Bitcoin and Game theory

A brief overview on the linkage

Dhandabani S

Department of Management Studies

IIT Madras Chennai

vigneshsrinivasan10@gmail.com
 Background

Background: Currencies

Alice Bob

Carol David

Origin: Barter system

Coordination became an issue. What if Alice needs a car?

Cycle Books
Alice Bob XYZ
Car Car
 Background

Background: Money

Many ine ciencies in the barter system: value of good, impossible to spend later

Intermediate entities or Medium of exchange: Money

“Why do I believe in the cowry shell or gold coin or dollar bill?”

King-signed paper notes or coins enforced the trust

First coins in history
King Alyattes of Lydia in 640 BC
Banks — Centralised regulatory bodies; Fiat currencies

Cash Time of payment Credit

Neither system is clearly superior

ffi

 Background

Background: Digital cash

O line
Anonymity Can’t Double spend Unforgeable signature
transaction
Advantages of Cash

IDEA: “The bearer of this note may redeem it for one dollar by presenting it to me” with my signature attached

Less Online
Can Double spend Can forge signatures
anonymous transaction

Initial ideas to address these issues came from David Chaum through Cryptography in 1983

Digicash in 1989 - Chaum

Anonymity and Double spend: Blind signatures through Cryptography
Instead of preventing double spend, Digicash detected double spend
Money cannot be split without interference of banks and only user-to-merchants transactions
ff

 Background

Background: Cryptocurrency

Minting money out of thin air: Digital cash to dollar value

What makes the gold to acquire its value?

Scarcity — It is the reason why gold and diamonds are used as backing for money

How can be the cryptocurrencies made scarce? Solving a puzzle that takes while to crack to mint money

Cynthia Dwork, Mini Naor in 1992 — Puzzle to reduce email spams

Bitcoin is a cryptocurrency that has advantages barring ONLINE TRANSACTIONS with puzzles to mint money

Anonymity Scarce Can’t Double spend Unforgeable signature

 Background

Background: Blockchain

A distributed ledger that records the details of the transactions in blocks

Stuart Haber, Scott Stornetta in 1991: Secure timestamping of digital documents

Timestamped
(txn. time)
Immutable Distributed
(irreversible) (shared)
Properties
Unanimous Secure
(uni ied) Anonymous (encrypted)
(hidden ID)

Since information in each block is carried to next block through HASH, one need not worry about previous blocks

Bitcoin uses blockchain at the back-end to record the transactions

f

 Primitives

Cryptocurrencies Primitives: Cryptographic Hash function

Any-sized input Fixed-sized output E iciently computable O(n)

Properties of typical mathematical hash function

Nobody can ind a collision Collision

It is infeasible to ind two values  and  , such that ≠ , ( )≠ ( ) resistance
Cryptographic
hash function

Given the output ( ), one should not ind

Hiding
Use of high min-entropy satisfying probability distribution

If someone wants to target the hash function to have output value Puzzle
given part of input , then its di icult to ind the input in time less than friendliness
𝖧
𝗑
𝗒𝗄𝟤
𝗑
𝗑
𝗑
𝗒
𝗒
𝖧
𝗑
𝖧
𝗒
𝗇
ff
f

ff
f
f

 Primitives

Controlling tampering data using ( )

Hash pointer ( ): To indicate where some information is stored

Blockchain in Bitcoin Tamper-evident log

An adversary cannot tamper any data at any point of time. If she does, subsequent ( )s will change

All we need is to store the head of the chain or the last hash pointer to check for tampering; E cient storage
𝖧
𝖧
𝖧
ffi
 Primitives

Cryptocurrencies Primitives: Digital Signature

Digital analog to the handwritten signature

Signature has to unique; but veri able by anyone Should be tied to intended document; unforgeable

( , ) := ( ) — Generates a public key for a secret key Digital

:= ( , ) — Signs the document under signature
:= ( , , ) — Checks whether the signature is valid scheme

Secret key is kept privately to a user and revelation happens through public key. Public key is your identity

This makes Bitcoin to have Decentralised Identity Management

One need not register or sign up in Bitcoin. You can just create public key as many as you want
Identities are Addresses in Bitcoin jargons

Bitcoin uses Elliptic Curve Digital Signature Algorithm for digital signatures

Size of Secret key: 256 bits Size of Public key: 512 bits
𝗉
𝗌
𝗌
𝗆
𝗌
𝗂
𝗌
𝗌
𝗌
𝗄
𝗂
𝗄
𝗂
𝗄
𝗀
𝖵
𝗀
𝗄
𝖾
𝗌
𝖺
𝗌
𝗉
𝗅
𝗂
𝖺
𝗄
𝖽
𝗀
𝗌
𝖾
𝗂
𝗀
𝗇
𝗏
𝗀
𝗌
𝖾
𝖾
𝗄
𝗋
𝗇
𝗂
𝖿
𝗆
𝖾
𝗒
𝗋
𝖾
𝖺
𝗉
𝗌
𝗍
𝗄
𝖾
𝗌
𝖪
𝖺
𝗆
𝗀
𝖾
𝖾
𝗒
𝖾
𝗌
𝗌
𝗌
𝗄
𝖺
𝖾
𝗀
𝗒
𝖾
𝗌
𝗂
𝗌
𝗓
𝗂
𝖾
𝗀

fi

 Primitives

Unforgeability game

In Bitcoin, ATTACKER cannot forge a signature if the number of guesses is less than 280

No matter what algorithm ATTACKER is using, his chances of forging is extremely small, which will never happen in practice

 Two simple cryptocurrencies

Goofycoin Scroogecoin

Goofy can create coins whenever he wants Append-only ledger to track transactions
Rules
Whoever owns a coin a transfer it to someone else

Involved parties and Scrooge have to sign each transaction

Alice getting coin from Goofy and sending it to Bob

Scrooge can’t create fake transactions, but can ignore transactions
Alice can send the coin to Carol even after sending to Bob
from few nodes demanding some bribe.
since Alice only has to sign
Double spending problem Centralisation problem
𝖢
𝖯
𝖺
𝗋
𝗒
𝖾
𝖺
𝖢
𝗍
𝗈
𝖾
𝗂
𝖢
𝗇
𝗈
𝗌
𝗂
𝗇
𝗌

 Bitcoin Mechanics

How Bitcoin achieves decentralisation?

Distributed consensus — Idea similar to decentralising Scroogecoin

Let there be nodes that have an input value. Some are faulty or malicious. A distributed
consensus protocol has following two properties:
• Must terminate with all honest nodes agreeing on the value
• The output must have been generated by an honest code.

Bitcoin consensus algorithm (simpli ied)

Let there be nodes of which few are faulty or malicious. Each node will hear about few transactions,
and has some pool of outstanding transactions that need to be included in the blockchain.

To come to consensus on a block, at regular intervals (10 minutes) every node proposes its pool to include in next block.

A node is selected at random to propose the block.

The block proposal is sent to all other nodes in the network, and nodes can accept or reject the block.

If accepted, nodes indicate acceptance by updating the hash pointer; otherwise, stick to previous hash pointer
𝗇
𝗇
f

 Bitcoin Mechanics

Incentives for honest behaviour

What if the selected random node is malicious? How can the algorithm select honest nodes?
Can we reward nodes that created the blocks that ended up on the long consensus chain?

Since we don’t know their real identities to pay them in dollars, can we pay them digitally? — BITCOIN

Block reward Transaction fee

Node that creates a block can include a special transaction Block reward gets halved for every 210,000 blocks created

Speculation is that by 2040, block reward

will approach zero
This is the only way to create Bitcoins.

If that happens, how can we incentivise

Node can choose recipient and of course, she will choose one of hers nodes to behave honestly?

How does this incentive ensure honest behaviour?

Because of approval from other nodes to be included in the chain Voluntary; Di erence between input and output value of transaction

In 2015, block reward is 25 bitcoins Dynamics are still unclear and is an open problem
𝖢
𝖳
𝗋
𝗈
𝖺
𝗂
𝗇
𝗇
𝖢
𝗌
𝖺
𝗋
𝖼
𝖾
𝗍
𝖺
𝗂
𝗈
𝗍
𝗂
𝗇
𝗈
𝖿
𝗇
𝖾
𝖳
𝖾
𝗋
𝖺
𝗇
𝗌
𝖺
𝖼
𝗍
𝗂
𝗈
𝗇
ff

 Bitcoin Mechanics

Proof-of-work

Recall that the node selection process is still random. How can we improve the selection? — Proof-of-work

Key idea: Approximate the selection by selecting nodes in proportion to computing power
Bitcoin achieves proof-of-work using hash puzzles — Bitcoin mining

( || || || || . . . || ) < — Typical hash puzzle. Finding

A completely decentralised system is possible with appropriate hash puzzles and proof-of-work.

1
Properties of hash

Di icult to compute In 2015, size of the target space is less than of the size of output space
1020
puzzles

Trivial to verify A simple property, yet the important property that takes central authority out of context

Parameterizable
Instead of having xed cost for computing, cost has to be function of parameters
cost
𝖧
𝗇
𝗈
𝗇
𝗇
𝖼
𝗈
𝖾
𝗇
𝖼
𝖾
𝗉
𝗋
𝖾
𝗏
𝗁
𝖺
𝗌
𝗁
𝗍
𝗑
𝗍
𝗑
𝗍
𝗑
𝗍
𝖺
𝗋
𝗀
𝖾
𝗍
ff
fi

 Bitcoin Mechanics

Parameterizable cost

Suppose you are a miner and invested in hardware to do Bitcoin mining. With time, overall mining ecosystem is growing and
more miners are deploying faster hardware, which results in creation of more blocks than expected.

If blocks come very close together, ine ciencies arise and optimisation bene ts will be lost.
Hence, keeping 10 minutes as constant, miners recalculate the size of target space for every 2016 blocks (once in two weeks)

This recalculation assures that the cost is not xed and depends on parameters

If you are miner, you are interested in how long will it take you to ind a block
Solving a hash puzzle is probabilistic: falls within target or not — Bernoulli trial

Nodes try many nonces, a discrete probability process, resulting in Poisson process
10 minutes
mean time to next block for a miner =
fraction of hash power

If you have 0.1% of total hash power, you are going to nd blocks once every
10,000 minutes, which is about a week
𝗇
𝗈
𝗇
𝖼
𝖾
ffi
fi
fi
f

fi

 Game Theory

Double spend attack

Anonymity Scarce Can’t Double spend Unforgeable signature

Public key Hash puzzles ?? Secret key

Each transaction contains a signature, recipient’s public key and a hash to previous transaction of sender.

Alice pays Bob through his public key using the hash pointer (). Her updated pointer is ()
Now, Alice pays Carol through his public key using the hash pointer () instead of (), starting a double spending attack

Hypothetically, let’s assume that these two transactions are broadcast to two non-overlapping networks

Two di erent networks approve this attack since they don’t know that Alice has doubly spent

There will be two consensus chains that di er only in the last block. How can the Bitcoin prevent double spend attack?

Miners heuristically extend the block that they detect rst on peer-to-peer network. Hence, only one of the chains is built on further.
It is possible that the chain that has Carol’s transaction is extended. But the other chain is orphaned.

If Bob and Carol are merchants and they need to provide Alice some service, either one can wait for six con rmations
Good trade-o between waiting time and transaction guarantee
𝟣
𝟤
𝟣
𝟤
𝖧
𝖧
𝖧
𝖧
ff
ff
ff
fi
fi

 Game Theory

51 percent attack

Let there be an attacker who holds 51% of the mining power. Can he distort the Bitcoin mechanics?

1. Can 51% attacker steal bitcoins?

No. Because the signatures are unforgeable and is private

2. Can 51% attacker suppress transactions?

Let’s say 51% attacker does not like Alice. He can suppress transactions, i.e., reject blocks that contain Alice’s transactions. But he can’t
prevent the Alice’s transactions from being broadcast to other peers. As a result, some honest will approve Alice’s transactions.

3. Can 51% attacker change block reward?

Since he doesn’t control the entire network, he cannot change the block reward. Honest nodes will recognise the attack

4. Can 51% attacker destroy con idence in Bitcoin?

Let’s assume he creates a lot of double spend attacks and succeeds. People lose con dence in the Bitcoin and exchange rate would plummet.
From a nancial point of view, cost incurred to attain 51% power is substantial and any rational attacker will not do that.
𝗌
𝗄
fi
f
fi

 Game Theory

Way forward: Miners

Currently, because of challenges like good hardware to mine and hoping for good luck to extend, miners are not strategic.

Miners can make strategic decisions to allot their mining time optimally.

Which transactions to include

Which block to mine on

When to announce new blocks

Choosing between blocks at same

height

There is no complete model that con rms that default mining strategy is optimal

Where most miners choose the default strategy rather than strategising, Bitcoin seem to work well
fi

 Game Theory

Mining pools

Since the variance of nding new blocks is high, miners can aggregate and form a pool while mining

Mining pools rst started around 2010.

Because of incentive di erences, miners switch between pools.

June 2014 August 2014 April 2015

Mining strategy is an area in which practice is ahead of theory

Founder of Bitcoin is a mystery. He/She/They has/have proposed the idea using the name “SATOSHI NAKAMOTO”
fi
fi
ff

Thank you..!