
Lecture 2

How Bitcoin Achieves Decentralization


Background: Blockchain
Structure of a bitcoin block
Block Structure — Bitcoin. Number in brackets is the size in bytes. Each
individual cell is 1 byte. Hence a field of 4 bytes occupies 4 cells. Fields from
Version till Nonce form the block header (Total 80 bytes)
• Merkle tree
• Each transaction is hashed twice: Hash[Tx(A)] = SHA256(SHA256(Transaction A))
• Adjacent hashes are concatenated and double-hashed again, level by level, until a single Merkle root remains; that root is the value stored in the block header
• A level with an odd number of hashes cannot be fully paired, so its last hash is duplicated (hashed with itself) before moving up a level
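The Merkle construction above, as an added Python example (not code from the lecture). It uses only the standard library; the three 32-byte transaction ids in the usage are constructed placeholders, not real txids. The duplicate-txid check is the caveat a validator needs because of the odd-level duplication rule.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's transaction/block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list) -> bytes:
    """Merkle root of a block's transaction hashes (raw 32-byte digests, in block order).

    Each level pairs neighbours and double-SHA256s their concatenation. A level with an
    odd number of entries gets its last entry duplicated so that it can be paired.
    """
    if not txids:
        raise ValueError("a block always contains at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])                    # duplicate the odd hash out
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_root_hex(txids: list) -> str:
    """The root as block explorers print it: byte-reversed hex."""
    return merkle_root(txids)[::-1].hex()


def has_duplicate_txids(txids: list) -> bool:
    """Validation caveat: because of the duplication rule, the transaction lists
    [a, b, c] and [a, b, c, c] produce the same root. A validator that trusts the
    root alone could be handed a block with a repeated transaction (this was
    CVE-2012-2459), so it must also reject duplicate txids explicitly."""
    return len(set(txids)) != len(txids)


if __name__ == "__main__":
    # constructed placeholder txids, not real transactions
    a, b, c = (bytes([i]) * 32 for i in (1, 2, 3))
    print(merkle_root_hex([a, b, c]))
    print(merkle_root([a, b, c]) == merkle_root([a, b, c, c]))   # True: why duplicates must be rejected
```

The root alone therefore proves which transactions are in a block only in combination with the rule that a block may not list the same transaction twice.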
• Timestamp
• Encoded as a Unix ‘Epoch’ timestamp: the number of seconds elapsed since January 1, 1970, midnight UTC/GMT
• A block is ACCEPTED only if its timestamp is greater than the median timestamp of the previous 11 blocks, and less than the network-adjusted time + 2 hours
• Network-adjusted time is the local clock corrected by the median of the time offsets reported by the nodes connected to you
• These two bounds only pin the timestamp down to within an hour or two, so block times are an approximate clock: a miner can skew a timestamp within that window but cannot move it arbitrarily, which bounds how much the timestamps (and therefore the difficulty retarget that depends on them) can be manipulated
• Difficulty
• Difficulty is a measure of how hard it is to find a hash below a given target. The Bitcoin network has a single global block difficulty; valid blocks must have a hash at or below the corresponding target
• The difficulty is recalculated every 2016 blocks
• Nonce
• The "nonce" in a bitcoin block is a 32-bit (4-byte) header field whose value is adjusted by miners so that the hash of the block header is less than or equal to the current target of the network
• Because this iterative search costs time and resources, presenting a block whose nonce satisfies the target constitutes proof of work
• A golden nonce in Bitcoin mining is a nonce that results in a hash value lower than the target
• A 32-bit nonce allows only 2^32 attempts per header; when it is exhausted without success, miners change the timestamp or the coinbase transaction (which changes the Merkle root) and search the nonce space again
• Target
• The target is a 256-bit number (extremely large) that all Bitcoin clients share. The double SHA-256 hash of a block's header must be lower than or equal to the current target for the block to be accepted by the network
• The lower the target, the more difficult it is to generate a block
• Mining
• Any change to the block data (such as the nonce) makes the block hash completely different
• Since it is believed infeasible to predict which input will produce a suitable hash, many different nonce values are tried and the hash is recomputed for each until a hash less than or equal to the current target of the network is found
• Mining is the work of finding a nonce such that sha256(sha256(header including nonce)) <= target
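The header, target, nonce and timestamp rules above, put together as an added Python example (not code from the lecture). It serialises an 80-byte header, expands the compact `bits` field, mines a nonce against a constructed toy header, verifies the result the way every node does, and checks the two timestamp rules. The genesis block header is real public data; the toy header's Merkle root, and the compact value 0x1F00FFFF (far easier than anything mainnet accepts), are constructed for the demonstration.

```python
import hashlib
import struct
from statistics import median


def dsha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def bits_to_target(bits: int) -> int:
    """Expand the 4-byte compact 'bits' header field into the 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def serialize_header(version: int, prev_hash_hex: str, merkle_root_hex: str,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """Build the 80-byte header: 4 + 32 + 32 + 4 + 4 + 4 bytes, all little-endian.
    Hashes are displayed big-endian, so the hex strings are byte-reversed here."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<III", timestamp, bits, nonce))


def header_hash_int(header: bytes) -> int:
    """The value compared with the target: the digest read as a little-endian uint256."""
    return int.from_bytes(dsha256(header), "little")


def header_hash_hex(header: bytes) -> str:
    """The block hash as explorers display it (byte-reversed, leading zeros visible)."""
    return dsha256(header)[::-1].hex()


def header_meets_target(header: bytes) -> bool:
    """Verification: anyone recomputes the hash and compares it with the target in the header."""
    if len(header) != 80:
        raise ValueError("a block header is exactly 80 bytes")
    bits = struct.unpack("<I", header[72:76])[0]
    return header_hash_int(header) <= bits_to_target(bits)


def mine(header: bytes) -> bytes:
    """Mining: brute-force the 4-byte nonce (bytes 76..79) until the hash is at or below the target."""
    target = bits_to_target(struct.unpack("<I", header[72:76])[0])
    prefix = header[:76]
    for nonce in range(2**32):
        candidate = prefix + struct.pack("<I", nonce)
        if int.from_bytes(dsha256(candidate), "little") <= target:
            return candidate
    # All 2^32 nonces failed: a real miner now changes the timestamp or the coinbase
    # transaction (which changes the Merkle root) and searches the nonce space again.
    raise RuntimeError("nonce space exhausted")


def timestamp_is_valid(timestamp: int, prev_11_timestamps, network_adjusted_time: int) -> bool:
    """The two timestamp rules: above the median of the previous 11 blocks,
    and below network-adjusted time plus two hours."""
    return median(prev_11_timestamps) < timestamp < network_adjusted_time + 2 * 60 * 60


# Real data: the mainnet genesis block header (public, well known).
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c")


if __name__ == "__main__":
    print(header_hash_hex(GENESIS_HEADER), header_meets_target(GENESIS_HEADER))
    # Constructed toy header; 0x1F00FFFF makes the search finish in about 65k hashes.
    template = serialize_header(1, "00" * 32, "ab" * 32, 1231006505, 0x1F00FFFF, 0)
    mined = mine(template)
    print(header_hash_hex(mined), header_meets_target(mined))
```

Note that the comparison is done on the digest read as a little-endian integer, which is why the displayed (byte-reversed) hash of a valid block shows its zeros at the front.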
• HashCash based Proof of Work
• Sender side
• The sender prepares a header (containing, among other fields, the date and the recipient's e-mail address) and appends a counter initialised to a random number. It then computes the 160-bit SHA-1 hash of the header
• If the first 20 bits (i.e. the 5 most significant hex digits) of the hash are all zeros, this is an acceptable header
• If not, the sender increments the counter and hashes again
• Out of 2^160 possible hash values, 2^140 satisfy this criterion
• Thus the chance that a randomly chosen header hashes to 20 leading zeros is 1 in 2^20
• No method more efficient than this brute-force search is known for finding a valid header
• Receiver side
• The recipient's computer calculates the 160-bit SHA-1 hash of the entire string
• If the first 20 bits are not all zero, the stamp is invalid
• If the date in the header is not within two days of the current date, it is invalid
• The e-mail address in the header must match one of the valid e-mail addresses registered by the recipient
Bitcoin
• Is a peer-to-peer network that maintains a public, decentralized ledger of digital, math-based assets known as bitcoins
• The integrity of this ledger is backed and secured by a sub-network of computers (miners) who audit and archive its transactions for a reward
• A transaction, commonly described as "sending a bitcoin", is an instruction to the network to change custody of coins in the public ledger
• The change of custody is not final, however, until the transaction has been included in a block and that block has been built upon by the majority of the network's hash power (see the consensus discussion below)
• How does bitcoin solve the double-spending problem?
• This is the central idea behind Bitcoin:
• Each block includes the previous block's hash (this links the blocks into a chain), and the honest nodes of the network always do their work on the longest chain of blocks
• A double-spending attack therefore requires calculating (and later publishing) a forked block chain in secret that is longer than the "honest chain" containing the transaction to be undone
• Because of the work required, this race can only be won reliably if the attacker has more computation power than the rest of the network combined
• Since using such computation power to mine honestly is likely more profitable than pulling off a double-spend, the incentive for a double-spend attack is low

• How does the bitcoin network verify a new block?
• Mining
• Bitcoin miners search for a number (the "nonce") that, when inserted into the current block header, makes the block hash fall below the current target. They then send that block around the network.
• Verification
• Everyone checks the proof-of-work by hashing the block header themselves and confirming that the result is below the current target. In mining pools, miners do the same thing, but against a much higher (easier) pool target. Finding a hash that meets the pool target is called "mining a share". A small fraction of the shares will also have a hash below the actual network target; the pool then collects the block reward (25 BTC at the time of this slide) and distributes it to the miners in proportion to the shares they submitted, normally using an elaborate share-accounting scheme designed to prevent cheating and pool hopping.
• What is a blockchain?
• A data store, usually containing financial transactions, that is replicated over a number of systems in a peer-to-peer network, where every write (each new block) is validated by cryptographic functions, which makes past records hard to change.
• What are the types of blockchain?
• Public (permissionless) or (Pseudonymous)
• Anyone can read/write the transactions
• Private (permissioned) or (identified)
• participants are known and trusted
• Data storage
• A blockchain is just a file
• It competes most closely with a database
• Blocks in a chain = pages in a book
• Blocks contain content (the transactions) and a header
• Block order is fixed by the chain itself: each block's header carries the hash of the previous block
• Data distribution
• Peer-to-peer network
• Challenge: determining the real or true state or value of the data
• Even if all the nodes are trusted, they work at different speeds and have slightly different states at any given moment
• If some or all of the nodes are untrusted, how do you ensure that the system can’t easily be corrupted by bad peers?

• CONSENSUS: How do you resolve conflicts?
• Conflict #1: A common conflict is when multiple miners create blocks at roughly the same time. Because blocks take time to be shared across the network, which one should count as the legitimate block?
• Apply the longest chain rule: if you see multiple blocks, treat the longest chain as legitimate.
• Scenario: If three miners across the world create ‘Block 81’ at roughly the same time, which ‘Block 81’ should be considered valid?
• They will certainly contain a different payment address for the 25 BTC block reward, and they may contain a different set of transactions: call them 81a, 81b, 81c
• Suppose you assume 81a is valid and start creating 82a; in the meantime 82b arrives, followed by 83b. Under the longest chain rule, 80-81a is shorter than 80-81b-82b-83b, so you switch to building on 83b and 81a is orphaned
• Bitcoin Core actually selects the chain with the most cumulative proof of work; while the difficulty is constant this is the same as the longest chain, which is the simplification used on these slides
• UPGRADES
• Suggest the change – Bitcoin Improvement Proposal (BIP):
• Improvements are proposed as BIPs, discussed, and, if accepted, written into the Bitcoin Core software
• Adoption of the change by the miners and nodes
• The upgrade can be downloaded by nodes and block makers (miners) and run, but only if they want to
• Miner node
• Download the Bitcoin Core software and install it on your node; the resulting full node is capable of:
• Connecting to the bitcoin network
• Downloading the blockchain
• Storing the blockchain
• Listening for transactions
• Validating transactions
• Passing on valid transactions
• Listening for blocks
• Validating blocks
• Passing on valid blocks
• Creating blocks
• ‘Mining’ the blocks
• DEFENCE: How do you make it hard for baddies?
• A dishonest miner can:
• Refuse to relay valid transactions to other nodes
• Attempt to create blocks that include or exclude specific transactions of his choosing
• Attempt to create a ‘longer chain’ of blocks that make previously accepted blocks become ‘orphans’
and not part of the main chain
• He can’t:
• Create bitcoins out of thin air*
• Steal bitcoins from your account
• Make payments on your behalf or pretend to be you
• With transactions
• Very limited effect. Honest nodes simply reject any invalid transactions from him
• With blocks
• If he has sufficient block creation power, he can delay your transaction by refusing to include it in his
blocks
• your transaction will still be known by other honest nodes as an ‘unconfirmed transaction’, and they will
include it in their blocks
• Worst case scenario – Double spending attack
• create a longer chain of blocks than the rest of the network, and invoking the “longest
chain rule” to kick out the shorter chains. This lets him unwind a transaction.
• Create two payments with the same bitcoins: one to an online retailer, the other to yourself (another
address you control)
• Only broadcast the payment that pays the retailer
• When the payment gets added in an honest block, the retailer sends you goods
• Secretly create a longer chain of blocks which excludes the payment to the retailer, and includes the
payment to yourself
• Publish the longer chain. If the other nodes are playing by the “longest chain rule” rule, then they will
ignore the honest block with the retailer payment, and continue to build on your longer chain. The
honest block is said to be ‘orphaned’ and does not exist to all intents and purposes.
• The original payment to the retailer will be deemed invalid by the honest nodes because those
bitcoins have already been spent (in your longer chain)
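The fork-resolution rule from the ‘Block 81’ scenario and the double-spend attack just described, as an added Python simulation (not code from the lecture). Block and transaction ids are constructed placeholders. Each node keeps every block it has heard of and re-selects its active chain by cumulative work, breaking ties in favour of the block seen first; with equal work per block this is exactly the longest chain rule.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    prev: str          # id of the block this one extends ("" for the genesis block)
    txs: tuple         # transaction ids it contains
    work: int = 1      # expected hashes needed to find it; equal for all blocks while difficulty is constant

    @property
    def id(self) -> str:
        payload = f"{self.prev}|{'|'.join(self.txs)}|{self.work}".encode()
        return hashlib.sha256(payload).hexdigest()[:16]


class Ledger:
    """One node's view: every block it has heard of, in arrival order."""

    def __init__(self, genesis: Block):
        self.blocks = {}                       # id -> Block; dict order = arrival order
        self.add(genesis)

    def add(self, block: Block) -> None:
        if block.prev and block.prev not in self.blocks:
            raise ValueError("parent unknown; cannot connect this block")
        self.blocks[block.id] = block

    def chain(self, tip: str) -> list:
        """Block ids from genesis to `tip`, following prev pointers backwards."""
        out = []
        while tip:
            out.append(tip)
            tip = self.blocks[tip].prev
        return out[::-1]

    def cumulative_work(self, tip: str) -> int:
        return sum(self.blocks[b].work for b in self.chain(tip))

    def best_tip(self) -> str:
        """Most cumulative work wins; among equals, the tip seen first (what nodes actually do)."""
        extended = {b.prev for b in self.blocks.values()}
        tips = [bid for bid in self.blocks if bid not in extended]
        arrival = {bid: i for i, bid in enumerate(self.blocks)}
        return max(tips, key=lambda t: (self.cumulative_work(t), -arrival[t]))

    def confirmations(self, txid: str) -> int:
        """0 if the transaction is not on the active chain; 1 if it is in the tip block, 2 one below, ..."""
        active = self.chain(self.best_tip())
        for depth, bid in enumerate(reversed(active), start=1):
            if txid in self.blocks[bid].txs:
                return depth
        return 0


def double_spend_scenario():
    """The attack from the slides: the honest chain carries the retailer payment; the attacker
    publishes a longer secret chain carrying the conflicting payment to himself."""
    genesis = Block("", ("coinbase-80",))
    ledger = Ledger(genesis)
    b81a = Block(genesis.id, ("coinbase-81a", "pay-retailer"))
    ledger.add(b81a)
    ledger.add(Block(b81a.id, ("coinbase-82a",)))
    before = ledger.confirmations("pay-retailer")      # retailer sees 2 confirmations and ships
    x81 = Block(genesis.id, ("coinbase-81x", "pay-self"))
    x82 = Block(x81.id, ("coinbase-82x",))
    x83 = Block(x82.id, ("coinbase-83x",))
    for blk in (x81, x82, x83):                         # mined in secret, published together
        ledger.add(blk)
    after = ledger.confirmations("pay-retailer")       # the honest blocks are now orphaned
    return before, after, ledger.confirmations("pay-self")


if __name__ == "__main__":
    print(double_spend_scenario())   # (2, 0, 3)
```

Run the scenario and the retailer payment goes from two confirmations to none the moment the attacker's chain arrives, which is why a merchant's confidence is a function of confirmations, not of having seen the transaction in any block.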
• How do you make it hard for dishonest miners to create blocks?
• computationally expensive to add blocks
• guessing game where block-makers need to guess a number, which when
crunched with the rest of the block data contents, results in a hash / fingerprint
that is smaller than a certain number
• INCENTIVES: How do you pay validators?
• miners do lots of mining, increasing the difficulty and raising the walls against network
attacks. They are rewarded in bitcoin according to a schedule, and in time, as the block
rewards reduce, transaction fees become the incentive that miners collect.
Bitcoin
• Bitcoin
• Is a decentralized electronic payment system based on cryptographic proof instead of trust, enabling two willing parties to transact directly with each other without the need for a trusted third party such as a centralized bank
• Cannot be printed: new coins are created only through the block reward schedule
• Resistant to manipulation as long as honest nodes control the majority of the hash power
• Backed by hard, energy-intensive computational puzzles (proof of work)
• Inflation-resistant: the issuance schedule is fixed in advance
• Takes monetary control away from governments
• Transfers settle faster than traditional bank transfers
• Fixed supply of 21 million bitcoin
Centralization vs. decentralization
• Competing paradigms that underlie many digital technologies
• Centralized: online social networking services (Facebook, Google)
• Decentralized: the Internet, e-mail service and the SMTP protocol
• Decentralization is not all-or-nothing. For example, e-mail has a decentralized protocol (SMTP), but is dominated by centralized webmail services
Comparison between banking and bitcoin network
Banking network
• Relies on trusted third parties to process electronic payments
• Completely non-reversible transactions are not really possible
• Financial institutions cannot avoid mediating disputes
• The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility of small casual transactions
• Demands more information from customers than would otherwise be needed
• A certain percentage of fraud is accepted as unavoidable
Bitcoin network
• Parties transact directly with each other without the need for a trusted third party
• An electronic payment system based on cryptographic proof instead of trust
• Transactions that are computationally impractical to reverse protect sellers from fraud
• The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attackers
• The double-spending problem is solved using a peer-to-peer distributed timestamp server that generates computational proof of the chronological order of transactions
Aspects of decentralization in Bitcoin
1. Who maintains the ledger? (Our focus in this chapter)
2. Who has authority over which transactions are valid?
3. Who creates new bitcoins?
4. Who determines how the rules of the system change?
5. How do bitcoins acquire exchange value?
Beyond the protocol: exchanges, wallet software, service providers...
Aspects of decentralization in Bitcoin
1. Peer-to-peer network:
Open to anyone, Low barrier to entry

2. Mining:
Open to anyone, but inevitable concentration of power
often seen as undesirable

3. Updates to software:
Core developers trusted by community, have great power
Needs of decentralization in Bitcoin
• Objective: A purely peer-to-peer version of electronic cash would allow online
payments to be sent directly from one party to another without going through a
financial institution
• Challenge: Double spending attack
• Solution:
• Digital signatures provide part of the solution
• Main benefits are lost if a trusted third party is still required to prevent double-spending
• Solution for double-spending problem using a peer-to-peer network
• network timestamps transactions by hashing them into an ongoing chain of
hash-based proof-of-work, forming a record that cannot be changed without
redoing the proof-of-work
• longest chain not only serves as proof of the sequence of events witnessed,
but proof that it came from the largest pool of CPU power
• Benefit: As long as a majority of CPU power is controlled by nodes
that are not cooperating to attack the network, they'll generate the
longest chain and outpace attackers
Distributed consensus
Bitcoin’s key challenge
• Key technical challenge of decentralized e-cash: distributed consensus
• or: how to decentralize ScroogeCoin
Why consensus protocols?
• Traditional motivation: reliability in distributed systems
• A distributed key-value store enables various applications: DNS, public key directory, stock trades …
Defining distributed consensus
• There are n nodes, each with an input value. Some nodes are faulty or malicious. A distributed consensus protocol has the following two properties:
1. The protocol terminates and all honest nodes agree on the same value
2. This value must have been proposed by some honest node

What does this mean in the context of Bitcoin?
Bitcoin is a peer-to-peer system. When Alice wants to pay Bob, she broadcasts the transaction to all Bitcoin nodes.
[Figure: a transaction “Pay to pk_Bob : H(…)”, signed by Alice]
Note: Bob’s computer may not be in the picture or online!
In fact, running a Bitcoin node is not necessary for Bob to receive the funds. The bitcoins will be his regardless.
What do nodes need to reach a consensus on?
● Which transactions were broadcast on the network
● The order in which these transactions occurred
Result of the consensus protocol: a single, global transaction ledger for the system
Signature verification
How consensus could work in Bitcoin
At any given time (in the bitcoin peer-to-peer network):
● All nodes have a sequence of blocks of transactions (called the ledger or block chain) they’ve reached consensus on
● Each node has a set of outstanding transactions it’s heard about (but not yet included in the block chain)
● For these transactions consensus has not yet happened
● Each node may have a slightly different outstanding transaction pool
How consensus could work in Bitcoin
[Figure: each node holds its own pool of outstanding transactions (Tx, Tx, …); the consensus protocol selects one block of transactions from among them]
OK to select any valid block, even if proposed by only one node


Why consensus is hard (esp. in the Bitcoin context)?
• Nodes may crash
• Nodes may be malicious
• The peer-to-peer network is imperfect:
• Not all pairs of nodes are connected (and not all may participate)
• Faults in the network
• Latency
• No notion of global time, which constrains the set of consensus algorithms that can be used
Many impossibility results
• Byzantine generals problem: consensus is impossible to achieve if 1/3 or more of the generals are traitors
• Fischer-Lynch-Paterson (deterministic nodes): consensus is impossible with even a single faulty node (under certain conditions, namely an asynchronous network)
Some well-known protocols
• Example: Paxos
• Never produces an inconsistent result, but can (rarely) get stuck
Understanding impossibility results
• The earlier results proven for specific models
• Specifically, distributed databases
• A distributed database model (and assumptions under it)
doesn’t carry over to Bitcoins!
• These results say more about the model than about
the problem
• What does it mean?
• It may be possible to develop consensus protocols that
work for Bitcoin networks
Bitcoin consensus: theory & practice
• Bitcoin consensus works better in practice than in theory
• Theory is still catching up
• BUT theory is important; it can help predict unforeseen attacks
So why is the problem of consensus different in
Bitcoins?
Introduces incentives
• Possible only because it’s a currency!
• So in Bitcoins we do not have to solve the consensus problem in general, but only
the one for a currency system

Embraces randomness
• Does away with the notion of a specific starting and ending point for consensus
• Consensus happens over long time scales — about 1 hour
• In summary, consensus in Bitcoins is not deterministic – Even at the end of 1 hour
nodes may not be 100% sure that their view of the block chain is the consensus view
• Although the probability of that not being the case is very low
Consensus without identity: using a block chain
Bitcoin’s consensus algorithm
Bitcoin nodes don’t have long-term identities
Why?

1. Identity is hard in a P2P system — Sybil attack

2. Pseudonymity is a goal of Bitcoin


Why is having an identity useful for consensus?
Answer: it makes the consensus protocol easier to design. How?
1. Pragmatic: some protocols need node IDs
• Protocols could have instructions of the form “Now node with lowest ID,
do something..”
• Without identities, instructions are constrained
2. Security: assume less than 50% malicious
• If nodes have identities, and difficult to create new node identities then
some assumptions about the number of malicious nodes can be made
• This can be used to prove certain security properties
How to overcome the lack of identity in Bitcoin?
• Weaker assumption: select a random node in the bitcoin network
• Analogy: lottery or raffle
• When tracking & verifying identities is hard, we give people tokens, tickets, etc.
• Key assumptions:
• Now we can pick a random ID & select that node
• Multiple sybil nodes run by the adversary are able to get only a single token (random ID)
Key idea: implicit consensus
1. In each round (corresponding to a different block in the block chain), a random node is picked
2. This node proposes the next block in the chain
• No consensus or voting is done by this node!
3. Other nodes implicitly accept/reject this block
• by either extending it
• or ignoring it and extending the chain from an earlier block
4. Every block contains the hash of the block it extends
Consensus algorithm (simplified)
1. New transactions are broadcast to all nodes
2. Each node collects new transactions into a block
3. In each round a random node gets to broadcast its block
4. Other nodes accept the block only if all transactions in it
are valid (unspent, valid signatures)
5. Nodes express their acceptance of the block by including
its hash in the next block they create
Now let’s analyze whether this works!
Assume a malicious adversary. Can this adversary subvert the implicit consensus process by:
1. Stealing bitcoins?
2. Denial of service?
3. Double spending?
What can a malicious node do?
[Figure: double-spending attack. Two transactions signed by A spend the same coin C_A: “C_A → B, Pay to pk_B : H(…)” and “C_A → A′, Pay to pk_A′ : H(…)”]
Honest nodes will extend the longest valid branch
In practice nodes extend the block that they first detect on the peer-to-peer network (not a solid rule)
From Bob the merchant’s point of view
[Figure: the block chain as Bob sees it. The C_A → B transaction sits in a block with 1 confirmation, then 3 confirmations as honest blocks are built on top; a later C_A → A′ double-spend attempt appears on a competing branch and is orphaned]
• 0 confirmations: Bob has merely heard about the C_A → B transaction on the network
• The double-spend probability decreases exponentially with the number of confirmations
• Most common heuristic: wait for 6 confirmations
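How fast the double-spend probability falls with confirmations, as an added Python example (not code from the lecture). It implements the catch-up analysis from the Bitcoin paper: the attacker's progress while the honest network mines z blocks is Poisson with mean z·q/p, and from a deficit of z−k blocks the attacker's chance of ever catching up is (q/p)^(z−k). The hash-power fractions used in the usage are assumed inputs.

```python
from math import exp, factorial


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hash power ever
    overtakes the honest chain after the merchant has waited for z confirmations."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be a fraction in [0, 1] and z non-negative")
    p = 1.0 - q                       # honest fraction
    if q >= p:
        return 1.0                    # with half or more of the hash power the attacker always wins eventually
    lam = z * q / p                   # expected attacker blocks while honest nodes mine z blocks
    total = 0.0
    for k in range(z + 1):            # attacker has mined k blocks so far ...
        poisson = exp(-lam) * lam ** k / factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))   # ... and fails to close a z-k deficit
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float = 0.001) -> int:
    """Smallest number of confirmations at which the attacker's chance drops to max_risk or below."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


def risk_table(q: float, max_z: int = 6) -> list:
    """(z, probability) pairs, the numbers behind the 'exponential decrease' on the slide."""
    return [(z, attacker_success_probability(q, z)) for z in range(max_z + 1)]


if __name__ == "__main__":
    for z, prob in risk_table(0.1):             # assumed: attacker has 10% of the hash power
        print(f"z={z}  P={prob:.7f}")
    print("confirmations for <0.1% risk at q=0.1:", confirmations_needed(0.1))
```

Against a 10% attacker six confirmations leave a risk of roughly 2 in 10,000; against a 30% attacker the same risk level needs several times as many, and at 50% no number of confirmations helps, which is the content of the “majority of hash power” assumption.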
Recap
• Protection against invalid transactions is cryptographic, but enforced by consensus
• Protection against double-spending is purely by consensus
• You’re never 100% sure a transaction is in the consensus branch; the guarantee is probabilistic
Incentives and proof of work
Assumption of honesty is problematic
• Can we give nodes incentives for behaving honestly?
• Can we reward the nodes that created the blocks on the consensus branch?
• Can we penalize the node that created a block off the consensus branch?
• Everything so far is just a distributed consensus protocol
• But now we utilize the fact that the currency has value
Incentive 1: Block Reward
Creator of a block gets to
• include a special coin-creation transaction in the block
• choose the recipient address of this transaction
Value is fixed: 12.5 BTC at the time of this slide, halving every 210,000 blocks (about every 4 years at the current rate of block creation)
• We are now in the third period; in the first period the block reward was 50 BTC
Block creator gets to “collect” the reward only if the block ends up on the long-term consensus branch!
• Subtle but powerful trick: incentivizes nodes to behave in a way that will get other nodes to extend their block
There’s a finite supply of bitcoins
Total supply: 21 million
• The block reward is how new bitcoins are created
[Figure: total bitcoins in circulation versus year. First inflection point: reward halved from 50 BTC to 25 BTC]
• The block reward reaches zero around the year 2140, after which no new bitcoins are created unless the rules change
• Does that mean that after the block reward runs out, nodes will no longer have an incentive to behave honestly?
• Not really!
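The issuance schedule behind the 21 million figure, as an added Python example (not code from the lecture). It mirrors the integer arithmetic the reference client uses (the subsidy is right-shifted, never rounded), which is why the cap is actually slightly below 21 million and why the reward hits zero in the 33rd era. The calendar estimate assumes a steady ten minutes per block from January 2009.

```python
COIN = 100_000_000                 # satoshis per bitcoin
HALVING_INTERVAL = 210_000         # blocks between halvings (about four years at 10 min/block)
INITIAL_SUBSIDY = 50 * COIN


def block_subsidy(height: int) -> int:
    """Coin-creation amount (in satoshis) the coinbase transaction may claim at `height`.
    The integer right shift floors the value exactly as the reference client does."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:             # shifting a 64-bit value by 64 is undefined in C, so stop here
        return 0
    return INITIAL_SUBSIDY >> halvings


def subsidy_era(height: int) -> int:
    """1 for the 50 BTC era, 2 for 25 BTC, 3 for 12.5 BTC, ..."""
    return height // HALVING_INTERVAL + 1


def total_supply() -> int:
    """Sum of every block subsidy that will ever be paid, in satoshis."""
    total, height = 0, 0
    while block_subsidy(height) > 0:
        total += block_subsidy(height) * HALVING_INTERVAL
        height += HALVING_INTERVAL
    return total


def first_zero_subsidy_height() -> int:
    """First block height at which the subsidy is exactly zero satoshis."""
    height = 0
    while block_subsidy(height) > 0:
        height += HALVING_INTERVAL
    return height


def estimated_year(height: int) -> float:
    """Rough calendar estimate assuming exactly 10 minutes per block since January 2009."""
    return 2009.0 + height * 10 / (60 * 24 * 365.25)


if __name__ == "__main__":
    print("total supply:", total_supply() / COIN, "BTC")
    h = first_zero_subsidy_height()
    print("subsidy reaches zero at height", h, "around", int(estimated_year(h)))
```

Because each era pays out half of the previous one, the reward that remains after any given halving is always equal to everything paid before it, which is what makes fees rather than subsidy the long-run incentive.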
Incentive 2: Transaction Fees
• The creator of a transaction can choose to make the output value less than the input value
• The remainder is a transaction fee and goes to the block creator (whoever first puts that transaction into a block)
• Purely voluntary, like a tip
• But the system will evolve, and fees will become mandatory in practice as block rewards run out
Remaining problems
1. How to pick a random node?
2. How to avoid a free-for-all due to rewards?
• Everybody may want to run a bitcoin node in order to get this free reward (block reward and transaction fees)
3. How to prevent Sybil attacks?
• An adversary may create a large number of Sybil nodes to subvert the consensus process
Proof of work
To approximate selecting a random node: select nodes in
proportion to a resource that no one can monopolize (we
hope)
• In proportion to computing power: proof-of-work
(Used in Bitcoins)
• In proportion to ownership of the currency: proof-of-
stake (Not used in Bitcoins – but a legitimate model used in
other cryptocurrencies)
Equivalent views of proof of work
1. Select nodes in proportion to computing power
2. Let nodes compete for the right to create a block
3. Make it moderately hard to create new identities
Hash puzzles
To create a block, find a nonce s.t. H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) is very small
In other words, H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
[Figure: a block with fields nonce, prev_h, Tx, Tx, …; the target space is a tiny region of the hash function’s output space]
If the hash function is secure (satisfies puzzle-friendliness), the only way to succeed is to try enough nonces until you get lucky
Advantage of such a PoW system?
• It completely does away with the problem of magically picking a random node (to propose a block)
• Nodes independently compete by attempting to solve hash puzzles
• Once in a while, one will succeed and propose the next block
• Result: such a system is completely decentralized: no one gets to decide which node proposes the next block
PoW property 1: difficult to compute
• Difficulty varies with time
• As of 2015: the difficulty level is over 10^20 hashes per block
• i.e., the size of the target space is <= 1/10^20 of the size of the hash’s output space
• Such a computation is not possible with commodity laptops
• Only some nodes bother to compete: miners
• This process of repeatedly solving hash puzzles is called bitcoin mining
• Technically anyone can mine; however, mining power is concentrated in a mining ecosystem
PoW property 2: parameterizable cost
• Nodes automatically re-calculate the target (the size of the target space as a fraction of the output space) every two weeks
• Goal: average time between blocks = 10 minutes
• In other words, recalculation takes place after every 2,016 blocks!
• Prob(Alice wins the next block) = fraction of global hash power she controls
Why is such a re-adjustment needed?
• It is inefficient if blocks are proposed too close to each other

• Would not be able to put multiple transactions in a single


block!

• Why 10 minutes?
• Not significant!
• Can change it to 5 minutes, and system would still work
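The retargeting rule behind “parameterizable cost”, as an added Python example (not code from the lecture). The constants are Bitcoin's (2016 blocks, two weeks, a maximum target of 0xFFFF·2^208); the clamp to a factor of four per period is the rule the reference client applies and is what keeps a single anomalous period from swinging the difficulty arbitrarily. The hash rates in the usage are assumed inputs.

```python
MAX_TARGET = 0xFFFF << 208                   # the easiest target allowed (difficulty 1)
TARGET_TIMESPAN = 14 * 24 * 60 * 60          # two weeks, in seconds
BLOCK_INTERVAL = 10 * 60                     # the 10-minute goal
RETARGET_BLOCKS = TARGET_TIMESPAN // BLOCK_INTERVAL   # 2016


def retarget(old_target: int, actual_timespan: int) -> int:
    """New target after one retarget period.

    Blocks arrived faster than planned: target shrinks (harder). Slower: target grows
    (easier). The measured timespan is clamped to [1/4, 4x] of the planned two weeks,
    and the result can never be easier than MAX_TARGET.
    """
    clamped = max(TARGET_TIMESPAN // 4, min(TARGET_TIMESPAN * 4, actual_timespan))
    new_target = old_target * clamped // TARGET_TIMESPAN
    return min(new_target, MAX_TARGET)


def difficulty(target: int) -> float:
    """Difficulty as clients report it: how many times harder than the easiest target."""
    return MAX_TARGET / target


def expected_hashes_per_block(target: int) -> float:
    """Average hashes the whole network needs per block at this target."""
    return 2**256 / (target + 1)


def win_probability(my_hashrate: float, global_hashrate: float) -> float:
    """Prob(I find the next block) = my share of global hash power."""
    return my_hashrate / global_hashrate


def expected_seconds_to_block(my_hashrate: float, target: int) -> float:
    """Mean time for a single miner to find a block at this target, working alone."""
    return expected_hashes_per_block(target) / my_hashrate


if __name__ == "__main__":
    t = MAX_TARGET >> 20                      # assumed current target (difficulty 2^20)
    fast = retarget(t, TARGET_TIMESPAN // 2)  # last 2016 blocks took only one week
    print(difficulty(t), "->", difficulty(fast))
    print(win_probability(1e15, 1e17), expected_seconds_to_block(1e15, t))
```

One caveat a practitioner should know: the reference client measures the actual timespan between the first and last block of the 2016-block window, i.e. over 2015 intervals rather than 2016, a long-standing off-by-one that slightly biases the average block time below ten minutes. The simplified function above uses the nominal window.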
Key security assumption
• Bitcoin attacks are infeasible if the majority of miners, weighted by hash power, follow the protocol (i.e. are honest)
• This ensures a better than 50% chance that the next block is proposed by an honest node!
Solving hash puzzles is probabilistic
[Figure: probability density of the time to the next block (for the entire network), with its mean of 10 minutes marked]
PoW property 3: trivial to verify
• The nonce must be published as part of the block
• Other miners simply verify that H(nonce ‖ prev_hash ‖ tx ‖ … ‖ tx) < target
• Advantage? No centralized verifier is needed! Any node or miner can verify that the block was correctly mined
Mining economics
If mining reward (block reward + Tx fees) > mining cost (hardware + electricity cost) → profit
Complications:
• Fixed (hardware) vs. variable (electricity) costs
• Reward depends on the rate at which a miner proposes blocks (ratio of their hash rate to the global hash rate)
• Cost is in dollars, but the reward is in BTC, so profit depends on the exchange rate
Computing more than 10^20 hashes to obtain 12.5 BTC was profitable at the exchange rate current when this slide was written
Putting it all together
Recap
• Identities
• Transactions
• P2P network
• Block chain & consensus
• Hash puzzles & mining
Bitcoin is bootstrapped
[Figure: a cycle of three mutually reinforcing properties: security of the block chain, health of the mining ecosystem, and value of the currency. Each one holds up the next]
What can a “51% attacker” do?
• Steal coins from an existing address? ✗
• Suppress some transactions?
• From the block chain ✓
• From the P2P network ✗
• Change the block reward? ✗
• Destroy confidence in Bitcoin? ✓✓
Remaining questions
1. How do we get from consensus to currency?
2. What else can we do with consensus?
How to store and use Bitcoins
• To spend someone’s bitcoin, it is necessary to know two things
• some information stored on the public blockchain: the identity and the value of the coins (the unspent outputs)
• the secret key of the owner of the bitcoin
• Is it true that, if bitcoins are stored in wallets, copying your wallet would give you double the number of bitcoins?
• No: you are cloning your private keys, not the bitcoins
• Which is stored in the blockchain: the bitcoin, or the ownership of the bitcoin? The ownership of the bitcoin
• Hence storing bitcoin is nothing but storing keys
• Important preconditions to use bitcoins:
• be able to spend your own money when you want to
• nobody else can spend your money
• convenience: the process must be relatively simple and must not cost too much
Possible approaches to store the keys
• Digital
• Store the keys on a local device, such as a computer, a phone
• + convenience: the money could be accessible just pushing a
button
• - availability: if the device crashes or you lose it, the money is
lost with it
• - security: if someone manages to break into the device the
security is broken. It's just as safe as carrying money in the
pocket.
• Paper
• Write or print your keys on paper (offline, but easily lost, damaged or photographed)
• How will you solve these issues?
• Use wallets: software wallets or hardware wallets
Wallet software
• + convenience:
• keeps track of the money
• provides a nice user interface.
• higher level of anonymity or privacy, using a whole bunch of
different keys and addresses.
• Automatically store and manage them
• To receive money, provide the third party an address belonging to
your wallet through a string or a QR Code.
• + availability:
• Possible to connect from every device with the personal account
• + security:
• If someone is able to break into the system, all the money can be
stolen. However it is typically more secure than a personal device.
Types of Wallets: Software and Hardware
• Software Wallets
• Create new Bitcoin addresses and store the corresponding private keys
• Display your addresses to someone who wants to send you a payment
• Display how many bitcoins are in your addresses
• Make Bitcoin payments
• Ex: Blockchain.info, Electrum, Jaxx and Breadwallet

• Hardware Wallets
• Bitcoin wallets with hardware component wherein the private keys are stored in chips on
small handheld devices
• only respond to certain pre-programmed requests
• For example, Sign this transaction request
• private key is stored on hardware that is not connected to the internet
• can communicate with the outside world only via a limited set of pre-programmed
interfaces
• Ex: Trezor and Ledger Nano
Software Wallets
• Address Creation
• Step 1: Generate some randomness and use it to pick a number between 1 and n-1, where n (just under 2^256) is the order of the secp256k1 curve. This is your private key.
• Step 2: Multiply the curve’s generator point by the private key (elliptic-curve scalar multiplication) to obtain a public key.
• Step 3: Hash your public key twice (SHA-256, then RIPEMD-160) to obtain the 20-byte hash that becomes your Bitcoin address.
• Step 4: Save the private key and its corresponding address.
• Address Display – Encoding Bitcoin addresses
• When someone wants to send you bitcoins, you need to tell them your address
• Encoded string – Base58Check
• Take the bytes of the address (a version byte, the 20-byte hash and a 4-byte checksum) and convert them from a binary number to base 58, using 58 characters to encode each digit. Why 58? Lower case + upper case + digits = 26+26+10 = 62; after leaving out the confusable characters 0, O, I and l, 58 remain
• Ex: 1LfSBaySpe6UBw4NoH9VLSGmnPvujmhFXV
• QR code – 2-dimensional barcode
• Nothing but the same text, encoded visually so that QR code scanners can read it and convert it back into text
• Vanity address
• an address that starts with some human-meaningful text: 1bonesEeTcABPjLzAb1VkFgySY6Zqu3sX
• Account Balance
• Needs all the transactions going in and out of the addresses
• full node wallet
• storing the entire blockchain and keeping it up to date
• constantly connected over the internet to other Bitcoin nodes
• lightweight wallet
• connecting to a node elsewhere which does the heavy lifting
• Bitcoin Payments
• Wallets have the capability to know the account balances as well as make payments
• Generates a bundle of data called a ‘transaction,’ which includes
• references to the coins that are going to be spent (transaction inputs consisting of unspent outputs of previous
transactions), and
• which accounts the coins will be sent to (new outputs).
• Vanity address (Bitcoin address)
• an address that starts with some human-meaningful text
• For example: the gambling website Satoshi Bones has users send money to addresses containing the string “bones” in positions 2 to 6, such as 1bonesEeTcABPjLzAb1VkFgySY6Zqu3sX (all regular addresses begin with the character 1, indicating pay-to-pubkey-hash)
• What is an address?
• address = Hash(Hash(public key)). The characters cannot simply be edited into the desired pattern: an address obtained that way corresponds to no known key pair, so nobody could ever spend from it
• How did they produce these addresses?
• They repeatedly generated private keys until they got lucky and found one whose address contained this pattern. Such addresses are called vanity addresses and there are tools to generate them
• How much work does this take?
• 58 possibilities for every character
• To find an address that starts with a specific k-character string, generate 58^k addresses on average until you get lucky (about 656 million addresses for a 5-character string)
• The work grows exponentially with the length of the desired prefix
• Speeding up vanity address generation:
• private key x
• public key is x·G (written g^x in multiplicative notation)
• address is H(x·G)
• After trying x·G, try (x+1)·G = x·G + G: each new candidate costs one point addition instead of a full scalar multiplication
Other features of Software Wallet
• Good wallet software has more functionality, including the ability to back up
private keys (encrypted with a passphrase) either to a user’s hard drive or to a
cloud storage server
• Generate one-time use addresses for privacy
• Hold addresses and private keys for multiple cryptocurrencies
• integrated with exchanges to allow users to convert between one
cryptocurrency and another directly from within the wallet software
• m of n ‘sharding’ or ‘splitting’ of a private key
• Allow you to split keys or set up addresses that require multiple digital signatures to
spend from
• 2-of-3 sharding where a private key is split into 3 parts, any 2 of which can be combined
to regenerate the original key
• Shamir’s secret sharing algorithm
• m of n ‘multi-sig’ addresses
• addresses that require multiple digital signatures to make payments from them
• multiple people need to sign or approve a transaction
Hardware Wallets
• Bitcoin wallets with a hardware component where private keys are stored
in chips on small handheld devices
• The user interface software for this hardware component is run on an
online machine.
• When it comes to the critical part of the transaction (the signing), the
unsigned transaction is sent to the hardware wallet, which returns the
signed transaction without revealing the private key
Storage of Keys: Cold or Hot Storage
• Wallets are software which are used to create and share the addresses with
which the account balance and payments can be made.
• However, they need some storage to manage data such as private keys and addresses
• It may be either local storage in your PC or mobile phone or an online storage.

Cold Storage                          Hot Storage
Offline (not connected to internet)   Online (connected to internet)
Similar to keeping money in a safe    Similar to keeping money in a wallet
Low availability                      High availability
Low convenience                       High convenience
More secure                           Less secure

[Figure: hot storage (online; convenient but risky) and cold storage (offline; archival but safer), each with separate keys]
• Is it possible to manage bitcoins only with cold storage?
• No! But it can be used together with a hot one, to store the majority of the bitcoins
• If you use both hot and cold storage together:
• Keep separate addresses and keys for each
• BENEFIT: coins in the cold storage will be safe even if the hot storage is compromised
• Moving bitcoins between hot and cold storage
• each side knows its own secret key and the receiving address of the other side
• Even if the cold storage is offline most of the time, it sometimes needs to connect
• to transfer money and to check whether its balance has changed.
• Scenario 1: hot storage is operating whereas the cold storage is offline
• If the amount in the hot storage becomes too high:
• Move some coins from hot storage to cold storage, using the cold side’s own addresses
• Challenge: to preserve privacy, each coin needs to be transferred to a different address. Since
the cold storage is offline, how does the hot side get these addresses from the cold storage?
• It can be done: Gmail does something similar for 2-factor authentication. Generate a list of codes, take a
printout, and use these codes to log in.
• Likewise, the cold storage needs to go online once, generate a list of addresses and transfer
it to the hot storage.
• The hot storage then uses these cold-storage addresses to transfer money to it.
• The last two steps are handled by a hierarchical wallet.
• If the amount in the hot storage becomes too low:
• Move some coins from cold storage to hot storage, but how?
• Connect the cold storage to the internet and transfer them
[Figure: hot storage (online; holds the hot secret key(s) and the cold address(es)) and cold storage (offline; holds the cold secret key(s) and the hot address(es)); payments flow between the two sides]

Problem: want to use a new address (and key) for each coin sent to cold storage.
But how can the hot wallet learn new addresses if the cold wallet is offline?

Awkward solution: generate a big batch of addresses/keys and transfer them to the hot side beforehand.

Better solution: hierarchical wallet.
Hierarchical Wallet
• Allows the cold storage side to have an unbounded number of addresses and
the hot side knows these addresses via short, one time communication
between the both sides.
• IMPORTANT - Regular key generation (generateKey) creates one public key
(address) and one secret key. With key generation info, it is possible to
create a sequence of addresses instead of just one, without leaking
information about the private keys.
• address generation info
• apply genAddr operation to the address generation info and integer i, obtaining the ith address
• private key generation info
• apply genKey operation to the key generation info and integer i, obtaining the ith private key
• This split-up enables address generation on the hot side and private key
generation on the cold side.
• ECDSA supports hierarchical key generation
• As long as the hot and cold side know the right sequence number, you can
generate addresses from the hot side and private keys on the cold side.
Hierarchical Wallet
• At the beginning the cold side does the generateKeysHier operation, obtaining
both the address and key generation info.
• Then it pass the address generation info to
the hot side.
• So, now they're connected and the two
sides can generate addresses or keys
when needed.
• When the cold side reconnects,
• it generates addresses sequentially and
checks the block chain for transfers to
those addresses until it reaches an
address that hasn’t received any coins.
• It can also generate private keys
sequentially if it wants to send some
coins back to the hot side or spend them
some other way
How to store the key or a key generation info in cold storage ?
• Digital Wallet
• Save it in phone or tablet, but If the device is stolen or broken, the keys get lost
• Brain Wallet
• encrypt the information with a password that we must remember; useful during travel or in poor
physical security situations
• subject to all possible attacks against passwords
• Online guessing of e-mail logins is solved by rate-limiting
• Here in a brain wallet, the attacker downloads all the addresses and tries to guess the passphrases offline (solved by strong passphrases
generated from a random 80-bit number)
• One passphrase-generation procedure that gives about 80 bits of entropy is to pick a random sequence of 6 words from among
the 10,000 most common English words (6 × log2(10000) is roughly 80)
• Key stretching: use a deliberately slow function to derive the private key from the passphrase to ensure it takes as long as possible for
the attacker to try all possibilities. Ex: take SHA-256 and compute, say, 2^20 iterations of it.
• A brain wallet also uses a predictable algorithm for turning a passphrase into a public and private key:
• hash the passphrase with a suitable hash function to derive the private key; given the private key, the public key can
be derived in a standard way
• Challenge: if the attacker can guess the passphrase, he can access all private keys in the brain wallet and thereby
own all the unspent bitcoins at those addresses
• Paper Wallet
• print the information (as a 2D barcode/QR code or as a string in base-58 notation) and lock it up in a safe, but it
can still be stolen
• Tamper-Resistant device
• store the offline information in some kind of tamper-resistant device.
Split and share keys
• So far different ways of storing the private keys in a single place were discussed
• Problem: Single point of failure
• Solution: split and share keys to have more security.
• Secret Sharing – split and share the keys
• split the key into N pieces such that,
• given any K of those pieces, it is possible to reconstruct the key, and
• given fewer than K pieces, it is impossible to learn anything about the original key.
• Example: N=2, K=2
• Step:1 – Choose the following
• large prime number P
• S is the secret and has to be in the range [0,P-1]
• R a random value, which is also in the range [0,P-1]
• Step:2 – Split the secret S as shown below
• X1 = (S+R) mod P
• X2= (S+2R) mod P
• Step:3 – Reconstruct S If both X1 and X2 are known:
• (2X1 - X2) mod P = (2S+2R-S-2R) mod P = S mod P = S
• How to increase N, with K=2
• take the 2D plane with X and Y axis
• choose a random value R
• draw a line with slope R and passing
through the point (0,S)
• the shares will be the points on the
line (1, S+R), (2, S+2R), (3, S+3R), ...
• Clearly it is possible to choose as
many shares as wanted, since there's
an infinite number of points on the
line
• Given any two points on a line, it is
possible to retrieve its equations
using the interpolation, so K=2.
• Given just one point, it's impossible
to retrieve any information about the
line
• If we do this operation using arithmetic modulo a large prime P, all we have said is still applicable.
[Figure caption: Representing a secret via a series of points on a random polynomial curve of degree K-1 allows the secret to be reconstructed if, and only if, at least K of the points (“shares”) are available]
• How to increase K?
• To increase K, use functions that require more than two points to be defined
• Ex: for K=3, use a quadratic function Y = R2·X^2 + R1·X + S, which requires two random parameters R1 and R2
• Ex: for K=4, use a cubic function (increase the polynomial degree)
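The construction described above (a random polynomial of degree K-1 over the integers modulo a large prime P, shares taken at X = 1, 2, 3, ...), as an added example that is not from the lecture. The prime P and the demo secrets are constructed; for K=2 with shares at X=1 and X=2, the general interpolation reduces to the slide's (2·X1 - X2) mod P formula, and the code also covers general N and K.

```python
"""Secret sharing over a prime field, an added example (not from the lecture).
Shares are points (X, f(X)) on a random polynomial of degree K-1 with f(0) = S;
any K shares recover S by Lagrange interpolation at X = 0."""
import secrets

P = 2**127 - 1  # constructed choice of large prime; any prime larger than S works


def share_two_of_two(secret: int, r: int, p: int = P) -> tuple:
    """The slide's N=2, K=2 split: X1 = (S+R) mod P, X2 = (S+2R) mod P."""
    return (secret + r) % p, (secret + 2 * r) % p


def recover_two_of_two(x1: int, x2: int, p: int = P) -> int:
    """The slide's reconstruction: (2*X1 - X2) mod P = S."""
    return (2 * x1 - x2) % p


def split_secret(secret: int, n: int, k: int, p: int = P) -> list:
    """General case: n shares on a degree-(k-1) polynomial; any k of them reconstruct S."""
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p-1]")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # f(X) = S + R1*X + R2*X^2 + ... + R_{k-1}*X^(k-1) with random coefficients R_j
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p

    # the shares are the points (1, f(1)), (2, f(2)), ..., (n, f(n))
    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shares: list, p: int = P) -> int:
    """Lagrange interpolation at X = 0 over whichever shares are supplied.
    With fewer than k shares the result is unrelated to S: nothing about S leaks."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p      # product of (0 - Xj)
                den = den * (xi - xj) % p  # product of (Xi - Xj)
        # pow(den, -1, p) is the modular inverse of den (Python 3.8+)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total
```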
• Advantages of secret sharing
• Adversary
• needs to retrieve K shares in order to get back the secret key
• needs to break the security of different places K times
• Disadvantages of secret sharing
• To sign a transaction, we need to reconstruct the key by bringing the shares together
• If an attack happens at that moment, it is easy to get the secret key
• Using Threshold cryptography
• produce Bitcoin signatures in a decentralized fashion using the shares
of the (split) key, without ever reconstructing the private key on any
single device
• Steps
• split its key material between your desktop and your phone
• initiate a payment on your desktop, which would create a partial signature and send it to
your phone
• Your phone would then alert you with the payment details — recipient, amount, etc. —
and request your confirmation
• your phone would complete the signature using its share of the private key and
broadcast the transaction to the block chain
• If there is malware on your desktop
• When it tries to steal your bitcoins, it might initiate a transaction that sends the funds to the hacker’s address,
but then you’d get an alert on your phone for a transaction you didn’t authorize
• Using Multi-signature
• Instead of taking a single key and splitting it, Bitcoin script directly allows you to stipulate
that control over an address be split between different keys. These keys can then be
stored in different locations and the signatures produced separately. Of course, the
completed, signed transaction will be constructed on some device
• Example: Andrew, Arvind, Ed, and Joseph are cofounders of a company which owns a lot of bitcoins. To
protect their storage they can decide to use a 3-out-of-4 multi-signature for their transactions. Each of
the four of them generates a key pair and signs separately. In 3-out-of-4 multi-sig, three
of them must sign to create a valid transaction.
• Advantages
• the four keys are kept separately and under different security arrangements, so it is quite difficult for an attacker
to retrieve 3 of them
• if one or two employees go rogue, they are still not able to take ownership of the money; the majority is
necessary to manage it
• in addition, if one person loses a key it is still possible to manage the cold storage and transfer the money to a
new place.
Threshold Cryptography vs Multi-Signatures
• Threshold signatures are a cryptographic technique to take a single
key, split it into shares, store them separately, and sign transactions
without reconstructing the key.
• Multi-signatures are a feature of Bitcoin script by which you can
specify that control of an address is split between multiple
independent keys. While there are some differences between them,
they both increase security by avoiding single points of failure.
Online Wallets – Wallet on the Cloud
• An online wallet is kind of like a local wallet that you might manage yourself,
• except the information is stored in the cloud, and
• you access it using a web interface on your computer or
• using an app on your smartphone
• site sends code
• site stores keys
• you log in to access wallet
• Coinbase and blockchain.info.
• Pros:
• convenient
• nothing to install
• works on multiple devices
• Cons:
• security worries
• what if site malicious?
• what if site compromised?
Bitcoin Exchanges
• Typical traditional bank service
• Open your account
• You deposit fiat currency; the bank promises to give it back later
• The bank takes some of that money and invests it, while keeping a fraction on hand to meet
the usual or unusual day’s demands – fractional reserve.
• Bitcoin exchange service
• Open your account
• You deposit fiat currency and bitcoin; the exchange promises to give it back in either or both forms
• You can credit or debit both bitcoin and fiat currency, and buy or sell bitcoins using fiat
currency
• If you want to buy 2 BTC, the exchange identifies a person who is willing to sell 2 BTC and connect him
to you.
• If my account holds 5000 dollars and 3 bitcoins and I use the exchange, I put an order to buy 2 bitcoins
for 580 dollars each, and the exchange finds someone who is willing to take the other side of that
transaction and the transaction happens. Now I have 5 bitcoins in my account instead of three, and
3840 dollars instead of 5000
• Pros
• Exchanges help to connect the Bitcoin economy and the flows of bitcoins with the fiat
currency economy
• Cons
• Three types of risks
• Bank Run: A run is what happens when a bunch of people show up all at once and want their money
back.
• Greedy behavior - Ponzi scheme: someone gets people to give them money in exchange for profits in
the future, but then actually takes their money and uses it to pay out the profits to people who bought
previously
• Inside/outside attackers: someone — perhaps even an employee of the exchange — will manage to
penetrate the security of the exchange to key information that controls large amounts of bitcoins
• A study in 2013 found that 18 of 40 Bitcoin exchanges had ended up closing due to some
failure or some inability to pay out the money that the exchange had promised to pay
out.
• The failure rate is nearly 45%, whereas banks do not have anything like that failure rate, thanks to regulation
• How should Bitcoin exchanges or other Bitcoin businesses be regulated?
• Proof of reserve (by signing a challenge string )
• The Proof of Reserve is made of two pieces:
• prove how much reserve it's holding.
• prove how many demand deposits the group holds.
• Aims to prove that the exchange holds a sufficient bitcoin reserve and that the valid customers
participated in the proof of reserve.
• How much reserve you’re holding?
• simply publishes a valid payment-to-self transaction of the claimed reserve amount
• How to prove these transactions are legitimate?
• sign a challenge string - a random string of bits generated by some impartial party — with the same
private key that was used to sign the payment-to-self transaction
• Proof of liabilities (by Merkle tree)
• How many demand deposits you hold?
• If you can prove your reserves and your demand deposits then anyone can simply divide those two numbers
and that's what your fractional reserve is
• Construction
• Leaf nodes are all the customers'
accounts and their individual deposit
• Root of the Merkle tree will correspond
to the total deposit amount
• The exchange can sign the root of the
tree, making a claim that it's valid.
• Verification
• Now each customer can ask to see that
they are included in the tree.
• The exchange can show the path to the
customer account and the customer can
check that the hash pointers are
consistent all the way down and that
starting with its deposit the amount add
up to the total.
• If everybody does it, then every branch
of the tree is explored and verified.
• Proof of liabilities
• The exchange publishes the root of a Merkle tree that contains all users at the leaves,
including deposit amounts.
• Any user can request a proof of inclusion in the tree, and verify that the deposit sums are
propagated correctly to the root of the tree.
• Proof of Inclusion
• The root hash pointer and root value are the same as what the exchange signed and
published.
• The hash pointers are consistent all the way down, that is, each hash value is indeed the
cryptographic hash of the node it points to.
• The leaf contains the correct user account info (say, username/user ID, and deposit
amount).
• Each value is the sum of the two values beneath it.
• Neither of the values is a negative number.
• Drawback of these: leak lot of private information
• Solution: Proof of Solvency
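The proof-of-liabilities tree and the five proof-of-inclusion checks above, as an added example (not from the lecture or from any exchange's code). Customer names and balances are constructed; the hash layout (domain-separated SHA-256 over both children's hashes and values, zero-value padding for an odd level) is an assumption of this example.

```python
"""Proof-of-liabilities Merkle sum tree, an added example (not from the lecture).
Every node is (hash, value): a parent's value is the sum of its two children and its
hash commits to both children's hashes AND values, so a customer who checks the path
to the root also checks that the deposits add up. The hash layout is this example's."""
import hashlib


def h(*parts) -> bytes:
    m = hashlib.sha256()
    for part in parts:
        m.update(part if isinstance(part, bytes) else str(part).encode())
        m.update(b"\x00")  # delimiter, so concatenated fields cannot be re-split
    return m.digest()


def leaf(user_id: str, amount: int) -> tuple:
    if amount < 0:
        raise ValueError("negative deposit")
    return h("leaf", user_id, amount), amount


def parent(left: tuple, right: tuple) -> tuple:
    return h("node", left[0], left[1], right[0], right[1]), left[1] + right[1]


EMPTY = (h("empty"), 0)  # zero-value padding node, so an odd level never double counts


def _pad(level: list) -> list:
    return level + [EMPTY] if len(level) % 2 else level


def build_tree(accounts: list) -> list:
    """accounts: list of (user_id, deposit). Returns the levels, leaves first, root last."""
    level = [leaf(u, a) for u, a in accounts]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [parent(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def inclusion_proof(levels: list, index: int) -> list:
    """Sibling (hash, value, sibling_is_left) at each level from the leaf up to the root."""
    proof = []
    for level in levels[:-1]:
        level = _pad(level)
        sib = index ^ 1
        proof.append((level[sib][0], level[sib][1], sib < index))
        index //= 2
    return proof


def verify_inclusion(published_root: tuple, user_id: str, amount: int, proof: list) -> bool:
    """The customer's side: recomputing each parent from its children enforces
    'hash pointers consistent' and 'value is the sum of the two beneath'; the final
    comparison is 'root hash and root value match what the exchange signed'."""
    if amount < 0:                                    # no negative numbers
        return False
    node = leaf(user_id, amount)                      # leaf holds the correct account info
    for sib_hash, sib_value, sib_is_left in proof:
        if sib_value < 0:
            return False
        sibling = (sib_hash, sib_value)
        node = parent(sibling, node) if sib_is_left else parent(node, sibling)
    return node == published_root
```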
• Payment services
• How does a merchant accept payments in bitcoins in a practical way?
• Challenges
• New technology may affect their business
• Additional cost incurred to include the bitcoin in their business
• Security risks
• Exchange rate risks
• Solution
• Payment services exist to allow both the customer and the merchant to get what they want, bridging the gap
between these different desires.
• The merchant goes to payment service website and fills out a form describing the item, price, and
presentation of the payment widget, and so on.
• The payment service generates HTML code that the merchant can drop into their website.
• When the customer clicks the payment button, various things happen in the background and eventually
the merchant gets a confirmation saying, “a payment was made by customer ID [customer-id] for item
[item-id] in amount [value].”
[Figure: Payment process involving user, merchant and payment service]
• Transaction fee
• Transaction fee = value of inputs - value of outputs
• fee goes to miner who records the transaction
• Costs resources for
• peers to relay your transaction
• miner to record your transaction
• Transaction fee compensates for (some of) these costs
• Generally, higher fee means transaction will be forwarded and recorded faster.
• Current default-transaction fee
• No fee is charged if a transaction meets all of these three conditions
• The transaction is less than 1000 bytes in size,
• All outputs are 0.01 BTC or larger
• Priority is large enough where Priority is defined as: (sum of input age * input value) / (transaction size)
• Otherwise
• Transaction fee is 0.0001 BTC per 1000 bytes
• The approximate size of a transaction is
• 148 bytes for each input plus, 34 bytes for each output and 10 bytes for other information.
• So a transaction with two inputs and two outputs would be about 400 bytes
• Most miners enforce the consensus fee structure.
• If you don’t pay the consensus fee, your transaction will take longer to be
recorded.
• Miners prioritize transactions based on fees and the priority formula.
• Currency Exchange Markets
• Currency exchanges trade bitcoins against fiat currency like dollars and euros.
• Basic market dynamics
• market matches buyer and seller
• large, liquid market reaches a consensus price
• price set by supply (of BTC) and demand (for BTC)
• Supply of Bitcoin
• supply = coins in circulation (+ demand deposits?)
• coins in circulation: fixed number, currently ~13.1 million
• When to include demand deposits?
• When they can actually be sold in the market.
• Demand of Bitcoin
• BTC demanded to mediate fiat-currency transactions
• Alice buys BTC for $
• Alice sends BTC to Bob
• Bob sells BTC for $
• BTC demanded as an investment
• if the market thinks demand will go up in future
Simple model of transaction-demand

T = total transaction value mediated via BTC ($ / sec)
D = duration that BTC is needed by a transaction (sec)
S = supply of BTC (not including BTC held as long-term investments)
P = price of BTC ($ / BTC)

S / D = bitcoins that become available per second
T / P = bitcoins needed per second

Equilibrium: S / D = T / P, hence P = T·D / S
