we discussed in Section 5; Bitcoin and most other option is to “burn” the coins representing the altcoins including Namecoin support it. payment, i.e., mark them as permanently unspend- However, there are benefits to the capability to able. This is also technically trivial. Assuming that post bids and offers on the block chain as well as the market capitalization of the currency is unaf- execute trades. First, as a practical matter, when fected by burning some of it, it has the effect of dis- cryptocurrencies are in the bootstrapping stage, ex- tributing the agent’s revenue to all holders of the changes may not develop or may be fragmented. currency in proportion to their holding. Both of We see this problem with Namecoin. Secondary these appear to be reasonable options, and Name- markets for DNS names are also fragmented. A coin has used both; it is not clear which is better fragmented or non-existent secondary market may in terms of incentivizing the long-term growth and in turn inhibit adoption of the namespace. Inte- security of the system. grating an exchange (implemented, of course, in a decentralized form) may prevent this problem. 7 Related Work As an interesting historical aside, early versions of ’s Bitcoin code contained ex- Here we discuss attempts besides Namecoin at change functionality in prototype stage, but this decentralized cryptocurrency-based namespaces or was never rolled out [24]. Second, as mentioned domain-name systems and more broadly technolo- above, executing trades via the block chain allows gies that utilize the block chain. the agent direct access to price data, and this may Bitshares is another altcoin that includes propos- help with algorithmic pricing. Finally, integrating als for a namespace as one of its goals [26]. Emer- an exchange allows shaping the secondary market, coin recently emerged as a Namecoin competitor for example, by charging a fee for trades. As men- [27]. tioned earlier, it is technically feasible to deter pri- More broadly, the ability to publish messages vate trades; this would force or incentivize trades to to the block chain immediately allows a variety of happen through the integrated exchange. applications. Physical property, shares of stocks, bonds, or any other real asset can be digitally repre- 6.3 The agent’s finances sented on the block chain. Overlay protocols such In a centralized namespace, the owner of the as Mastercoin and Colored Coins specify a syn- namespace has a clear goal of maximizing revenue tax and semantics for such digital representations from name sales. In a decentralized system, this is [28, 29]. CommitCoin allows for putting hash com- typically not a meaningful goal. After all, the agent mitments on the Bitcoin block chain in order to is not a real-world entity. How, then, should the timestamp data in a trustless manner [30]. agent handle its finances? There are a number of more complex applica- Our first simplifying observation is that there is tions that require additional primitives. Financial no point in the agent holding on to any funds — derivatives are contracts whose value depends, in even if it needs to buy names from users, it can some mutually agreed-upon way, on the price (or simply print money (introduce new coins into the movements in price) of an underlying asset. Im- system) as necessary. Of course, from a practical plementing derivatives of digital assets, then, re- perspective it may be easier to have the agent store quires user-defined logic (or scripts) for transac- funds; this corresponds to the proposal in Name- tion validation. This can be accomplished via an coin to treat registration fees as deposits and to hold altcoin with a flexible scripting language such as them in “escrow” [25]. Conceptually, however, we Ethereum [21]. Furthermore, since derivatives de- can get rid of this option. pend on prices, scripts that implement them require That leaves two options. The first is to distribute access to price feeds as input. Otherwise, it requires its revenue to miners, in proportion to their hash a trusted third party (known by a Bitcoin address) power at the time of the transaction. This is techni- to regularly publish suitably encoded, signed price

16 statements reflecting external reality. These can be where the above weaknesses are fixed, it’s not clear published directly to the block chain or distributed that it would be a viable platform for a decentral- off-chain and only added to the block chain when ized DNS. Namespaces are a solution to the prob- needed to redeem an asset. More generally, such lem of mapping names to values. However, in a entities could publish any data feed representing domain name system, the problem that needs to be news or other events. solved is to map entities — legal entities, brands, or Bitcoin can act as a platform for fair secure mul- identities — to addresses/values. tiparty computation [31, 32, 33]. These are SMC Naturally, mapping entities to names (or directly protocols augmented with Bitcoin operations, e.g., to values) is not a purely technical problem, but re- a payment from one participant to another, or a de- quires human judgment. In the traditional DNS, posit. arbitration based on trademark law is a mecha- Finally, a set of related ideas known as decen- nism to prevent names that are confusingly simi- tralized autonomous organizations (among several lar from being controlled by different entities. This other names) has stirred considerable excitement is augmented with Extended Validation certificates, in the community recently. These combine several which, when used, establish the legal identity of the primitives discussed above — digital assets, long- name owner. With these mechanisms in place, the lived scripts implementing arbitrary logic govern- user must still provide a name to the system, but at ing those assets, data feeds, and out-of-band com- least she can then verify that it corresponds to the munication. Some proposals for DAOs incorporate correct entity she had in mind. This type of verifi- human input in various forms: one is a decentral- cation is much harder to incorporate in a decentral- ized agent farming out computationally intractable ized system. We are not aware of any designs for tasks to humans [34]. Another is voting by share- decentralized systems that attempt to do so. holders of decentralized agents to enable modifica- If such mechanisms are not developed, can de- tions to the logic (i.e., script). centralized namespaces for domain names be viable at all? Or will they depart so far from user expecta- 8 Discussion and Conclusion tions as to be unusable? Other solutions for usability might be possible. Our empirical analysis of Namecoin and explo- Web search engines are used in practice as a way ration of the design space reveal several potential of mapping entities to names. Indeed, such “nav- mechanism design weaknesses. First, Namecoin’s igational queries” are one of the primary ways in fees are far too low to deter squatters. The system which people use search engines.6 Navigational utilizes neither an auction nor algorithmic pricing queries are about equally viable in centralized and that might help price names near their market value. decentralized systems. Presumably, using search Worse, users who paid a high network fee in the engines and following links from other sources (in- early period and who wish to leave the system have cluding bookmarks) will allow a user to gradually no way to recoup any of their investment by return- memorize an entity → name mapping. ing the name to the primary market. Of course, if users always used these nagiva- These problems are exacerbated by the lack of tional aids and relied on them entirely to find the a functioning secondary market. Buying a squat- correct name, then those names don’t have to be ted name, even if contact information is available human-memorable or user-chosen, so one doesn’t on the block chain, is a cumbersome manual pro- need a namespace at all. Indeed, .onion domains cess. There is no way to, say, search for all names force users to rely on navigational aids since names available for sale matching a given string and be- are public keys and can’t be freely chosen by users. low a specified price limit. Namecoin does not in- Anecdotally, however, it is clear that this results in tegrate an exchange into its core functionality, nor poor usability and memorable names would be an have Namecoin developers chosen to build and pro- improvement. mote one outside the system. Is a decentralized namespace for domain 6Bing reports that about 30% of queries are navigational names viable? Even with a hypothetical system [35].

17 We remain neutral on the question of whether and storing the entire block chain, which is cur- a decentralized namespace for domain names can rently about 1.6 GB. Then she must acquire NMC, be viable. But the human factors we discussed do which requires connecting the user’s wallet on a complicate the mechanism design question. In Sec- (which supports Name- tion 3 we proposed utility maximization as a (straw- coin) to her bank account. In our experience, there man) goal of the mechanism, and suggested that is a 3-day wait after registering with an exchange an auction would satisfy this goal. However, in an and being allowed to transfer funds. Now the user auction-based system, it may turn out that an adver- is finally ready to register names, but she must also sary interested in phishing has a higher utility for remember to update names every 250 days or run (say) bankofamerica.com than Bank of Amer- software in the background that will automatically ica does. It is not clear how to design a mechanism handle this. that will discourage such outcomes. In conclusion, designers of decentralized names- Comparison between .bit and OneName. In paces must pay careful attention to mechanism de- contrast to the .bit subspace, the online identity ser- sign to deter squatters and facilitate a healthy sec- vice, OneName, has a very large user base. We ondary market. Further, the usability of the overall found that after limiting the number of name/value ecosystem, which includes not just users who own pairs to only those with unique, well formed entries names but the applications that utilize the names- (using the strategies listed in section 5) OneName pace for web browsing or other tasks, is paramount. has roughly 20,000 pairs, which dwarfs the 1000 Finally, a hybrid model of centralized services or so .bit domains. It is too early to tell whether or that utilize an underlying decentralized platform is not these users are putting their OneName identities worth considering. to any real use, but at least in terms of registration Acknowledgement. We would like to thank Ed numbers, interest appears to be high. Felten and Muneeb Ali for helpful discussions and Perhaps the biggest reason for this is that while feedback. This work was supported in part by NSF scarce, OneName names are not nearly as valuable Grant CNS-1421689. as domain names, and so it is far less important to get the mechanism design right, or have any mech- References anism at all. Unlike domain names that must be [1] Paul Mutton. WikiLeaks.org taken down remembered by humans, users typically find One- by US DNS provider. URL http: Name identities through links from other social me- //news.netcraft.com/archives/ dia services or by searching for the individual’s real 2010/12/03/wikileaks-org-taken- name. down-by-us-dns-provider.html. A second reason is that OneName benefits from [2] Wikipedia. Zooko’s triangle, . URL being a centralized service on top of a decentralized http://en.wikipedia.org/wiki/ protocol, OpenName (which, as of this writing, is Zooko%27s_triangle. implemented on top of Namecoin). If a name is [3] Aaron Swartz. Squaring the triangle: Secure, squatted, a typical user who wants that name might decentralized, human-readable names. URL not even know how to contact the squatter because http://www.aaronsw.com/weblog/ they are trying to register a name through the One- squarezooko. Name website which doesn’t facilitate this process. While a user could technically interact with the ‘u/’ [4] Satoshi Nakamoto. Bitcoin: A peer-to-peer elec- https://bitcoin. subspace of the block chain directly, most One- tronic cash system. URL org/bitcoin.pdf. Name users don’t. The .bit subspace, on the other hand, suffers from [5] appamatto. Bitdns and generalizing bitcoin. the lack of any centralized service providers cou- URL https://bitcointalk.org/index. pled with the poor usability of the client software. php?topic=1790.0. A new user faces many significant hurdles in regis- [6] J Bonneau, J Clark, E Felten, J Kroll, A Miller, tering a name. The first step is acquiring a Name- and A Narayanan. On decentralizing prediction coin client which requires downloading, verifying, markets and order books. In Workshop on the

18 Economics of Information Security, 2014. URL [21] Ethereum white paper, 2015. URL http://weis2014.econinfosec.org/ https://github.com/ethereum/wiki/ papers/Clark-WEIS2014.pdf. wiki/White-Paper.

[7] Domain name specification, 2015. URL https: [22] Bitcoin Wiki. Agents. URL https://en. //wiki.namecoin.info/index.php? bitcoin.it/wiki/Agents. title=Domain_Name_Specification. [23] Wikipedia. Domain name front running, . [8] khalahan. Nmcontrol. URL https://github. URL https://en.wikipedia.org/wiki/ com/khalahan/nmcontrol. Domain_name_front_running.

[9] Freespeechme website. URL http://www. [24] phelixbtc. Bitcoin github. URL https:// freespeechme.org/. github.com/phelixbtc/antpy.

[10] Greg Slepak. Dnschain. URL https:// [25] Namecoin Forum. Idea for better fee struc- github.com/okTurtles/dnschain. ture. URL https://forum.namecoin. info/viewtopic.php?p=6653&sid= [11] Opennic project. URL http://www. 2cf37d245bbc611a8d93ad6ac23b9982. opennicproject.org/. [26] .p2p (bitshares dns), 2015. URL http: [12] Keybase. Keybase. URL https://keybase. //wiki.bitshares.org/index.php/ io/. .p2p_%28BitShares_DNS%29.

[13] Luke A Walker. Icann’s uniform domain name [27] Emercoin, 2015. URL http://emercoin. dispute resolution policy. Berk. Tech. LJ, 15:289, com/. 2000. [28] Mastercoin protocol specification, 2015. URL [14] William L Silber. Marketmaker behavior in an https://github.com/mastercoin- auction market: an analysis of scalpers in futures MSC/spec. markets. The Journal of Finance, 39(4):937–953, 1984. [29] Meni Rosenfeld. Overview of colored coins, 2012. URL https://bitcoil.co.il/ [15] John R Ottensmann. Urban sprawl, land values BitcoinX.pdf. and the density of development. Land economics, pages 389–400, 1977. [30] Jeremy Clark and Aleksander Essex. Commitcoin: Carbon dating commitments with bitcoin. In Fi- [16] Atila Abdulkadiroglu and Tayfun Sönmez. Match- nancial Cryptography and Data Security, pages ing markets: Theory and practice. In Advances 390–398. Springer, 2012. doi:10.1007/978-3-642- in Economics and Econometrics (Tenth World 32946-3_28. Congress), pages 3–47, 2013. [31] Marcin Andrychowicz, Stefan Dziembowski, [17] Daniel. Proposal: Domains should be Daniel Malinowski, and Lukasz Mazurek. regularly auctioned. URL https: Secure multiparty computations on bitcoin. //forum.namecoin.info/viewtopic. In Security and Privacy (SP), 2014 IEEE php?f=11&t=2003. Symposium on, pages 443–458. IEEE, 2014. doi:10.1109/SP.2014.35. [18] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The second-generation onion [32] Iddo Bentov and Ranjit Kumaresan. How to use router. Technical report, DTIC Document, 2004. bitcoin to design fair protocols. In Advances in Cryptology–CRYPTO 2014, pages 421–439. [19] Juan Pablo Timpanaro, Chrisment Isabelle, and Springer, 2014. doi:10.1007/978-3-662-44381- Festor Olivier. Monitoring the i2p network. 1_24. 2011. URL https://hal.inria.fr/hal- 00653136/document. [33] Ranjit Kumaresan and Iddo Bentov. How to use bitcoin to incentivize correct compu- [20] ANTPY Github. Bitcoin github com- tations. In Proceedings of the 2014 ACM mit history. URL https://github. SIGSAC Conference on Computer and Commu- com/bitcoin/bitcoin/commit/ nications Security, pages 30–41. ACM, 2014. 5253d1ab77fab1995ede03fb934ed. doi:10.1145/2660267.2660380.

19 [34] Vitalik Buterin. Daos, dacs, das and more: An incomplete terminology guide, 2014. URL https://blog.ethereum.org/2014/ 05/06/daos-dacs-das-and-more-an- incomplete-terminology-guide/.

[35] Bing blogs: Making search yours, 2011. URL http://blogs.bing.com/search/ 2011/02/10/making-search-yours/.

20 A List of significant .bit domains Below is a list of names counted towards the last en- try in Table 2. These domains were determined by the proccess described in Section 4. • alt-freedom.bit • bangkokgroup.bit • bitcoinpl.bit • bitcoinquotes.bit • carnicominstitutemirror.bit • changepurse.bit • columbo.bit • darkfur93.bit • dcinvestments.bit • dealing.bit • deathrowdemocracy.bit • dot-bit.bit • dotbitkittypix.bit • feens.bit • hewgill.bit • hosting.bit • kk-cabrio.bit • lapan.bit • medicinalgenomics.bit • megabrutal.bit • michail.bit • mikeward.bit • namecoin-test-suite-1.bit • onemillionpixels.bit • peterboswell.bit • rmgx.bit • tuler.bit • wikimouto.bit

21