
Masaryk University
Faculty of Informatics

P2P Cryptocurrency Exchange and Blockchain Size Reduction

Ph.D. Thesis Proposal

Michal Zima

Advisor: Eva Hladká

Brno, Autumn 2017

Signature of Thesis Advisor

Contents

1 Introduction
2 Preliminaries in Bitcoin Blockchain
    2.1 Blockchain
    2.2 Merkle Trees
    2.3 Transaction Structure
    2.4 Scripting
    2.5 Simple Payment Validation
    2.6 Spendability of Transactions
3 State of the Art
    3.1 Exchanging Cryptocurrencies without Intermediaries
    3.2 Pruning of Merkle Trees
    3.3 Pruning with UTXO Set
    3.4 Redactable Blockchain
    3.5 Mini-blockchain
    3.6 UTXO Set Commitment
    3.7 Merged Mining
4 Aims of the Thesis
    4.1 Objectives and Expected Results
    4.2 Plan of Work
5 Achieved Results
    5.1 Decentralisation of Cryptocurrency Exchange
    5.2 Scheme of Sustainable Blockchain
    5.3 Hash Reduction
6 Author’s Publications
Bibliography
A Publications
    A.1 Cryptography Enhanced Ad-Hoc Approach to P2P Overlays
    A.2 Coincer: Decentralised Trustless Platform for Exchanging Decentralised Cryptocurrencies

1 Introduction

Digital money was for a long time a goal of many efforts. Indistinguishability of originals from copies served as the most challenging point. There had to be a central database system that allowed verification of money and execution of transfers. Naturally, this approach caused concerns about users’ privacy. David Chaum in 1990 addressed this issue by introducing a cryptographic approach to anonymous digital money [1].
Nonetheless, it was not until Satoshi Nakamoto invented Bitcoin in 2008 that anonymous digital money came into general use. Using a novel combination of several known cryptographic primitives and P2P networking, he devised trustless digital money which lacks any central authority or centralised database.

Being a new approach to digital money, Bitcoin also brought new challenges. One of them has been its scalability in recent years. As of early 2017, Bitcoin’s distributed database (called blockchain) is capable of storing 1 MB of data per 10 minutes on average, which translates into approximately 3–4 transactions per second.¹ For comparison, PayPal processed 200 transactions per second on average in 2016 [2] and Visa 2,600 transactions per second [3].

¹ Given the average size of a transaction in 2016 of 515 bytes.

As the popularity of Bitcoin rises (evidenced also by its rising exchange rate to traditional fiat currencies [4]), this throughput limitation becomes more visible. There are also spam attacks against Bitcoin [5] that raise the transaction fees ordinary users must pay to get their transactions verified. Proposals for scaling Bitcoin in general revolve around increasing the main limit of 1 MB per 10 minutes (either directly [6, 7, 8, 9, 10, 11, 12] or only effectively [13]), although this is not the only proposed measure. While this may lessen current issues, it may also worsen other aspects.

The Bitcoin blockchain is designed as an ever-growing storage that contains all transactions since Bitcoin’s inception. Due to this fact, the blockchain size is at 119 GiB as of July 2017. The aforementioned limit restricts the growth to approximately 49 GiB per year. Growth of the blockchain size can be observed in Fig. 1.1, and while it may seem to grow exponentially, the 49 GiB limit means that it is in fact on a linear growth trajectory in 2017. Yet the steepness of the linear curve slowly starts to change as of August 2017 with the deployment of a new scaling approach called Segregated Witness [13].

[Figure 1.1: Cumulative size of the raw blockchain data. Plot of Bitcoin blockchain size (GB) over time, 2010–2017.]

While it is said [14] that Bitcoin nodes may store only small blockchain metadata (amounting to 36 MiB as of July 2017) and not the whole data, there is a trade-off between the size of the stored data on one side and security and privacy on the other. Moreover, these lightweight nodes cannot exist on their own—they depend on other nodes (so-called full nodes) that do store the full blockchain data. However, with such growth it becomes increasingly costly to run a full node. Besides the storage itself, the rising demands include bandwidth, computational resources (due to the need to verify all the data) and time for initial synchronisation with the Bitcoin network. As a result, fewer nodes can afford to be full nodes, hence decentralisation suffers.

An obvious way towards solving this issue is to prune from the blockchain data that should no longer be needed, i.e., data of already spent transactions as described in Sect. 7 of [14]. This approach serves as a basis for further approaches; nonetheless, it does not stop the blockchain from unbounded growth in size. There are many transactions that we know can never be spent (for instance [15]), but from a computational point of view, deciding whether a transaction can ever be spent is an undecidable problem.

Besides centralisation risks stemming from blockchain growth, cryptocurrencies suffer from centralisation on the level of entry and exit points for users—cryptocurrency exchanges [16]. The success of the Bitcoin model led to the emergence of countless alternative cryptocurrencies following the principles of Bitcoin.
A natural consequence was the demand of their users to exchange and trade these cryptocurrencies, which further led to a rise of many exchange platforms focused specifically on cryptocurrencies. Centralisation to a limited number of exchanges attracts attackers who successfully exploit vulnerabilities in the platforms, which accounts for more than 26 million USD of losses as of 2017 [17].

To date, various approaches have been developed. There are methods for exchanges to easily prove their solvency [18, 19], but they were neither widely adopted nor able to solve the aforementioned problem. A different approach is to completely remove intermediaries from the process of exchanging cryptocurrencies. However, even though the first solution was proposed in 2013 [20], due to its real-world limitations it has never had any practical, decentralised implementation.

My work focuses on two important challenges that can improve decentralisation of the cryptocurrency ecosystem. First, I plan to develop a set of network and cryptocurrency protocols for safe decentralised trading of different cryptocurrencies. My second goal is to propose both technical and incentive mechanisms for maintaining a blockchain with a bounded size.

The remainder of this thesis proposal is organised as follows. An introduction to the area of blockchain and cryptocurrencies is given in Chap. 2. Chapter 3 describes state-of-the-art decentralised cryptocurrency exchange and blockchain minification approaches. Chapter 4 sets the goals of my work and outlines a time plan for them. An overview of achieved results is provided in Chap. 5, followed by a list of publications in Chap. 6. The proposal concludes with a bibliography and a selection of my published papers.

2 Preliminaries in Bitcoin Blockchain

This chapter introduces the terminology and the basics of Bitcoin and blockchain.

2.1 Blockchain

Blockchain is a database of transactional data.
It is a decentralised system without any central coordinator where all data are distributed over a network of interconnected nodes. This eliminates the need for trusted parties, as each node can independently verify the integrity and validity of all stored data by itself.

Since the contents of the blockchain are shared among all nodes in its network, it is important that it converges to a single shared state. This is achieved by grouping transactions into blocks every 10 minutes on average. Hence, the blocks fulfil the role of synchronisation points.

Blocks form a chain by being linked into a hash chain: each block (except the first one, the so-called genesis block) includes a link (i.e., hash) of the previous block, as illustrated in Fig. 2.1. An important property inherited from a regular hash chain is immutability of stored data. To change a block inside a hash chain, one must also update the links to previous blocks in all blocks following the changed block. The change is therefore easily detectable.

[Figure 2.1: Illustration of the hash chain/blockchain structure: hash of each node in the chain is influenced by contents of all preceding nodes through their direct predecessor’s hash. The chain shown is root (node 0), node 1, node 2, node 3, where the nodes after the root carry h(root), h(node 1) and h(node 2) respectively.]

2.1.1 Mining/Proof of Work

Practical immutability of blockchain data is secured by a condition that each block’s hash¹ has to meet requirements for a proof of work.

¹ In this work all mentions of “hash” mean output of a cryptographic hash function, e.g., SHA-2.

Proof of work is a mechanism that certifies that a certain amount of computational work was performed. In Bitcoin, the proof of work consists of a double SHA-256 hash of a block header. The Bitcoin protocol computes the difficulty of the required proof in a decentralised manner. The difficulty is a parameter that sets a constraint on the value of the proof of work hash.
Every 2016 blocks the difficulty gets adjusted by the network so that the interval between blocks is on average 10 minutes, regardless of the computational power dedicated to mining. Mining is the process of finding a valid proof of work hash by iterating through a nonce space in the block header.

2.1.2 51% attack

Security of Bitcoin rests to some extent on economic incentives. Miners are motivated to behave honestly and work on a single, longest chain of blocks.
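
The hash-chain linking of Sect. 2.1 and the nonce search of Sect. 2.1.1 can be tried out together in the following added example, which is not part of the thesis proposal. It assumes a simplified header layout (not Bitcoin’s real block header), a constructed toy target, and hypothetical helper names; it shows that editing one block is detected at that block, and that re-mining only that block moves the break to its successor.

```python
import hashlib
import struct

GENESIS_PREV = b"\x00" * 32   # the genesis block links to nothing
TARGET = 1 << 244             # constructed toy difficulty: ~4096 tries per block

def dsha256(data: bytes) -> bytes:
    """Double SHA-256, the proof-of-work hash named in Sect. 2.1.1."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def header(prev: bytes, payload: bytes, nonce: int) -> bytes:
    # Simplified header (assumption): previous hash | payload hash | 32-bit nonce.
    return prev + dsha256(payload) + struct.pack("<I", nonce)

def mine(prev: bytes, payload: bytes, target: int = TARGET) -> dict:
    """Iterate the nonce space until the header hash falls below the target."""
    for nonce in range(2**32):
        digest = dsha256(header(prev, payload, nonce))
        if int.from_bytes(digest, "big") < target:
            return {"prev": prev, "payload": payload, "nonce": nonce, "hash": digest}
    raise RuntimeError("nonce space exhausted")

def build_chain(payloads, target: int = TARGET) -> list:
    """Mine one block per payload, each linking to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        chain.append(mine(prev, payload, target))
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain, target: int = TARGET):
    """Index of the first block with a broken link or proof of work, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = dsha256(header(block["prev"], block["payload"], block["nonce"]))
        bad_link = block["prev"] != prev or digest != block["hash"]
        if bad_link or int.from_bytes(digest, "big") >= target:
            return i
        prev = block["hash"]
    return None

if __name__ == "__main__":
    chain = build_chain([b"tx set 0", b"tx set 1", b"tx set 2"])  # constructed payloads
    print("intact chain:", first_invalid(chain))
    chain[1]["payload"] = b"forged tx set"                 # edit without re-mining
    print("after edit:", first_invalid(chain))
    chain[1] = mine(chain[0]["hash"], b"forged tx set")    # re-mine only block 1
    print("after re-mining block 1:", first_invalid(chain))
```
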