Averting the tragedy of the Blockchain


Raphael Voellmy

December 1, 2013

Abstract

Bitcoin is the protocol of a decentralized, virtual payment system. The Bitcoin protocol is the first successful attempt at creating an independent payment system that enables participants to send value in a purely peer-to-peer fashion, without requiring trust in an intermediary institution such as a bank or payment processor. The core of the Bitcoin protocol is a synchronized, distributed database that is extremely difficult and costly to tamper with. An important part of Bitcoin is its incentive system, which rewards participants for being honest. This paper aims to explain what Bitcoin is, investigates its strengths and weaknesses, and examines different solutions to the low difficulty equilibrium threat which may ensue after the removal of the blocksize limit, a specific parameter in the Bitcoin protocol.

1 Introduction

While there are many different virtual currencies with different rules, usages and valuations, this paper’s focus lies exclusively on Bitcoin. The European Central Bank defines a virtual currency as follows: “A virtual currency is a type of unregulated, digital money, which is issued and usually controlled by its developers, and used and accepted among the members of a specific virtual community” (European Central Bank, 2012). This definition holds true for most virtual currencies like World of Warcraft Gold or Facebook Credits, but Bitcoin is not issued by its developers, nor is it accepted exclusively in virtual environments (Bitcoin Wiki, 2013c). This weak definition of virtual currencies by the ECB demonstrates that Bitcoin is a truly new form of money that is very hard to categorize and compare with existing virtual currency schemes.

2 Bitcoin

Bitcoin has gained a lot of attention in the past years. The value of a bitcoin has soared from USD 0.30 in January 2011 to a peak value of USD 1242 in December 2013 (bitcoinwisdom.com, n.d.). With around 12 million bitcoins in existence (bitcoinwatch.com, n.d.) this corresponds to a total market capitalization of more than 6 billion USD. The wild upswing in value has caught the attention of investors, media, regulators and intelligence agencies.

Bitcoin is a payment system that solves many problems of previous attempts at creating a currency for the internet (Simon Barber, 2012). Its concept was published by a pseudonymous developer named “Satoshi Nakamoto”.

Bitcoin allows the transfer of value in a purely peer-to-peer manner, without any intermediary financial institutions. The payment system is composed of a payment protocol for transferring and issuing new units of value, as well as its own currency, denoted as bitcoins¹ or BTC. Bitcoins are not issued by any institution, but are created by a process called mining. The mining process is also responsible for securing the network’s integrity and verifying transactions. As long as no adversary can outpace the Bitcoin network’s total processing power, bitcoins cannot be forged or double-spent (Nakamoto, 2008).

The value of a bitcoin is determined exclusively by supply and demand. There is no actual value backing bitcoins, and there is no institution where a bitcoin can be redeemed in exchange for government currency or a commodity. Still, people are willing to pay more than USD 1000 for a single bitcoin, most importantly because, contrary to government-issued money, the supply of bitcoins has a hard limit of 21 million units, and the number of newly created bitcoins is very predictable.

2.1 How Bitcoin works

Explaining how Bitcoin works is not an easy task. Within the Bitcoin community, the process of understanding the Bitcoin protocol is often referred to as “going down the rabbit hole”. Understanding Bitcoin requires an understanding of different pieces of the protocol, and only if these pieces are individually understood can the system as a whole be understood. Since all pieces of the protocol are interdependent, there is no straightforward way of explaining the protocol as a whole. The core pieces of the Bitcoin protocol - namely transactions, the blockchain, miners, mining difficulty and the generation transaction - will be explained individually in the following chapters.

Before going into details of the Bitcoin protocol, it is important to understand that the Bitcoin system is nothing but a distributed database of monetary transactions. The major achievement of the Bitcoin protocol is its ability to synchronize the database when facing malicious adversaries (Youtube, 2013). Without malicious adversaries, a simple distributed database with records of all transactions would be fully sufficient to implement a peer-to-peer payment system. Many features of the Bitcoin protocol are only in place to secure the system from malicious adversaries.

2.1.1 Transactions

Let us begin with an example: Alice wants to send a bitcoin to Bob. In order to create a valid transaction, Alice needs to provide the following information:

• Input: A reference or multiple references to previously received and unspent transactions. The output value of all referenced transactions is called input value.

• Output script: A script that defines how Bob can redeem the bitcoins. This script usually contains a hash of Bob’s public key, known as Bitcoin address. A Bitcoin transaction can have an arbitrary number of output scripts, so Alice could send bitcoins to Bob and Carol with a single transaction.

• Output value: The output value determines how many bitcoins Bob will receive. If Alice had sent bitcoins to multiple receivers in the same transaction, she would have to specify an output value for each receiver (for every output script).

• Signature: A cryptographic signature of the transaction, signed with Alice’s private key.

¹ By convention, the currency unit is called bitcoin, written in lowercase, while Bitcoin denotes the payment system as a whole.

If the total input values exceed the total output values, the difference is given as a reward for the node that confirms the transaction. Note that Alice does not explicitly specify an input value. The input value is solely derived from the total output value of all referenced input transactions. This means if Alice has received only a single transaction with an output value of 100 bitcoins, she can only create a transaction with an output value of 100 bitcoins. If she wants to send only a single bitcoin to Bob, she will create two outputs, where one output sends 99 bitcoins back to herself. The bitcoins that are sent back to the sender are referred to as change (?). This concept of bitcoin transactions is often misunderstood. Some reporters referred to bitcoins as “a long string of letters and numbers”, while in reality there is no such thing as “a bitcoin”, but only bitcoin transactions. Of course by saying “a bitcoin”, one could also refer to the unit of account, which is an abstraction of bitcoin transactions.

Figure 1: Simplified representation of two Bitcoin transactions, showing inputs and outputs

After encoding the transaction, Alice broadcasts it to her peers. They validate the transaction by checking Alice’s signature, and by checking against their blockchain whether the referenced input transactions are valid. If the transaction is valid, they broadcast the transaction to their peers. This process is repeated until all peers have received and validated Alice’s transaction (Nakamoto, 2008).
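The input, output, change and fee rules of this section can be traced in a toy ledger of unspent outputs. This is an added example, not code from the paper or from any Bitcoin client: the class names, the transaction identifiers and the 10,000-satoshi fee are constructed, and the signature check is replaced by a plain owner comparison.

```python
# Added illustration: toy unspent-output ledger for the Alice/Bob example.
# Amounts are integers in satoshis (1 bitcoin = 10**8 satoshis) so that
# the arithmetic is exact. Signatures are NOT implemented; "signer" stands
# in for a valid signature made with the owner's private key.
from dataclasses import dataclass

COIN = 10**8


@dataclass(frozen=True)
class Output:
    owner: str   # stands in for the hash of the receiver's public key
    value: int   # satoshis


@dataclass(frozen=True)
class Transaction:
    txid: str        # constructed identifier
    inputs: tuple    # references (txid, output_index) to earlier outputs
    outputs: tuple   # Output objects
    signer: str      # stands in for the signature


class Ledger:
    def __init__(self):
        self.unspent = {}  # (txid, index) -> Output

    def credit(self, txid, outputs):
        for index, out in enumerate(outputs):
            self.unspent[(txid, index)] = out

    def apply(self, tx):
        """Validate tx against the unspent set and return the implied fee."""
        if len(set(tx.inputs)) != len(tx.inputs):
            raise ValueError("same input referenced twice")
        input_value = 0
        for ref in tx.inputs:
            prev = self.unspent.get(ref)
            if prev is None:
                raise ValueError(f"input {ref} is unknown or already spent")
            if prev.owner != tx.signer:
                raise ValueError(f"input {ref} does not belong to {tx.signer}")
            # The input value is never stated by the sender; it is derived
            # from the referenced outputs.
            input_value += prev.value
        output_value = sum(out.value for out in tx.outputs)
        if any(out.value <= 0 for out in tx.outputs):
            raise ValueError("output values must be positive")
        if output_value > input_value:
            raise ValueError("outputs exceed the input value")
        for ref in tx.inputs:
            del self.unspent[ref]          # a referenced output is spent whole
        self.credit(tx.txid, tx.outputs)
        return input_value - output_value  # the difference goes to the miner


def demo():
    ledger = Ledger()
    # Alice holds one earlier output worth 100 bitcoins.
    ledger.credit("tx0", (Output("alice", 100 * COIN),))
    # She pays Bob 1 bitcoin and sends the rest back to herself as change,
    # leaving 10,000 satoshis unassigned as the fee.
    pay_bob = Transaction(
        "tx1",
        (("tx0", 0),),
        (Output("bob", 1 * COIN), Output("alice", 99 * COIN - 10_000)),
        signer="alice",
    )
    fee = ledger.apply(pay_bob)
    # Referencing the same output a second time must be rejected.
    try:
        ledger.apply(
            Transaction("tx2", (("tx0", 0),), (Output("carol", 100 * COIN),), "alice")
        )
        second_spend = "accepted"
    except ValueError as exc:
        second_spend = str(exc)
    return fee, ledger.unspent, second_spend


if __name__ == "__main__":
    fee, unspent, second_spend = demo()
    print("fee:", fee)
    print("unspent:", unspent)
    print("second spend:", second_spend)
```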

2.1.2 The Blockchain

The blockchain is a special kind of distributed database. It is a log of every transaction that ever took place in the Bitcoin system. All information stored in the blockchain is publicly available, and is automatically downloaded from other peers when setting up the reference client¹. Nodes in the Bitcoin network use the blockchain to verify transactions. Since every transaction that ever took place is recorded in it, every node can verify if any Bitcoin address has sufficient funds to issue a certain transaction.

The blockchain consists of many blocks that are linked together. The first block in the chain is called genesis block and was created manually by Satoshi Nakamoto. On average, every 10 minutes the blockchain is extended by one block. Each honest node in the Bitcoin network always considers the longest chain of verified blocks as the valid one. Among other things, a block contains the following data²:

¹ There are many different implementations of the protocol, and not all of them download the complete blockchain. The “original” implementation of the Bitcoin protocol is called “reference client” or “Bitcoin-QT”.

² Only the data that is crucial to understand the Bitcoin protocol is listed here.

• Transactions: Most importantly, a block contains a list of transactions. Every block contains at least one transaction. There is an upper limit of transactions of a total of one megabyte. With an average transaction size of half a kilobyte (Bitcoin Wiki, 2013d), about 2000 transactions can be stored in a block. The first transaction in the block is called coinbase transaction, generation transaction or block reward. It is a special transaction with no inputs, going to the miner that created the block.

• Hash of previous block header: The hash of the previous block effectively links a block to its predecessor, creating a chain, hence the name blockchain.

• Target: The target is an important value in regard to the generation of new blocks. It is calculated deterministically based on creation times of previous blocks. The target will be explained in detail in section 2.1.3.

• Nonce: The nonce is an integer that fulfills the following condition: When concatenated with the hash of the block header and then hashed twice with the SHA-256 algorithm, the resulting number is smaller than the given target. The target will be explained in detail in section 2.1.3.

• Block Hash: Every block contains a hash of its header. The block header consists of a Merkle tree hash of all its transactions, the hash of the previous block header, the nonce, the target, the protocol version and a timestamp. The block hash acts as the input of the computational puzzle that miners have to solve, which will be explained in section 2.1.3.

Figure 2: Simplified representation of three consecutive blocks

(Nakamoto, 2008)

2.1.3 Miners

Every node in the Bitcoin network may choose to be a miner. Miners are responsible for issuing new coins, as well as confirming transactions. For every transaction a miner confirms, the miner may keep the transaction fee. The fee is important, as it encourages miners to use their processing power to verify transactions (Nakamoto, 2008).

Verifying transactions only takes a fraction of a second. Most of the time a miner is busy finding a solution to a computational problem that is extremely difficult to solve, but easy to verify. To be specific, a Bitcoin miner tries to find x, where d is a given target and h is the block header - which is given by the previous block hash, the Merkle tree root of the transactions in the block and some metadata - so that the following inequality holds true:

$$d \geq \mathrm{sha}(\mathrm{sha}(h, x))$$

Since there is no known way of inverting the SHA-256 hashing function in polynomial time, the most efficient known way to solve the inequality is to try as many x as necessary until it holds true (brute forcing). At the time of writing, the probability of finding a solution on the first attempt is less than $3.29 \times 10^{-19}$, therefore it requires more than $3.03 \times 10^{18}$ (3.03 quintillion) attempts to solve the inequality on average. With one of the most powerful CPUs currently on the market³, it would take roughly 1460 years to find a solution (Bitcoin Wiki, 2013b). Verifying a solution takes only a fraction of a second.

Miners are willing to invest such a vast amount of computational resources, because they are rewarded for a solution. Only by finding a valid solution, a miner is allowed to create a new block and append it to the existing blockchain. Creating a new block is what all miners are striving for. First, because the miner that creates a block is allowed to include a generation transaction in the new block, a transaction with no inputs to the miner’s own Bitcoin address, effectively creating new bitcoins. Second, because a miner may collect the transaction fees of all transactions included in the block. After creating the new block, with all transactions the miner wishes to include, it is broadcast to all peers. The other miners that received the block verify the solution and all transactions in the block. If the block was created according to the Bitcoin protocol - containing a correct solution, a valid generation transaction and no double-spending transactions - they accept it and add it to their blockchain. The transactions in this newly created block are now confirmed once. The miners that received the new block are now working on a new computational puzzle, with the hash of the newly received block in the header (Nakamoto, 2008).

This concept of solving computational puzzles is what makes Bitcoin possible. Only with a valid solution to the computational puzzle is a node allowed to verify transactions. A valid solution can only be found if a vast amount of computational resources was invested. This concept is called proof-of-work. If the Bitcoin protocol was designed in a way that a majority of nodes decides whether or not a transaction is valid, an attacker could simply create a large number of malicious nodes, all of them voting in his favor. With proof-of-work this is not possible, unless an attacker has a vast amount of computational power at hand.

Since Bitcoin is a globally distributed system, it is not unusual that two miners in different locations find a solution at roughly the same time. The nodes in the network then consider the block they received first as the valid one. In this scenario, there are now two different blockchains, both with a different last block. This situation is resolved as soon as a new block is found, extending either one of the two existing blockchains. As stated in section 2.1.2, the longest blockchain is always considered to be the valid one, which means the block at the end of the now shorter blockchain is discarded, making it a so-called orphan block.

All transactions in the orphan block are considered invalid, including the generation transaction, but usually all transactions in it are also contained in the other branch, except for the generation transaction. Since the branch of the blockchain that a majority of processing power is working on will ultimately always be the longest, mining can be seen as a way to vote on the validity of a blockchain. As long as 51% of miners are honest, an attacker has no way of tampering with the blockchain (Nakamoto, 2008).

³ Xeon E5-2690, retail price more than USD 2000

Figure 3: Simplified representation of the blockchain: The black blocks are considered valid, the purple blocks are orphaned, the green block is the genesis block.

2.1.4 Mining difficulty

The difficulty is a measure of how difficult it is to find a new block. The difficulty is calculated by dividing the largest allowed target ($4.5 \times 10^{15}$) by the current target d (Bitcoin Wiki, 2013a).

The difficulty is adjusted every 2016 blocks, and depends on the past processing power of the Bitcoin network. It is calculated in a way that, assuming the processing power of the next 2016 blocks corresponds to the arithmetic mean of the past 2016 blocks, it takes exactly two weeks to generate the next 2016 blocks (Github, n.d.). The bi-weekly target adjustment is a crucial property of the Bitcoin system. It ensures that bitcoins are created in an almost linear way. Almost linear because the amount of newly created bitcoins varies slightly, depending on the growth or decrease of the total processing power, since the difficulty is calculated from the arithmetic mean of the creation time of the past 2016 blocks².
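The puzzle from section 2.1.3 and the difficulty rule above fit together as follows. This is an added example, not code from the paper or the reference client: the header bytes, the 8-byte nonce encoding, the big-endian reading of the hash and the toy `MAX_TARGET` are assumptions chosen so that a solution is found in well under a second.

```python
# Added illustration: brute-force search for x with d >= sha(sha(h, x)),
# one-hash verification, and the difficulty / retarget arithmetic.
import hashlib

MAX_TARGET = 1 << 244           # toy "largest allowed target" (assumption)
RETARGET_BLOCKS = 2016          # adjustment interval from the text
TWO_WEEKS = 14 * 24 * 60 * 60   # intended duration of one interval, seconds


def pow_hash(header: bytes, nonce: int) -> int:
    """Double SHA-256 over header and nonce, read as a 256-bit integer."""
    data = header + nonce.to_bytes(8, "little")
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    return int.from_bytes(digest, "big")


def verify(header: bytes, nonce: int, target: int) -> bool:
    """Checking a claimed solution costs a single double hash."""
    return target >= pow_hash(header, nonce)


def mine(header: bytes, target: int, max_attempts: int = 5_000_000):
    """Try nonces in order; return (nonce, attempts) for the first solution."""
    for nonce in range(max_attempts):
        if verify(header, nonce, target):
            return nonce, nonce + 1
    raise RuntimeError("no solution within max_attempts")


def success_probability(target: int) -> float:
    """Chance that one attempt lands at or below the target."""
    return (target + 1) / 2**256


def expected_attempts(target: int) -> float:
    return 2**256 / (target + 1)


def difficulty(target: int) -> float:
    """Largest allowed target divided by the current target."""
    return MAX_TARGET / target


def retarget(old_target: int, seconds_for_last_interval: int) -> int:
    """Scale the target so the next 2016 blocks take two weeks at the
    processing power observed over the last 2016 blocks."""
    new_target = old_target * seconds_for_last_interval // TWO_WEEKS
    return min(new_target, MAX_TARGET)   # never easier than difficulty 1


def demo():
    header = b"prev-hash|merkle-root|metadata"   # constructed header bytes
    target = MAX_TARGET >> 4                      # difficulty 16
    nonce, attempts = mine(header, target)
    # If the last 2016 blocks arrived in one week instead of two, the
    # processing power has doubled: the target halves, difficulty doubles.
    faster = retarget(target, TWO_WEEKS // 2)
    return {
        "nonce": nonce,
        "attempts": attempts,
        "expected_attempts": expected_attempts(target),
        "valid": verify(header, nonce, target),
        "difficulty_before": difficulty(target),
        "difficulty_after": difficulty(faster),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gap between `attempts` and the single hash in `verify` is the asymmetry the text describes; at the real network target the same loop is what takes a CPU centuries.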

2.1.5 Generation Transaction

As mentioned earlier, the generation transaction is the first transaction in a block, and does not have an input transaction. Generation transactions are responsible for distributing newly created bitcoins. Furthermore, they are currently the main incentive for contributing processing power to the Bitcoin network.

The output value of the generation transaction currently amounts to 25 bitcoins. According to the protocol, it is halved every 210’000 blocks, roughly every 4 years. The last fraction of a bitcoin will be created around the year 2140. The total amount of bitcoins will never exceed 21 million units (Bitcoin Wiki, 2013e).

2.2 Why Bitcoin is successful

Despite three decades of research on e-cash, no other virtual currency took off as rapidly as Bitcoin did. Apart from enabling sending value over the internet within seconds for a negligible transaction fee, the reason for Bitcoin’s success lies in its core properties:

• No central point of trust: In the Bitcoin system there is no single entity that has control over transactions and balances. Bitcoin is governed by thousands of computers; the validity of transactions is determined by a vote of the majority.

• Incentives and economic system: The Bitcoin system is designed in a way that it incentivizes participation, and that early investors are rewarded the most:

– The process of mining ensures that bitcoins cannot be double-spent and that only valid transactions are accepted. Miners are rewarded for their work with newly created bitcoins.

– By validating transactions, miners can claim transaction fees.

– The mining reward can only be claimed if a majority of other miners agree that all confirmed transactions are indeed valid.

– The amount of newly created bitcoins decreases over time, which incentivizes participants to get in the game as early as possible.

• Predictable money supply: The supply of newly created bitcoins is independent from the number of miners and the total processing power. Therefore, the fewer miners are competing against each other, the more bitcoins are shared among the participants; again a strong incentive to get in the game as early as possible.

• Divisibility and fungibility: Bitcoins can be divided almost indefinitely. The smallest allowed amount that can be sent is currently $10^{-8}$ bitcoins. The Bitcoin protocol can be adapted to support even smaller denominations.

• Scripting: Every transaction contains a script that defines how bitcoins can be sent or claimed by the payer or payee. The scripting feature is not fully utilized; so far only standard transactions are accepted by the reference client. But the infrastructure to realize more advanced transactions is in place, and ready to be “switched on”. Scripting allows advanced payment mechanisms, such as M-of-N transactions, dominant assurance contracts, escrow and dispute mediation and many more (?).

• Transaction irreversibility: Bitcoin transactions quickly become irreversible. This effectively eliminates the possibility of a charge-back. Consequently, a merchant can accept payments from anyone, anywhere without worrying about charge-back. Hence, a merchant can offer cheaper prices, because no charge-backs have to be compensated.

• Readily available implementations: A bitcoin user can choose from many different implementations, desktop implementations as well as mobile implementations. The Bitcoin community is very active in improving existing and developing new software solutions around the virtual currency.

(Simon Barber, 2012)

² In reality, the amount of newly created bitcoins varies slightly, depending on the growth or decrease of the total processing power, since the difficulty is calculated from the arithmetic mean of the past 2016 blocks.

3 Vulnerabilities, Weaknesses and Threats

Before examining vulnerabilities and weaknesses of Bitcoin, it is worth mentioning that only purely technical problems are addressed. Political or economic problems, such as the discussion whether a deflationary currency can ever gain mass adoption, or whether Bitcoin’s anonymity will lead to its prohibition, are out of the scope of this paper.

3.1 51% Attacks

Bitcoin’s most apparent threat is the so-called 51% attack. With 51% of the network’s total processing power, an attacker can double-spend bitcoins, reverse transactions or even block all transactions.

As stated earlier, the Bitcoin network relies on a vote of the majority on which transactions are considered valid. It is important to note that a 51% attack could not create new bitcoins out of thin air or change the rules of the Bitcoin network in any way. For instance, if a 51% attacker tried increasing the output amount of a generation transaction, or spending bitcoins that are not in his possession, all honest nodes would reject that block, and carry on as usual. This would result in the splitting of the blockchain, creating an honest and a malicious branch. It goes without saying that every rational Bitcoin user would ignore the malicious branch, even if it was the longest branch, and the attacker’s spending on processing power would be wasted. Therefore, every miner has a strong incentive to play according to the rules of the protocol.

An attacker who has the ability to outperform the total processing power of Bitcoin’s network could have a devastating impact on the usability of the system. Such an attack is unlikely to take place, because bitcoin’s value would drop significantly if an attacker succeeded in performing such an attack, and outperforming the Bitcoin network’s processing power is costly. Any rational player would be better off by using the processing power to contribute to the network rather than trying to undermine it (Joshua Kroll, 2013).

3.1.1 Double spend attack

Example: Alice sent 0.01 bitcoins to Bob. The transaction was included in block $B_{-6}$, with block $B_0$ denoting the newest block known to the network, and $B_{-1}$ the block before that, and so on. Bob is now sure that the bitcoins are now in his possession, and gives Alice a pizza in exchange. What he doesn’t know is that Alice is in possession of an enormous bitcoin mining rig that computes more hashes per second than the entire Bitcoin network combined. As soon as she received the pizza, she starts working on a new branch of the blockchain, starting from block $B_{-7}$, and does not include Bob’s transaction. Since Alice’s mining rig outperforms the entire rest of the Bitcoin network’s processing power, her malicious chain will eventually surpass the generally accepted one, effectively changing what was considered true by all participants before. Since her malicious blockchain does not include the transaction to Bob, the bitcoin is now back in her possession.

Note that performing a double-spend attack does not require 51% of the total processing power. It can already be achieved with a smaller share of processing power, but the probability of succeeding shrinks with a smaller share (Rosenfeld, 2012).

3.1.2 History attack

Changing the past transaction log is also called history attack. The further in the past a transaction was recorded in the block chain, the more difficult it is to perform a history attack on it.

But even if an attacker was in possession of a vast amount of processing power, it still would not be feasible to conduct a history attack, due to so-called checkpoints. Checkpoints are hashes of blocks that are hardcoded in the reference client’s code, and any past transaction log that results in a different hash is considered invalid. Checkpoints are included in the code by the Bitcoin developers manually. Some critics hold the view that if a group of people is allowed to set checkpoints for past transactions, the entire proof-of-work is obsolete, and all energy that is required for the system could be spared (Laurie, 2011).

3.1.3 Blocking attack

The most devastating of all 51% attacks is the blocking attack. A miner that controls 51% could essentially “block” every transaction that is broadcast. The attacker can achieve this by not including any transaction in the blocks he creates, and ignoring all other blocks that are broadcast by other miners. Since the attacker’s chain will always outperform other chains, all nodes in the network consider the attacker’s empty chain as the valid one.

3.2 Forwarding Problem

Another problem of Bitcoin lies in the broadcasting of transactions. Since a miner that finds a block can keep the transaction fees of all transactions included in the block as a reward, there is an incentive not to broadcast transactions. A miner can only include a transaction in a block if he knows about the transaction. By not broadcasting a transaction, a miner can reduce the competition and thereby increase its chances of including the transaction in a block itself. This incentive problem could be solved by changing the rules of the Bitcoin protocol so that the nodes that forward a transaction are also rewarded with part of the transaction fee. Nodes would then have an incentive to forward as many transactions as possible (Moshe Babaioff, 2012).

3.3 Incentive not to include transactions in a block

It may sound paradoxical, but in the current system there is an incentive not to include transactions in a block. Even though a miner is rewarded with all transaction fees of validated transactions, his expected return can be optimized by broadcasting empty blocks. The reason lies in the propagation time of blocks. A miner has an incentive to broadcast a newly created block to as many nodes as possible, because as soon as a miner receives a block, it starts working on it. As explained earlier, it is possible that two blocks are found at roughly the same time. Miners will try to extend the block they received first. The more miners are working on a specific block, the more likely this block is to become the generally accepted one. With every transaction a block’s size increases slightly, and the smaller the block is, the faster it propagates. Since the transaction fees are currently negligible compared to the block reward, a rational player can maximize its profits by broadcasting empty blocks.

One very large mining corporation that once controlled a large portion of the network’s processing power actually broadcast empty blocks. Whether they did it to maximize their mining return, or for any other reason, is not known.

3.4 Concealed mining strategy

With the current Bitcoin protocol there exists a mining strategy that will ultimately result in the centralization of Bitcoin mining. This selfish mining strategy - let us call it concealed mining strategy - gives mining pools that already control a large portion of the network’s processing power an advantage over honest miners, which will attract other rational miners to mine with the pool that pursues the concealed mining strategy. With more miners joining the pool that pursues the concealed mining strategy, the strategy gets even more effective. The exact share of the network’s processing power that is required to gain an advantage over honest miners depends on the number of miners that are mining on the concealed mining strategy pool, but even if the pool consists of only one miner, no more than $\frac{1}{3}$ of the network’s processing power is required to gain an advantage over honest miners.

The concealed mining strategy works as follows: Whenever the concealed mining pool finds a block, it doesn’t publish it to other miners, but keeps it secret. It then continues to mine on the secret branch, as long as it is at least one block ahead of the publicly known blockchain. If the publicly known blockchain catches up to the private blockchain, the concealed miner instantly publishes its previously concealed block. In that case the blockchain is split, with some miners mining on the previously concealed block. Depending on the next found block, the previously concealed block will either be discarded or kept in the blockchain. In this case the concealed miner has a slight disadvantage over the honest miners, because it can be assumed that a smaller fraction of all bitcoin miners are mining on the previously concealed block, since miners always work on the block they received first. But let us assume now that the mining pool pursuing the concealed mining strategy found another block, with the preceding block being a concealed block. In that case, the malicious miner has the ability to publish his privately known blockchain at any time, rendering the publicly known blockchain useless. In other words, all honest miners are wasting their processing power on a blockchain that can be invalidated by the concealed miner at any time. The concealed miner will publish its concealed blockchain the moment when honest miners are exactly one block behind the concealed blockchain.

As mentioned before, the success of the concealed mining strategy depends on the connectivity of the pool to other miners. In the theoretical case that all miners will always discard blocks from honest pools in favor of the concealed mining strategy pool’s blocks, the pool’s expected profit, proportional to its share of the network’s processing power, will always exceed honest miners’ expected profit-hashrate-ratio. In another abstract scenario where honest miners never try to extend the concealed mining pool’s blockchains, the pool’s hashrate-profit-ratio still exceeds honest miners’ ratio if the pool controls more than 1/3 of the network’s processing power.

According to Ittay Eyal (2013) this problem can be alleviated with a simple change in the Bitcoin clients. Currently, miners always work on the first block they received. Any block that is received at a later point in time, at the same position in the blockchain as the previously received block, will be ignored. By performing a Sybil attack on the network, the concealed mining pool might be able to publish the previously concealed block to a larger portion of the network, even though the block was published later than the block of the honest miners. This will result in a higher probability of the previously concealed blockchain being extended. This problem could be solved by letting the miners choose randomly which blockchain to extend in case they know of more than one blockchain of the same length. With this change in the Bitcoin protocol, there would be a threshold of 1/4 of the network’s processing power that a concealed mining pool needed to control in order to exceed honest miners’ expected hashrate-profit-ratio (Ittay Eyal, 2013). One potential problem with this solution is that miners might maximize their profit by always mining on the block they first received, as this block was probably propagated first, and therefore the probability that this blockchain will be extended is slightly higher.
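The 1/3 and 1/4 thresholds above can be checked with a small Monte Carlo model of the concealed mining state machine. This is an added example, not code from the paper: it follows the revenue accounting of the cited Eyal and Sirer model, and `alpha` (the pool's share of processing power), `gamma` (the fraction of honest miners that extend the pool's block in a tie) and all function names are assumptions of this sketch.

```python
import random

def break_even(gamma):
    """Closed-form profitability threshold from the cited Eyal and Sirer paper."""
    return (1 - gamma) / (3 - 2 * gamma)

def pool_share(alpha, gamma, events=300_000, seed=1):
    """Simulate block discoveries and return the pool's share of main-chain blocks.

    An honest pool would earn exactly `alpha`; a larger return value means the
    concealed strategy pays more than honest mining at this alpha and gamma.
    """
    rng = random.Random(seed)
    lead = 0        # how many blocks the private branch is ahead
    race = False    # True while two branches of equal length compete
    pool = honest = 0
    for _ in range(events):
        pool_found = rng.random() < alpha
        if race:
            if pool_found:                 # pool extends its own branch and wins both
                pool += 2
            elif rng.random() < gamma:     # honest miner extends the pool's block
                pool += 1
                honest += 1
            else:                          # honest branch wins, pool's block is discarded
                honest += 2
            race = False
        elif pool_found:
            lead += 1                      # keep the new block concealed
        elif lead == 0:
            honest += 1                    # nothing concealed, honest block stands
        elif lead == 1:
            race, lead = True, 0           # public chain caught up: publish, race starts
        elif lead == 2:
            pool, lead = pool + 2, 0       # honest miners one block behind: publish all
        else:
            pool, lead = pool + 1, lead - 1  # long lead: one concealed block is settled
    return pool / (pool + honest)

if __name__ == "__main__":
    for gamma in (0.0, 0.5, 1.0):
        print(f"gamma={gamma}: break-even alpha = {break_even(gamma):.3f}")
        for alpha in (0.10, 0.20, 0.30, 0.40):
            share = pool_share(alpha, gamma)
            print(f"  alpha={alpha:.2f} share={share:.3f} gain={share - alpha:+.3f}")
```

With first-seen tie-breaking and a poorly connected pool (`gamma` = 0) the gain turns positive only above 1/3; with random tie-breaking (`gamma` = 1/2) it turns positive above 1/4, which is why monitoring pool size against that lower bound still matters after the client change.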


4 Tragedy of the Blockchain

One particular aspect of the Bitcoin protocol has been discussed widely in the Bitcoin community and has divided its members into two groups: whether or not to increase the current blocksize limit. In this chapter, we will examine the problem - which, according to some key members of the Bitcoin community does not exist - and introduce a few feasible solutions.

4.1 Mining equilibrium and cost of 51% attack

Before discussing the blocksize issue, we will establish a model of Bitcoin mining and show that if miners act rationally, the network’s processing power, and therefore the mining difficulty, is proportional to the total of the miners’ revenue (Joshua Kroll, 2013).

Let $V_h$ be the expected return of computing a single hash and let $c_{h,i}$ be the cost to miner $i$ of computing a single hash. The expected profit per hash $u_{h,i}$ for a miner $i$ is then:

$$u_{h,i} = V_h - c_{h,i}$$

This means that a miner $i$ will generate a profit $u(t)$ of the hashrate $h_{i,t}$ times the profit per hash $u_{h,i} = V_h - c_{h,i}$, accumulated over time $t$:

$$u(t) = t \cdot h_{i,t} (V_h - c_{h,i})$$

As long as $u'(t)$ is positive, a rational miner will continue to mine. The cost of computing a hash arises from the energy that is used by the mining hardware to compute a hash. Since an improved efficiency of generating a hash has a direct impact on a miner’s profit, there is a constant arms race of owning the most efficient Bitcoin mining hardware, as currently seen with ASIC mining devices.

Now let us look at $V_h$ a little closer. The profit per hash is directly dependent on the hashrates $H$ of the entire network. For simplicity, we assume that bitcoins are created at a strictly constant rate and ignore the slight variance due to decreases and increases of the network’s total processing power. The expected value of a hash then is equal to the block reward $V_b$ plus the transaction fees $V_t$, divided by the total number of hashes that all miners $i$ compute on average until a block is found:

$$V_h = \frac{V_b + V_t}{\sum_i h_i}$$

Let us assume that each miner computes hashes at roughly the same cost $C_h$. This is not entirely true, due to different energy costs in different countries, college students obtaining free energy at their dorms, Russians stealing energy from their neighbors, Scandinavians heating their apartment with GPUs, et cetera, but it’s a good approximation to reality. With this assumption, we see that if the following inequality holds true, new miners will join in, or existing miners extend their Bitcoin mining capabilities:

$$0 < V_h - C_h = \frac{V_b + V_t}{\sum_i h_i} - C_h$$

New miners joining the mining game leads to an increase of the total computed hashrates of the network, so it is easy to see that there is a mining equilibrium where the cost of computing a hash is equal to the total value generated by mining.


Keeping this mining equilibrium in mind, we can now determine the cost of performing a 51% attack on the Bitcoin network. To perform a 51% attack, an adversary needs to outperform the entire network’s processing power over some period of time. Assuming the attacker is not in possession of superior Bitcoin mining hardware, and computes hashes at the same cost as the rest of the network, the cost of performing an attack amounts to the following:

$$h_i > \sum_{-i} h_{-i} = \frac{V_b + V_t}{C_h}$$

Since block rewards will no longer be given to miners in the future, the security of the entire network ultimately relies on the value of the transaction fees $V_t$.

4.2 Blocksize - A key parameter defining Bitcoin’s future

As seen in the previous chapter, the value of transaction fees is essential for Bitcoin’s future. Currently, transaction fees play a rather insignificant role, since they account for only a fraction of the current block reward. In this chapter we will look further into the future, namely the year 2140, when the block reward is close to zero.

If all transactions could be issued for free, there would be no incentive for miners to mine. This would result in an extremely low mining difficulty, making a 50% attack feasible. The Bitcoin protocol does not enforce a transaction fee, it is completely voluntary. The only difference when sending a transaction without a fee is that if a miner that doesn’t include transactions with no fees finds the next block, the transaction will not be verified. So by issuing a transaction without a fee, the sender might wait a little longer for the transaction to be verified than if a fee was included. But in theory, if there is as many as one single miner that does include transactions without a fee, it will eventually be included in a block and therefore be verified.

Let us look at this with our game-theory goggles on. Every miner tries to maximize profit. When a miner verifies a transaction, a check of the cryptographic signature is required, as well as looking into the blockchain to see if the transaction is valid. By doing so, a miner has to pay for the electricity for the required computer cycles, as well as the opportunity cost of spending his processing power on verifying the transaction instead of generating new hashes. A rational miner will not verify a transaction with a transaction fee that is lower than the cost of verifying the transaction. The question is, how much does it cost to verify a transaction? The answer is alarming: According to a back-of-the-envelope calculation of Bitcoin’s lead developer, the cost of verifying a transaction for a miner is about $1.27 \times 10^{-7}$ USD, taking the cost of bandwidth, storage and CPU time into account. This means that any rational miner will verify transactions with a transaction fee that exceeds the equivalent bitcoin value of $1.27 \times 10^{-7}$ USD. Knowing that, any rationally acting participant in the Bitcoin network will not pay a higher transaction fee than that. By each player acting in his own best interest, the common good - namely the blockchain - suffers. A classic case of tragedy of the commons.

So what does all this have to do with the blocksize? As mentioned earlier, the blocksize is a hard coded limit in the Bitcoin protocol that defines the maximum size of a block. Currently the limit is set to 1MB, which allows about 7 transactions per second to be processed. At first, this arbitrary limit looks like a serious drawback to Bitcoin’s scalability, but on second thought, this limit may be the solution to the alarmingly low mining difficulty equilibrium. By limiting the maximum amount of transactions that can be processed, a competition of which transactions will be included in the next block is put in place. A rational miner no longer includes any transaction with a non-zero transaction fee, but chooses to include the transactions with the highest fees in order to maximize profits.

4.3 Examination of different solutions to the low difficulty equilibrium threat

The low difficulty equilibrium is a well known issue in the Bitcoin community. Many possible solutions have been discussed, some of which will be discussed in this chapter.

4.3.1 Leaving the blocksize limit as is

The easiest solution is to leave the blocksize as is. This solution obviously does not require a hard-fork of the blockchain, which is a big plus. Unfortunately, leaving the blocksize as is comes with disadvantages, especially the fact that the system does not scale. Comparing the 7 transactions per second the Bitcoin network can currently handle to the 24’000 transactions the VISA network is capable of processing, it seems logical that part of the Bitcoin community thinks that this limit undoubtedly needs to be removed.

If the blocksize limit of 1MB ever were to be reached, it would result in participants of the network paying higher transaction fees in order to get their transaction included in the block. Less-urgent transactions could be sent cheaper because a non-urgent transaction does not necessarily have to be included in the next block. A transaction with a lower fee would have to wait until the pending transactions with a higher fee no longer fill a whole block. In other words: Less urgent transactions would have to wait for a time where the network is less congested.

Currently the blocksize limit is far from being reached. The average blocksize in 2012 was less than 67KB per block. Therefore, this solution presupposes a healthy growth of the Bitcoin network before it can have any effect on transaction fees.

Advocates of the blocksize-limit also argue that with higher transaction fees, businesses will come up that handle bitcoin transactions off-chain. Off-chain transactions are transactions that are not recorded in the blockchain, but processed by a bank-like service provider. Any transaction within such a Bitcoin bank would only be recorded on the business’ privately known transaction log. This system can be compared to our current banking system with banking corporations and SWIFT transactions for interbank transactions. Transactions on the blockchain would then only be issued by corporations, and individual transactions bundled together to avoid high transaction fees (keepbitcoinfree.org, n.d.).

4.3.2 Completely removing the blocksize limit

Even though removing the blocksize limit is the cause of the described tragedy of the commons issue, it seems to be the solution that will be implemented in the near future. Advocates of this solution argue that the cost of including a transaction in a block not only consists of bandwidth, storage and energy costs, but also of a so-called orphan cost. With every additional transaction in the block, the block grows in size, and the block size has a direct impact on the propagation time of the block. With every transaction a miner includes in a block, the risk of the block being orphaned rises slightly, because while the block propagates, another block might be found somewhere in the network. In other words there is always a trade-off for miners between how many transaction fees to collect and the risk of the block being orphaned.

Research shows that the size of a block has a significant impact on propagation time. With every added kilobyte, it takes a block 80ms longer to reach a majority of the network (Christian Decker, 2013). As soon as a miner has propagated his newly created block to a majority of the network, the average probability of the block being orphaned is less than 0.5.

As you may have noticed, the solution to the concealed mining strategy, namely choosing the block to mine on randomly, would also have an impact on the question whether or not to increase the blocksize. If miners were to choose randomly which chain to mine on, the orphan cost would shrink significantly, because block propagation would no longer be a race to reach as many nodes as quickly as possible. The assumption that miners will not include all transactions with non-zero transaction fees because of the orphan cost would therefore no longer be fulfilled.
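The arguments of sections 4.1, 4.2 and 4.3.2 can be put side by side in one small model of a fee-maximizing miner filling a block in the year-2140 setting (block reward zero). This is an added example, not code from the paper: the mempool is constructed, the Poisson orphan model, the cost per hash `c_h` and all function names are assumptions of this sketch, and only the 80 ms per KB and $1.27 \times 10^{-7}$ USD figures come from the text.

```python
import math

BLOCK_INTERVAL_S = 600.0    # Bitcoin's target time between blocks
DELAY_PER_KB_S = 0.080      # 80 ms per added KB, the figure quoted in 4.3.2
VERIFY_COST_USD = 1.27e-7   # per-transaction verification cost quoted in 4.2

# Constructed demand curve: 20,000 pending transactions of 0.5 KB each,
# bidding from 0.10 USD/KB down to far below the verification cost.
MEMPOOL = [(0.5, 0.5 * 0.10 * 0.999 ** k) for k in range(20_000)]

def orphan_probability(size_kb):
    """Assumed model: rival blocks arrive as a Poisson process, so the chance
    that one appears during the extra propagation delay is 1 - exp(-t/T)."""
    return 1.0 - math.exp(-DELAY_PER_KB_S * size_kb / BLOCK_INTERVAL_S)

def build_block(mempool, reward_usd=0.0, limit_kb=None, orphan_race=True):
    """Fill a block greedily by fee rate; mempool holds (size_kb, fee_usd).
    Returns (used_kb, clearing_rate): the block size and the lowest fee per
    KB that was still worth including."""
    fees = used = 0.0
    clearing = None
    for size, fee in sorted(mempool, key=lambda tx: tx[1] / tx[0], reverse=True):
        if limit_kb is not None and used + size > limit_kb:
            continue                      # does not fit under the cap
        cost = VERIFY_COST_USD
        if orphan_race:                   # risk of losing what was collected so far
            cost += orphan_probability(size) * (reward_usd + fees)
        if fee <= cost:
            continue                      # a rational miner leaves it out
        fees, used, clearing = fees + fee, used + size, fee / size
    return used, clearing

def fee_budget(used_kb, clearing_rate):
    """V_t if, as section 4.2 argues, no sender pays more than the clearing rate."""
    return used_kb * clearing_rate

def equilibrium_hashes(v_b, v_t, c_h):
    """Section 4.1: total hashes per block at equilibrium, (V_b + V_t) / C_h,
    which is also the work a 51% attacker has to exceed."""
    return (v_b + v_t) / c_h

def scenarios(c_h=1e-12):                 # c_h is a constructed cost per hash
    cases = {
        "1 MB cap": dict(limit_kb=1000),
        "no cap, orphan cost": dict(),
        "no cap, random tie-break": dict(orphan_race=False),
    }
    out = {}
    for name, kwargs in cases.items():
        used, rate = build_block(MEMPOOL, **kwargs)
        budget = fee_budget(used, rate)
        out[name] = (used, rate, budget, equilibrium_hashes(0.0, budget, c_h))
    return out

if __name__ == "__main__":
    for name, row in scenarios().items():
        print(name, row)
```

In this model the cap holds the clearing rate near 0.0135 USD/KB, the orphan cost alone holds it near 0.006 USD/KB, and removing both lets it fall to the verification cost, shrinking the work an attacker must exceed by more than three orders of magnitude.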

4.3.3 Enforce minimum transaction fee

Another very simple solution is to enforce a minimum transaction fee for every transaction. The obvious problem with this solution is how to define the minimum transaction cost. The Bitcoin protocol itself does not have any notion of how much a bitcoin is worth in terms of fiat currency. Consequently, the cost of a transaction fluctuates with the bitcoin/USD exchange rate. Of course this problem could be resolved with Bitcoin developers adapting the transaction fees to the exchange rate, but as with all developer interaction, that leaves the uneasy feeling of them being in control of the system.

4.3.4 Mining cartel or monopoly

A rather counter-intuitive solution to the tragedy of the commons problem is to have a mining monopoly or a cooperative cartel of miners. By not including transactions with small fees in their blocks, and even refusing to accept blocks that contain transactions with too small transaction fees, they could enforce a minimum transaction fee. Assuming they control more than 50% of the network, their blockchain will always be the longest, even if they discard all other blocks. Of course it would be in their best interest to collect as many transaction fees as possible, but at the same time they want Bitcoin to be as successful as possible, so the stable equilibrium would be to enforce a sensible transaction fee.

The obvious problem with this solution is that Bitcoin’s core strength, its distributed nature, would be violated. But the truth is that today Bitcoin’s three largest mining pools already control more than 51% of the network. Therefore, a mining cartel is not so far-fetched (BitcoinTalk, n.d.).

4.3.5 Dominant Assurance Contracts

One could argue that stakeholders that are most interested in Bitcoin’s security should be responsible for securing the network. A Bitcoin core developer proposed a solution to the low equilibrium threat where large stakeholders pledge bitcoins for miners to contribute to the network. This can be achieved by using dominant assurance contracts, a principle we know from companies such as Kickstarter. Dominant assurance contracts are already possible with today’s Bitcoin protocol using the scripting system described in section 2.2.

A large stakeholder can create a transaction that is only valid if the total output value exceeds a certain threshold before a certain point in time. The transaction is an “anyone-can-pay” transaction, meaning that anyone can add inputs to it. The transaction does not have any output value, so if the threshold is reached, the pledged bitcoins will be given to the miner that can first include the transaction in a block.


5 Conclusion

The Bitcoin system is a very successful virtual currency scheme, and nothing like it has been seen before. This paper shows how the system creates incentives to participate in the system, and to keep the system secure at the same time.

This paper also shows that the system is not perfect, and there are serious threats that need to be considered. While only purely technical threats have been discussed, the severity of other threats probably overshadows the purely technical ones. One threat that was not discussed is the threat of the Bitcoin community not finding a consensus on how to solve a particular problem, such as the low difficulty equilibrium problem. The splitting of the Bitcoin community, due to different political and philosophical views, would ultimately result in the splitting of the blockchain, with each party considering their branch of the blockchain as valid. From a usability standpoint, this scenario is disastrous. It would mean that every Bitcoin address has a different balance, depending on which blockchain you look at. After asking on a Bitcoin forum whether a consensus was found on the blocksize issue, three different core developers participated in the discussion, each praising a completely different solution (reddit.com, 2013). This leads to two realizations: First, that there is no right answer, because every possible solution contains its own political opinions, and second that the threat of a fork of the blockchain is not as far-fetched as you might think.

References

BitcoinTalk. n.d. “Disturbingly low future difficulty equilibrium.” https://bitcointalk.org/index.php?topic=6284.0

bitcoinwatch.com. n.d. “Total BTC.” http://bitcoinwatch.com/

Bitcoin Wiki. 2013a. “Difficulty.” https://en.bitcoin.it/wiki/Difficulty

Bitcoin Wiki. 2013b. “Mining Hardware Comparison.” https://en.bitcoin.it/wiki/Mining_hardware_comparison

Bitcoin Wiki. 2013c. “Real world shops.” https://en.bitcoin.it/wiki/Real_world_shops

Bitcoin Wiki. 2013d. “Scalability.” https://en.bitcoin.it/wiki/Scalability

Bitcoin Wiki. 2013e. “Transactions.” https://en.bitcoin.it/wiki/Transactions

bitcoinwisdom.com. n.d. “BitcoinWisdom.” http://bitcoinwisdom.com/

Christian Decker, Roger Wattenhofer. 2013. “Information Propagation in the Bitcoin Network.”

European Central Bank. 2012. “Virtual Currency Schemes.” Frankfurt am Main, Germany.

Github. n.d. “GetNextWorkRequired method.” https://github.com/bitcoin/bitcoin/blob/master/src/main.cpp#L1321

Ittay Eyal, Emin Gun Sirer. 2013. “Majority is not Enough: Bitcoin Mining is Vulnerable.”

Joshua Kroll, Ian Davey, Edward Felten. 2013. “The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries.”

keepbitcoinfree.org. n.d. “Keep Bitcoin Free! - Working together to keep Bitcoin decentralized.” http://keepbitcoinfree.org/

Laurie, Ben. 2011. “Decentralised Currencies Are Probably Impossible - But Lets At Least Make Them Efficient.”

Moshe Babaioff, Shahar Dobzinski, Sigal Oren, Aviv Zohar. 2012. “On Bitcoin and Red Balloons.”

Nakamoto, Satoshi. 2008. “Bitcoin: A Peer-to-Peer Electronic Cash System.”

reddit.com. 2013. “Is there a consensus on the blocksize limit issue?” http://www.reddit.com/r/Bitcoin/comments/1owbpn/is_there_a_consensus_on_the_blocksize_limit_issue/

Rosenfeld, Meni. 2012. “Analysis of hashrate-based double-spending.”

Simon Barber, Xavier Boyen, Elaine Shi, Ersin Uzun. 2012. “Bitter to Better How to Make Bitcoin a Better Currency.”

Youtube. 2013. “Mike Hearn, Bitcoin Developer - Turing Festival 2013.” http://www.youtube.com/watch?v=Pu4PAMFPo5Y


Declaration

I, Raphael Voellmy, hereby declare that I have produced this work independently and have used no other than the listed tools and sources.

—————————————————Date and Signature
