The Blockchain Technology: Some Theory And Applications

Working Paper No. 2017/03

The Blockchain Technology: Some Theory and Applications

Nicola Dimitri1 October 2017

Š The author, 2017 š Professor of Economics, University of Siena-Italy, Corvers Chair on Innovation Procurement, Maastricht School of Management, Life Member, Clare Hall College Cambridge, Visiting Professor IMT

1

The Maastricht School of Management is a leading provider of management education with worldwide presence. Maastricht School of Management’s mission is to provide education and advocacy for ethical management, inspiring leadership, innovative entrepreneurship and effective public policy, building on our unique history in working together with institutions in emerging economies for better global management. www.msm.nl

The views expressed in this publication are those of the author(s). Publication does not imply endorsement by the School or its sponsors, of any of the views expressed.

2

THE BLOCKCHAIN TECHNOLOGY: SOME THEORY AND APPLICATIONS

Nicola Dimitri Professor of Economics University of Siena-Italy Corvers Chair on Innovation Procurement Maastricht School of Management-NL Life Member Clare Hall College Cambridge-UK Visiting Professor IMT Lucca-Italy

Abstract Since its 2008 appearance as a cornerstone of the cryptocurrency bitcoin, the blockchain technology gained widespread attention as a modality to securily validate and store information without a trusted third party. Indeed trust is replaced by cryptographic security, epitomised by hash functions, a unique fingerprint of any information file. The paper is a quick overview of the main concepts and applications of the blockchain, taken from an economic perspective.

1

THE BLOCKCHAIN TECHNOLOGY: SOME THEORY AND APPLICATIONS

1. Introduction On 31 October 2008, at 2.10 pm New York Time (Vigna-Casey, 2015) a white, seminal, paper, written under the pseudonym of Satoshi Nakamoto (SN), was diffused by email to a very large list of computer science experts suggesting how to design a protocol for a peerto-peer cryptocurrency, called Bitcoin. The paper spurred several reactions (Extance, 2015; Popper, 2015) which then developed into the current implementation of Bitcoin. It describes how bitcoin transactions should be recorded, how to solve the potential problem of double spending (Eyal-Emin, 2014), how to change the supply of bitcoins over time, how to keep pricacy and sustain security and other important features. It also pointed out that trust can be replaced by a cryptographic proof, and that no mediating figures are needed to agree and validate transactions. The suggested method for registration of bitcoin transactions was the inception of the blockchain technology (BL), a protocol where the relevant information is recorded in subsequent blocks on a ledger, that is shared by all the nodes of the network. Since then other cryptocurencies, such as Litecoin, Feathercoin, Peercoin, Novacoin and others (Halaburda-Sarvary, 2016) and platforms such as Ethereum, based on BL have been introduced and the potential of the technology began to unfold in areas other than cryptocurrencies (Walport, 2015; Nomura Research Institute, 2016; Deloitte, 2016). As of now, its development and applications have been identified as Blockchain 1, 2 and 3 (BL1-2-3) (Swann, 2015). Blockchain 1 refers to the initial applications to currencies, Blockchain 2 refers to contracts while Blockchain 3 concerns applications to further legal and economic aspects. More specifically, BL3 includes value attestation services, notary services, identity and property verification, intellectual property rights protection and others. Public institutions across the world are also becoming interested in BL3 services (Walport, 2015). For example, recently in 2017 the government of Georgia announced an agreement with a specialised company to implement its land property cadastre on a blockchain. The main goal of such operation is to make sure that information on land property is shared among the stakeholders and is non-manipulable, since attempts to change it could be reliably identified. As well as states, banks and corporations are also becaming interested in BL to enhance security and efficiency in information management. Unlike permissionless applications of BL such as cryptocurrencies, where any individual could enter the network and operate, access to states and corporate applications is restricted. The interest of Governments in BL may be seen as somewhat surprising, since the initial bitcoin application was strongly motivated by a libertarian and authority-free approach. 2

Therefore, the question is: what are the main features of BL becoming so widely attractive in both the private and public spheres? Tapscott-Tapscott (2016) identify “seven principles underlying BL, which may help explaining the wide spread interest for it: “networked integrity, distributed power, value as incentive, security, privacy, rights preserved, inclusion”. Below we briefly comment on two of them. Broadly speaking, security on BL is based on the cryptographic principle of a privatepublic key approach (Swann, 2015; Narayan et al, 2016; Antonopoulos, 2017; Holden, 2017;). The intuition behind it can be drawn from our every day email experience. Email communication is based on two main elements. A personal credential to enter the system, which plays the role of the private key and the email address, which corresponds to the public key. Credentials have to be well managed and safely kept by an individual, as they represent the instrument for writing and reading messages. The email address is publicly known, and used by those who want to transmit messages to that individual. However, messages sent to that address, public key, could only be read by accessing the system with the corresponding individual’s credentials, private key. Hence, messages sent to a specific address could only be read using the credential of the receiver. Therefore security and privacy of the message content is guaranteed by the protocol and by the fact that personal credentials can not be traced back from the public address. This is clearly true unless the sender/receiver transmits the message to other addresses or the credentials are appropriated by somebody else. In fact, the relation between credentials and addresses is formally a function; that is, the same credential could be used for different addresses while for each address there is only one credential that could allow to read the message. As we shall see, information security is one of the most important features of BL. Personal privacy is almost complete since actors, in a permitted network such as bitcoin where anyone can operate, act under a pseudonym, the digital address, and not under full anonymity. That is, in principle it seems that some inference could be made on the real identity of a trader (Narayanan et al, 2016) by looking at the history of his transactions. However, this can still be very difficult and require large computational power. This paper is a short presentation, from an economic perspective, of some of the main theoretical issues and applications of BL. Far from being exhaustive and complete, the work aims to provide a quick overview of few major themes. Chapter 2 presents a definition of BL and discusses how consensus, on whether the relevant information to include in a BL is correct, could emerge in a distributed network. Chapter 3 is a short discussion of bitcoin, as a main example of cryptocurrency, where BL was first introduced. In Chapter 4 we introduce the notion of smart contract and discuss its bearing for procurement. Chapter 5 concludes the paper.

3

2. Blockchain, Distributed Consensus and Coordination

As said, the fundamental technology underlying cryptocurrencies, smart contracts and more in general smart services is BL. This definition, drawn from Wolport (2015) captures the main elements for our discussion “A block chain is a type of database that takes a number of records and puts them in a block (rather like collating them on to a single sheet of paper). Each block is then ‘chained’ to the next block, using a cryptographic signature. This allows block chains to be used like a ledger, which can be shared and corroborated by anyone with the appropriate permissions. There are many ways to corroborate the accuracy of a ledger, but they are broadly known as consensus (the term ‘mining’ is used for a variant of this process in the cryptocurrency Bitcoin)â€?. The following important feature is what distinguishes BL from a standard database “The real novelty of block chain technology is that it is more than just a database — it can also set rules about a transaction (business logic) that are tied to the transaction itself. This contrasts with conventional databases, in which rules are often set at the entire database level, or in the application, but not in the transactionâ€?. Therefore, broadly speaking BL is a list of connected blocks of data, whose contained information is typically validated peer-to-peer by the nodes of the relevant network. Indeed, in some of the most important applications consensus on the recorded data is obtained via some majority rule, without a trusted third party mediating between the interested subjects. As a matter of fact, savings on costs for verification and networks formation are identified as the main economic advantages of BL (Catalini-Gans, 2016) A simple representation of BL could be as follows. If đ??ľđ?‘Ą stands for the union of all blocks of information available at time đ?‘Ą, and đ?‘?đ?‘Ą for the block of information added at time đ?‘Ą, with đ?‘Ą = 1,2, ‌ then đ??ľđ?‘Ą = đ??ľđ?‘Ąâˆ’1 âˆŞ đ?‘?đ?‘Ą = đ??ľđ?‘œ âˆŞ ⋃đ?‘Ąđ?‘–=1 đ?‘?đ?‘– with đ??ľđ?‘œ being the initial block. A fundamental cryptographic element of BL information security, is the hashing function â„Ž = đ??ť(đ?‘Ľ), that is a function assigning a string of symbols of limited size â„Ž to a list of symbols of any size đ?‘Ľ. Then, a hash â„Ž can be seen as a summary of đ?‘Ľ, which can be very large, with two remarkable properties: the first one is that inversion of đ??ť(đ?‘Ľ) is virtually impossible and, moreover, even a slight variation of the input đ?‘Ľ to đ?‘Ľâ€™ will produce an output ℎ′ = đ??ť(đ?‘Ľ ′ ) which is meaningfully different from â„Ž (Narayanan et al, 2016). These two properties, as well as others, are fundamental for the bitcoin implementation and in general for BL. For example, in bitcoin the private key is first 4

generated as a random number, then a public key is obtained through some mathematical transformation of the private key and, finally, a bitcoin address is obtained as a hash of the public key (Antonoupoulos, 2017). Therefore, from the bitcoin address, which is public information in the network, is neither possible to trace back the public key nor the private key. Hence, as long as it is well managed, the private key remains secret. Moreover, the content of a block (bitcoin transactions, time stamp and others), is hashed as a unique string of symbols and, if the block information for some reason is tampered with its hash would meaningfully change. Therefore, since the hash computation is immediate, the block hash represents a very quick test to verify if a block content has been altered. The methodology for registration of transactions, which besides the amount of currency exchanged includes a time stamp, can be interpreted as an example of the so called triple-entry book keeping, an accounting methodology originally introduced to specify the time dimension, as well as the monetary details of the exchange, payer and receiver (Ijri, 1982). Therefore, such registration technology allows to trace back from its initial introduction the path followed by each single bitcoin, keeping the memory of its ownerships. Such feature of bitcoin evokes the view that money is memory, advocated by Kocherlakota (1998). If security concerning blocks content alteration is guaranteed, the question for BL applications is how to agree on the information to be inserted in the block. In the next paragraph we discuss consensus formation in distributed systems.

2.1 Distributed Consensus In permissionless BL, such as those of bitcoin and other cryptocurrencies, information is not done by a trusted, mediating, third party rather by all the nodes which are part of the relevant network. Therefore, consensus on the correct information to record in BL has to emerge within a distributed environment, according to some pre-defined rule. Such rules are typically based on majority criteria, which are assumed to take care of the potential problem of validating incorrect information or rejecting correct information. Indeed, if a “trusted third partyâ€? may not deserve trust or be competent enough, in a decentralised environment nodes too could behave opportunistically, for example trying to validate false information, or perhaps involutarily approving wrong information. Therefore for the correct functioning of a BL with decentralised, peer-to-peer, validation it is important that honest nodes reach a consensus and be sufficiently numerous, so that a majority could emerge to support correct information registration. But what is correct information? For example, with reference to financial transactions, suppose an individual draws đ?‘Ľâ‚Ź from an ATM machine in country A. Hence, the system should charge his bank account in country B by the sum −đ?‘Ľâ‚Ź. If instead, because of a computer malfunctioning or other reasons, the bank account was charged −đ?‘Śâ‚Ź, with đ?‘Ś ≠đ?‘Ľ, then the system would produce information discrepancies and become unreliable. 5

Therefore, for the system to continue functioning in a proper way a majority of nodes should form to validate information where the charge in country B is−đ?‘Ľâ‚Ź. If some very occasional, minor, mistakes and inconsistencies can be tolerated, as long as they could be timely fixed and do not harm customers, major mistakes due to technical problems or to opportunistic alterations of the data, by some of the nodes in a network, would seriously hinder the correct functioning of the system and eventually its adoption. Therefore, unforgeability and consistency of the relevant information among the nodes of a distributed system is a fundamental requirement for its acceptance and success. However obtaining such consensus, in the presence of nodes who could behave opportunistically, raises some critical issues that we are going to discuss in the next paragraph. 2.2 The “Byzantine Generalsâ€? The main conceptual problem for reaching consensus in an unreliable distributed system has been originally presented within the Artificial Intelligence community under the metaphores of the Coordinated Attack with two generals (Akkoyunlu et al., 1975; Gray, 1978) in its simplest version, or as the Byzantine Generals in the general version with more than two generals (Pease et al, 1980; Lomport et al, 1982; Dolev 1982; Turek-Shasha, 1992). The main problem, in both versions, is that generals of different divisions of an army have to coordinate their attack to defeat the enemy. If they do not do so attack would fail to succeed; failure to coordinate may take place because while some generals are honest, following the initial command of a (loyal) general, others can be traitors, hence with an incentive to alter the information on the attack to make it fail. A standard version of the Byzantine Generals communication protocol is as follows. Suppose there are đ?‘› generals; one of them will send a message to the other generals to communicate whether tomorrow they should attack the enemy camp, at a certain time, or retreat. The general sending the first message is the chief, main, commander and will take a decision after having collected as much relevant information as possible on the enemy’s position, forces, weather conditions etc. To simplify, as in the original version of the problem, we assume the main general to be honest, that is he will communicate to the others what he truly believes in the interest of his army. As we shall see, the situation may differ depending on whether or not honesty of the chief general is commonly known by the other generals. For this reason we do not consider so, although we assume that any other loyal general will follow the command received, if they only receive one command. Each general thinks the other generals may be loyal or traitors. Again, also this assumption could be further specified by saying that everyone knows that at least a share đ?‘ of the generals, where 0 ≤ đ?‘ ≤ 1, hence đ?‘ đ?‘› generals, are traitors. However, again to simplify, in what follows we shan’t discuss this. In the original version of the problem the main question asked was the following: is there a way for the main general to send the command that the loyal generals will follow? We now see how, for this to occur, it is fundamental the modality with which the message is sent (oral or written) and whether it is delivered sequentially or simultaneously 6

As for the modality of the command, we can conceive the message as being (i) oral (ii) written but forgeable (iii) written and unforgeable. Cases (i) and (ii) are important for successful coordination when the message is transmitted sequentially from one general to the other, or when even if the initial message is sent simultaneously by the main general, the other generals can communicate wih each other. To gain insights on the above points, consider this simple example, inspired by Lomport et al (1982), with three generals đ??´, đ??ľ and đ??ś. If đ?‘šđ?‘– stands for the message sent by general đ?‘– = đ??´, đ??ľ, đ??ś, then for simplicity we assume đ?‘šđ?‘– can only be of two types: đ?‘šđ?‘– = {đ?‘Ž, đ?‘&#x;}, for a=attack or r=retreat. Start considering (i) and (ii), and suppose (a) the message is sent sequentially by đ??´ to đ??ľ and then by đ??ľ to đ??ś: that is đ??´â†’đ??ľâ†’đ??ś meaning that đ??´ sends it to đ??ľ who in turn sends it to đ??ś. Assume đ??´ is honest and that any honest general receiving a message will communicate-execute the same message, while if a traitor receives message đ?‘Ž then will communicate message đ?‘&#x; and viceversa. Moreover, a traitor will always implement action đ?‘&#x;. First observe that if either đ??ľ, or đ??ś, or both are traitors and đ?‘šđ??´ = đ?‘Ž then clearly one general will not attack. Indeed, suppose đ??ľ is a traitor while đ??´ and đ??ś are honest. Since đ?‘šđ??´ = đ?‘Ž then đ?‘šđ??ľ = đ?‘&#x; and both đ??ľ and đ??ś will retreat. For this reason, the plan of attacking ordered by the chief commander will not be followed by all honest generals. If đ??ľ is honest, đ??ś is a traitor and đ?‘šđ??´ = đ?‘Ž then đ?‘šđ??ľ = đ?‘Ž but đ??ś will not attack though, in this case, all honest generals will attack. If both đ??ľ and đ??ś are traitors and đ?‘šđ??´ = đ?‘Ž, then đ?‘šđ??ľ = đ?‘&#x; and both đ??ľ and đ??ś would retreat. Trivially, also in this case, all honest generals will attack. If đ?‘šđ??´ = đ?‘&#x; and đ??ľ is the only traitor then đ?‘šđ??ľ = đ?‘Ž and đ??ś only will attack. Instead if đ??ś is the only traitor then đ?‘šđ??´ = đ?‘&#x;, đ?‘šđ??ľ = đ?‘&#x; and all will retreat, as well as when both đ??ľ and đ??ś are traitors. (b) the message is sent simultaneously, and separately, by đ??´ to đ??ľ and đ??ś. Moreover, đ??ľ and đ??ś do not communicate with each other: that is đ??´ ↙

↘

đ??ľ

đ??ś

7

Still assuming đ??´ to be honest, if đ?‘šđ??´ = đ?‘Ž and at least one between đ??ľ and đ??ś is a traitor then at least one of them will not attack, though again all honest generals will. Under the same conditions, if đ?‘šđ??´ = đ?‘&#x; then all will choose đ?‘&#x;. Suppose instead that now đ??ľ and đ??ś can communicate with each other. In particular, suppose đ??ľ is loyal general and đ??ś is a traitor. If đ?‘šđ??´ = đ?‘Ž then đ??ś may say to đ??ľ that he received đ?‘šđ??´ = đ?‘&#x;. đ??´ ↙ đ??ľ

↘ â†? đ??ś

In this case đ??ľ may be uncertain as to whether đ??´ or đ??ś are traitors, and undecided on what action to take. The simple example shows that consensus among honest generals, who will execute the order, can be difficult to obtain even when only one traitor is present within three 1

generals. Indeed, more extensively, if at least 3 of the generals are traitors then Lomport et al (1982) show that it is impossible for the plan to be followed by all honest generals. Therefore, how can the message go through and the related action implemented by all loyal generals? Suppose now (iii) messages are written and transmitted in an unforgeable way. Moreover, each message sent by a general keeps record of the messages received by that general. For this reason, now a message will contain the following information đ?‘šđ?‘– = {đ?‘šđ?‘— } where đ?‘šđ?‘— , with đ?‘— ≠đ?‘–, are the messages received by general đ?‘– before sending his own message. More specifically, consider again the sequential communication đ??´â†’đ??ľâ†’đ??ś Suppose that A is honest, đ??ľ is a traitor and đ??ś is honest. If đ?‘šđ??´ = đ?‘Ž then now đ?‘šđ??ľ = {đ?‘šđ??´ = đ?‘Ž} Indeed, because of non-manipulability of đ??´â€˛đ?‘ message, although đ??ľ is a traitor he could not send messages other than what đ??´ sent to him. Therefore, action đ?‘Ž will be implemented by the two honest generals. It is easy to see that, with unforgeability, the above conclusion holds for any number of generals, whether with sequential or simultaneous communication. As a result, the protocol is implemented by all honest generals. The Blockchain technology solves the distributed consensus problem as with the written, unforgeable, messages introducing the new information to be registered in blocks, which is added to previously accepted registered blocks. As said before, hashing functions make forgeability virtually impossible. A more general way to analyse the Byzantine Generals problem, is to assume that being a honest general or a traitor, is the outcome of a strategic choice. Though we won’t enter into the analysis, it may be interesting to sketch, in a very simple way, how the problem could be modelled as a game. Consider the sequential, simplified, procedure đ??´ → đ??ľ with 8

only two generals. In the following table we represent all the possible sequences of moves that could take place.

đ?‘şđ?’•đ?’‚đ?’•đ?’† đ?’?đ?’‡ đ?’•đ?’‰đ?’† đ?’˜đ?’?đ?’“đ?’?đ?’… đ?‘¨ đ?’”đ?’†đ?’?đ?’…đ?’” đ?’Žđ?’†đ?’”đ?’”đ?’‚đ?’ˆđ?’† đ?‘Ž đ?‘šđ??´ = đ?‘Ž đ?‘Ž đ?‘šđ??´ = đ?‘Ž đ?‘Ž đ?‘šđ??´ = đ?‘Ž đ?‘Ž đ?‘šđ??´ = đ?‘Ž đ?‘Ž đ?‘šđ??´ = đ?‘&#x; đ?‘Ž đ?‘šđ??´ = đ?‘&#x; đ?‘Ž đ?‘šđ??´ = đ?‘&#x; đ?‘Ž đ?‘šđ??´ = đ?‘&#x; đ?‘&#x; đ?‘šđ??´ = đ?‘Ž đ?‘&#x; đ?‘šđ??´ = đ?‘Ž đ?‘&#x; đ?‘šđ??´ = đ?‘Ž đ?‘&#x; đ?‘šđ??´ = đ?‘Ž đ?‘&#x; đ?‘šđ??´ = đ?‘&#x; đ?‘&#x; đ?‘šđ??´ = đ?‘&#x; đ?‘&#x; đ?‘šđ??´ = đ?‘&#x; đ?‘&#x; đ?‘šđ??´ = đ?‘&#x;

( đ?‘¨ đ?’‚đ?’„đ?’•đ?’Šđ?’?đ?’?, đ?‘Š đ?’‚đ?’„đ?’•đ?’Šđ?’?đ?’?) (đ?‘Ž, đ?‘Ž) (đ?‘Ž, đ?‘&#x;) (đ?‘&#x;, đ?‘Ž) (đ?‘&#x;, đ?‘&#x;) (đ?‘Ž, đ?‘Ž) (đ?‘Ž, đ?‘&#x;) (đ?‘&#x;, đ?‘Ž) (đ?‘&#x;, đ?‘&#x;) (đ?‘Ž, đ?‘Ž) (đ?‘Ž, đ?‘&#x;) (đ?‘&#x;, đ?‘Ž) (đ?‘&#x;, đ?‘&#x;) (đ?‘Ž, đ?‘Ž) (đ?‘Ž, đ?‘&#x;) (đ?‘&#x;, đ?‘Ž) (đ?‘&#x;, đ?‘&#x;)

đ?‘ˇđ?’‚đ?’šđ?’?đ?’‡đ?’‡đ?’” ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?

That is, the first column on the left reports what nature chooses as a first move, that is whether it would be right for the army to attack or retreat. We call nature’s choice the state of the world, with đ?‘? being the (commonly known) probability of đ?‘Ž. Then general đ??´ will observe the state and send a message đ?‘šđ??´ to general đ??ľ, which again could be either to attack or retreat. However, since đ??ľ cannot observe the state he may not perfectly deduce it from đ??´â€˛đ?‘ message. Finally, generals đ??´ and đ??ľ will simultaneosly choose whether to attack of retreat. To each possible profile of actions, there will be payoffs associated, and based on such payoffs choices will be made. The game can be solved by backward induction. Hence, in the final, simultaneous, subgame Nash Equilibria will be identified. Based on those, đ??´ will decide which messages to send after the state realises. Therefore, the analysis would suggest who strategically behave honestly or as a traitor, based on the profitability of such choices. It would also include the standard approach previously discussed, where generals are by definition loyals or traitors, as a particular case. Indeed, payoffs in that case will be such that being honest or traitor is a dominant strategy, at any state of the world. Finally, notice that players may be uncertain as to the opponent’s payoffs, in which case the final stage of the game could be modelled as a Bayesian game. Having introduce some of the main conceptual issues behind BL we now proceed discussing Bitcoin, its original and so far best known application.

9

3 Bitcoin

As said, main example of a BL application are cryptocurrencies (Halaburda-Sarvary, 2016; Hubermann et al., 2017). These are virtual currencies exchanged between individuals, where validation of transactions is peer-to-peer, typically based on distributed consensus and so on majority rules, rather than guaranteed by a trusted mediating figure. The underlying spirit with which bitcoin and other cryptocurrencies were introduced was indeed to avoid a mediating figure, so that implemented transactions could be transparent and verified by all the nodes in the network. Moreover, money supply would be agreed by all of them rather than discretionarily decided by central banks. Cryptocurrencies coexist with fiat, paper money minted and legally enforced by the states: this raises the question of competing currencies, as posed and already discussed by Hayek, (1990). Governance of such communities can also take different forms though, often, is again based on democratic consensus. The number of cryptocurrencies has increased over the years and a comprehensive, up-todate, account of their number, importance and impact can be found in Hileman-Rauchs (2017). Virtual currencies attracted much attention for their consequence on economic activities, and money supply in the economy (European Central Bank, ECB, 2012,2015). Indeed, the introduction of private cryptocurrencies increases the set of assets, that indivduals can use for speculative reasons as well as for exchanges etc, besides those authorised by the states. Central banks are also discussing whether assets such as bitcoin have to be considered as a currency or as a commodity. For example, according to the the ECB the high volatility of the bitcoin/dollar exchange rate makes it more akin to a commodity than to a currency, since the standard reserve of value function does not seem to be accomplished in this case. A full understanding of the economics of bitcoin is still work in progress (Bonneau et al, 2015; Bohme et al, 2015; Athey et al, 2016; Garratt-Wallace, 2016; Narayanan et al, 2016, Huberman et al 2017; Chiu-Koeppl, 2017). However, some key features distinguishing private cryptocurrencies from fiat, paper, money are clear and below we discuss some of them: i) ii) iii) iv) v)

money supply of cryptocurrencies is not decided by a Central Bank but rather by the users in a democratic way money supply typically is not decided to accomplish some monetary policy target of a specific state, or group of subjects, but rather pre-defined by the protocol unlike fiat currencies, until now cryptocurrencies have no legal enforceability. Nobody could be forced to accept cryptocurrencies in exchange of a good/service. unless explicitly formalised in legal contracts, misbehaviour involving cryptocurrencies can not be legally prosecuted. potentially, in any country the prevailing fiat currency and cryptocurrencies can be active concurrently, and chosen according to the individuals’ preferences and profitability.

10

Recently some states are also considering to introduce their own digital currencies, side by side to paper money. Obviously, in this case some of the (i)-(v) observations would cease to hold. Among the many available cryptocurrencies Bitcoin is certainly the best known. (VignaCasey, 2015; Popper, 2015; Halaburda-Sarvary, 2016; Narayan et al. 2016; TschorschScheuermann (2016), Antonopoulos, 2017). As said, the structure of the Bitcoin protocol was originally proposed by SN, although currently implementation and development of some of its features is lively debated within the community. The Bitcoin protocol is based on a number of rules shared by the community, and originally suggested by SN. Unlike fiat currencies, because of such rules bitcoin is deemed to be noninflationary. To have a better understanding of its main features, in the next paragraph we briefly discuss two of them, from an economic perspective.

3.1 Money supply and mining In absence of a mediating figure, the first important question for the protocol to operate is the following: who is going to verify that a proposed monetary exchange is correct and who keeps record of all the transactions undertaken over time? More specifically, by a correct exchange we mean that the paid money indeed belongs to the payer and that he does not spend it in other transactions. This double spending important problem is analogous to the issue of counterfeiting with paper, fiat, currencies. The idea of SN is that those who make the system operating, and registrations correct, should invest their resources in the system, as a way to show their committment in its proper functioning (Kroll et al 2013; Catalini-Gans, 2017; Huberman et al, 2017 ). That is, resources spent in the initiative represent an economic incentive to become one of those subjects who make the system work correctly. Resources are used to solve a “cryptopuzzle�, which is proposed to all the nodes in the network immediately after the transactions in a block are validated and added to the head of the chain. Those who solve the puzzle, and keep the ledger of transactions, receive two forms of rewards. A fixed amount of bitcoins, pre-defined by the protocol, plus voluntary fees by those who performed the transactions. Since blocks have limited capacity, such fees can be interpreted as the willingness to pay, by those exchanging bitcoins, for their transaction to be included in the next block, rather than wait for their registration in future blocks. The reward pre-defined by the protocol consists in newly minted bitcoins, introduced at a decreasing rate over the years, so that around 2041 no further bitcoin will be introduced and rewards will only be due to fees. Therefore, money supply is regulated by a pre-defined and possibly immutable rule and, eventually, the number of bitcoins will be constant. Because of such deacresing rate of money creation over time, those working to solve the cryptopuzzle are called miners, since in the case of mines the mineral will be completely extracted at some date. A further reason why the incentive is based on solving such a puzzle may be because it can not be solved without deploying remarkable computational power. Hence, though recently 11

energy consumption for such activity increased remarkably (Bohme et al, 2015), Catalini-Gans (2016) point out that it is precisely this wasteful and dedicated, very specific, investment that induces the strongest committment in having the system work properly by those who try to solve the puzzle. That is, resorces spent in the syestem can not be used elsewhere. Among other issues (Houy, 2016), such as the block size, how to scale-up bitcoin etc., recently two main questions have been at the center of the debate on mining. The first is about its profitability; if electricity costs are becoming so large, under what conditions can mining be profitable? Alternatively, what conditions should miners’ reward satisfy to overcome mining costs? The second is a concern by the community on the possibility, intrinsic to the mining activity, that a monopoly would emerge and that a peer-to-peer virtual currency would be eventually controlled by a single subject. In Dimitri (2017) the two questions have been addressed, and in what follows we briefly summarise some of the main results of the paper. Consider a static contest model where � = 1,2, . . , � is the generic active miner. We want to discuss how many bitcoins � will invest in computational, hashing, power ℎ� ; a miner is active if ℎ� > 0. Start considering � ≼ 2. Upon solving the puzzle the miner would receive � ≼ 0 bitcoins, as the sum of the pre-defined reward and the transaction fees. Suppose �� is the random variable representing the waiting time until miner � finds a solution to the puzzle, which we assume exponentially distributed with parameter

â„Žđ?‘– đ?‘‘

, where đ?‘‘ is a

parameter indicating the difficulty for solving the puzzle, and continously adjusted by the Bitcoin protocol to have a block registration, on average, every 10 minutes. If đ?‘‹đ?‘– are independent random variables then đ?‘‹ = đ?‘šđ?‘–đ?‘› đ?‘‹đ?‘– is also an exponentially distributed random variable with parameter

â„Ž(đ?‘›) đ?‘‘

đ?‘‘

, where â„Ž(đ?‘›) = ∑đ?‘›đ?‘–=1 â„Žđ?‘– and expected value đ??¸đ?‘‹ = â„Ž . For the Bitcoin protocol it (đ?‘›)

is đ?‘‘đ??¸đ?‘‹ = đ?‘Ą, with đ?‘Ą = 10đ?‘šđ?‘–đ?‘› Assume also that miner đ?‘–′đ?‘ cost function đ??śđ?‘– (â„Žđ?‘– ) is given by đ??śđ?‘– (â„Žđ?‘– ) = đ?‘?đ?‘– â„Žđ?‘– meaured in bitcoin, at the current exchange rate with $, â‚Ź, and other fiat currencies. Hence, miner đ?‘– ′ đ?‘ profit đ?›ąđ?‘– (â„Žđ?‘– ) will be a random variable given by â„Žđ?‘– đ?‘–đ?‘“ â„Žđ?‘– > 0 â„Ž(đ?‘›) ℎ−đ?‘– đ?‘¤đ?‘–đ?‘Ąâ„Ž đ?‘?đ?‘&#x;đ?‘œđ?‘?đ?‘Žđ?‘?đ?‘–đ?‘™đ?‘–đ?‘Ąđ?‘Ś đ?‘–đ?‘“ â„Žđ?‘– > 0 â„Ž(đ?‘›) đ?‘¤đ?‘–đ?‘Ąâ„Ž đ?‘?đ?‘&#x;đ?‘œđ?‘?đ?‘Žđ?‘?đ?‘–đ?‘™đ?‘–đ?‘Ąđ?‘Ś 1 đ?‘–đ?‘“ â„Žđ?‘– = 0

đ?‘… − đ?‘?đ?‘– â„Žđ?‘– đ?‘¤đ?‘–đ?‘Ąâ„Ž đ?‘?đ?‘&#x;đ?‘œđ?‘?đ?‘Žđ?‘?đ?‘–đ?‘™đ?‘–đ?‘Ąđ?‘Ś đ?›ąđ?‘– (â„Žđ?‘– ) =

−đ?‘?đ?‘– â„Žđ?‘– {0

â„Žđ?‘–

where the ratio â„Ž

(đ?‘›)

is the contest function, representing the probability that miner đ?‘– will be the

first to solve the puzzle, and ℎ−đ?‘– = â„Ž(đ?‘›) − â„Žđ?‘– . Hence, miner đ?‘– ′ đ?‘ expected profit đ??¸đ?›ąđ?‘– (â„Žđ?‘– ) is

12

đ??¸đ?›ąđ?‘– (â„Žđ?‘– ) =

đ?‘…â„Žđ?‘– − đ?‘?đ?‘– â„Žđ?‘– đ?‘– = 1, . . , đ?‘› â„Ž(đ?‘›)

(1)

Assuming complete information on đ?‘?đ?‘– , maximising (1) with respect to â„Žđ?‘– leads to đ?‘…ℎ−đ?‘– â„Ž(đ?‘›) 2

= đ?‘?đ?‘– (2)

Second order conditions are satisfied and suppose that đ?‘?1 ≤ đ?‘?2 ≤. . ≤ đ?‘?đ?‘› . If đ?‘?(đ?‘›) = ∑đ?‘›đ?‘–=1 đ?‘?đ?‘– it follows that

â„Ž(đ?‘›) =

đ?‘…(đ?‘› − 1) (3) đ?‘?(đ?‘›)

and for each active miner the optimal level of computational power is

â„Žđ?‘– =

â„Ž(đ?‘›) [đ?‘?(đ?‘›) − (đ?‘› − 1)đ?‘?đ?‘– ] đ?‘…(đ?‘› − 1)[đ?‘?(đ?‘›) − (đ?‘› − 1)đ?‘?đ?‘– ] = (4) đ?‘?(đ?‘›) đ?‘?(đ?‘›) 2

therefore â„Ž1 ≼ â„Ž2 ≼. . ≼ â„Žđ?‘› . Expressions in (4) represent the unique Nash Equilibrium of the mining game, and contain interesting insights on the condition for the mining activity to be profitable, that is â„Žđ?‘– > 0. This is given by đ?‘?(đ?‘›) − (đ?‘› − 1)đ?‘?đ?‘– > 0 suggesting that, provided đ?‘… > 0, only the relative cost structure would count for the decision to be a miner. Therefore, what seem to be important for mining is not so much how high are one’s costs relative to the reward, but actually relative to the other miners’ costs. Indeed, it would always be profitable for at least one miner, đ?‘› = 1, to be active. In this case his profit đ?›ą1 (â„Ž1 ) would be đ?›ą1 (â„Ž1 ) = {

đ?‘… − đ?‘?1 â„Ž1 đ?‘¤đ?‘–đ?‘Ąâ„Ž đ?‘?đ?‘&#x;đ?‘œđ?‘?đ?‘Žđ?‘?đ?‘–đ?‘™đ?‘–đ?‘Ąđ?‘Ś 1 đ?‘–đ?‘“ â„Ž1 > 0 0 đ?‘¤đ?‘–đ?‘Ąâ„Ž đ?‘?đ?‘&#x;đ?‘œđ?‘?đ?‘Žđ?‘?đ?‘–đ?‘™đ?‘–đ?‘Ąđ?‘Ś 1 đ?‘–đ?‘“ â„Ž1 = 0

And, for â„Ž1 > 0 his expected profit given by đ??¸đ?›ą1 (â„Ž1 ) = đ?‘… − đ?‘?1 â„Ž1 , so that there always exists a small enough investment â„Ž1 = đ?œ€ > 0 such that đ??¸đ?›ą1 (â„Ž1 = đ?œ€) = đ?‘… − đ?‘?1 đ?œ€ > 0. However, if there would always be at least one miner, could it be possible to have just one? From (4) it is easy to see that with more than two miners, if one of them reduces his own marginal costs he may render the expected profit of some other miner negative, forcing him to 13

leave the mining activity. If, for a miner, profit gains are higher than expenditures needed to reduce the marginal cost then he would find it be profitable to undertake such reduction. However, if only two miners would remain active then, whatever their cost structure, they will both obtain positive profits. Therefore, the mechanism of marginal costs reduction could not lead to a monoply, unless miners would prefer to invest their resources in activities other than mining, possibly because the return rate from investment is lower than in alternative options. However, with two miners typically one of them will have more than 50% of the overall computational power. 3.2

Is Bitcoin deflationary ?

One of the important elements inspiring Bitcoin has been to have a non-inflationary, indeed deflationary, currency. We interpret this statement in a standard sense, that is the currency would maintain its purchasing power when buying goods and services. More explicitly, their prices expressed in number of bitcoins should remain stable over time, possibly even decrease. This way bitcoin, as a currency, could properly play the role of a reserve of value. Based on current rules inspired by SN, which in any case could always be changed in the future, this feature is claimed to be due to additional money introduced at a decreasing rate over time through the mining activity. Limited supply and lack of discretionary choices is what should make bitcoin a non-inflationary currency, preserving its purchasing power as time unfolds. What we briefly want to discuss here is that this may certainly be true, for example, if bitcoin would dominate, be more widely adopted than other currencies. However, this may not necessarily be the case. Indeed, if bitcoin would keep coexisting with fiat currencies, it seems that in principle nothing may prevent to import price inflation into bitcoin prices from that part of the economy which is using fiat money. đ?‘“

The following simple example illustrates the argument. Suppose đ?‘’ = đ?‘? is the exchange rate between the relevant đ?‘“ = đ?‘“đ?‘–đ?‘Žđ?‘Ą currency and đ?‘? = đ?‘?đ?‘–đ?‘Ąđ?‘?đ?‘œđ?‘–đ?‘›. That is, one bitcoin buys đ?‘’ units of fiat money. Further suppose there are two goods in the economy, indexed as đ?‘– = 1,2. Additionally assume that the two goods could be purchased in either currencies and that, for simplicity, transaction costs for exchanging one currency into the other can be neglected. If đ?‘?đ?‘–đ?‘? is the unit price of good đ?‘– expressed in bitcoins, and đ?‘?đ?‘–đ?‘“ the price of the same good in units of fiat money, then suppose initially đ?‘?đ?‘–đ?‘“ = đ?‘’đ?‘?đ?‘–đ?‘? đ?‘¤đ?‘–đ?‘Ąâ„Ž đ?‘– = 1,2 (5) that is prices expressed in the two currencies are directly related through the exchange rate. Admittedly this is a very simple way to express the relation between prices. Indeed, it should probably incorporate also the fact that, for example, VAT taxation on purchases made with bitcoins does not seem to be clear yet in some of the countries, which may represent an advantage for bitcoin use. On the other hand, bitcoins may be perceived to have a higher chance than fiat currencies of not being accepted in the future and collapsing as a medium of eachange.

14

Suppose now the price in terms of the fiat currency increases, perhaps because of an increase ′ in the currency supply, with the new price being đ?‘?1đ?‘“ > đ?‘?1đ?‘“ . Therefore, for bitcoin to be a noninflationary currency đ?‘?1đ?‘? should remain constant, despite the increase in đ?‘?1đ?‘“ . We now see how this may occur, keeping in mind that the argument for when the bitcoin price may even decrease would be analogous. From (5) it follows that this could happen if the exchange rate would increase to the level đ?‘’ > đ?‘’ such that ′

′ đ?‘?1đ?‘“ = đ?‘?1đ?‘? (6) đ?‘’′

which might take place if a lower bitcoin price for good 1 would induce consumers to exchange units of fiat currency with bitcoins, in so doing putting pressure on the exchange rate to increase by the same percentage. However, if this is true and (6) takes place then đ?‘?2đ?‘“ < đ?‘’′đ?‘?2đ?‘? (7) and by a similar argument consumers of good 2 would find it convenient to buy it using fiat currency rather than in bitcoin. If, also in this case, its bitcoin price should not increase than, at ′ the new exchange rate đ?‘’′ there would have to be an increase in the price đ?‘?2đ?‘“ > đ?‘?2đ?‘“ to re′ establish equality đ?‘?2đ?‘“ = đ?‘’′đ?‘?2đ?‘? at the new exchange rate đ?‘’′ Hence prices in bitcoin would not increase since adjustments in the two price equations will be obtained through variations of the price in fiat currency and of the exchange rate. However if in (6) the argument supporting an increase in exchange rate is that consumers will shift from buying in fiat currency to buying in bitcoins, then a similar reasoning could hold when (7) is the case. Indeed, consumers of good 2 holding bitcoins would find more convenient now to pay in fiat currency and in so doing increase its demand. As a consequence, after a first increase to đ?‘’′ the exchange rate could start decreasing, which in turn may imply further adjustment in the exchange rate itself to re-establish the price equation for commodity 1. This, in turn, may affect again equation (6) and so on. That is, the initial increase in the price of one good could trigger subsequent changes in fiat currency prices and in the exchange rate, whose final outcome might depend on a number of elements. All this is under the assumption that bitcoin prices should not increase, remain stable or possibly decrease. Scarsity of bitcoins may play a role in the argument, by making it more plausible that upon the increase of good 1 price, an increased demand for bitcoin would tend to raise the exchange rate without asking for bitcoin prices to raise. Therefore, the exchange rate would act as a barrier, isolating the bitcoin economy from the fiat, inflationary, economy. Price inflation in the fiat currency economy would inflate the exchange rate only, but not the goods prices in bitcoin.

15

If cryptocurrencies represent the first stage BL1, smart contracts represent BL2, the first stage of alternative applications. In the next Chapter we introduce them as well briefly touch upon BL3 applications, such as those in the public sector.

4 Smart Contracts and beyond

The idea of smart contract (SC) was originally introduced by Szabo, a legal and computer science expert, since the early 1990. Over the years he re-elaborated the notion and in 1996 gave the following definition (Szabo, 1996) “The basic idea of smart contracts is that many kinds of contractual clauses (such as liens, bonding, delineation of property rights, etc.) can be embedded in the hardware and software we deal with, in such a way as to make breach of contract expensive (if desired, sometimes prohibitively so) for the breacher. A canonical real-life example, which we might consider to be the primitive ancestor of smart contracts, is the humble vending machine. Within a limited amount of potential loss (the amount in the till should be less than the cost of breaching the mechanism), the machine takes in coins, and via a simple mechanism, which makes a beginner's level problem in design with finite automata, dispense change and product fairly. Smart contracts go beyond the vending machine in proposing to embed contracts in all sorts of property that is valuable and controlled by digital means. Smart contracts reference that property in a dynamic, proactively enforced form, and provide much better observation and verification where proactive measures must fall short. And where the vending machine, like electronic mail, implements an asynchronous protocol between the vending company and the customer, some smart contracts entail multiple synchronous steps between two or more parties.” From an economic perspective, SC could be interpreted as an almost perfect form of committment, by the relevant parties, and so as a modality to render a contract virtually renegotiation-proof. Conditional clauses can be part of the SC protocol, but being part of it from the very beginning they can not be considered as ex-post arbitrary, possibly opportunistic, attempt at renegotiating contract conditions by some of the parties. The above quotation suggests that a vast array of contractual agreements might be digitalised in the spirit of the “humble” vending machine, albeit not all contracts could be made smart. To gain insights on which SC could be more common, in a recent empirical survey BartolettiPompianu (2017) scrutinised six main platforms, the main two being Bitcoin and Ethereum, to look at the number of smart contracts hosted in them. Based on the contracts content they also categorised them as the following six types: financial, notary, game, wallet, library, and unclassified. Not suprisingly, of the 834 contracts considered a main part, almost 380, were classified as financial (Capgemini, 2015). Indeed, financial transactions can be very good candidates for a digitalised version of the contract, because its fundamental elements, such as 16

a sum of money, time dates, prices and similar, are all numerical and most of them part of the information already included in the chain, rather than taken from outside. Yet, smart contracts are not immune from attacks, and Atzei et al (2016) provide an analysis on those on Ethereum. The recent spate of interest on BL, and information storage through distributed ledgers by the public sector for personal and companies’ identity records, land property registration, intellectual property rights attestation etc. , suggests that governments start believing that some of their administrative functions could perhaps be performed more efficiently using BL and distributed ledgers (Swann, 2015; Tapscott-Tapscott, 2016) On this line, Walport (2015) provides the following public policy recommandation to navigate through such innovative information keeping system “A digitally-informed leadership An empowered focused government department for all national digital transformation, which is internationally minded and collaborates closely with all industry sectors A living, collaborative national plan, which is industry-led with government investment Technologically aware, qualified and experienced senior political officials in every government organisation Engineers and digital business leaders as politicians” Moreover, still according to Wolport (2015) governments could enjoy the following advantages “Reduced cost of operations, including reducing fraud and error in payments Greater transparency of transactions between government agencies and citizens Greater financial inclusion of people currently on the fringes of the financial system Reduced costs of protecting citizens’ data while creating the possibility to share data between different entities, allowing for the creation of information marketplaces Protection of critical infrastructure such as bridges, tunnels etc Reduced market friction, making it easier for small and medium-sized enterprises (SMEs) to interact with local and national authorities Promotion of innovation and economic growth possibilities for SMEs” An area where SC and governmental interests can naturally meet is procurement, which being responsible for about 18% of the EU GDP, and of similar percentages in other geographical areas, could be a sector where major advantages could emerge in terms of savings of transaction costs, auditing costs etc. In the next chapter we envisage how this could take place. 4.1 Smart Contracts and procurement Digitalisation of contracts on a BL could be relevant for both the private and the public sector. If, according to the above recommendations by Wolport, prior to taking important inititiaves the public sector should possibly endow itself with an overall strategy and required competence. Similar considerations would also hold for the private sector, though possibly on a different scale (Satyavolu-Sangamnerkar, 2016). 17

To build up an understanding on how a SC could work in public procurement, consider the following simple example. Suppose a contracting authority (CA) wants to set up a framework agreement (FA) with a supplier, to buy lap tops with some specified technical characteristics, during the next two years years. The agreement asks the supplier to provide any quantity of lap tops required by CA over the two years. Since quality is specified in the call, the contract is awarded to the lowest unit price which emerges in a competitive, sealed bid, auction. A SC associated to this agreement could be the following. Once participants are selected, software could be written to implement the following stages of the whole procedure: i) set up an e-platform where bidders can submit their price offers ii) based on the offers the software identifies the winner iii) authorised officials of CA will insert in the system the number of requested lap tops as soon as such needs emerge iv) the software will automatically produce an order to the supplier as long as at least đ?‘Ľ lap tops are demanded by CA. If đ?‘Ľ = 1 it means that orders will be made any time demand for a single lap top is inserted v) the order specifies when and where to deliver the lap tops for a check and a test on the technical components. The check could be made by a third party whom both, CA and the suppliers trust vi) the third party enters in BL the outcome of the check which, if positive, automatically sends the oder of delivering to CA the lap tops. vii) once the lap tops reach CA the software will aumatically send an order to the bank for payment of the lap tops viii) If contracts terms are breached, for example delayed lap tops delivery to CA, or lower than requested quality supplied, the software automatically will implement a penalty by drawing money from an escrow deposited at the very beginning by the supplier. All the above steps, and perhaps others which we did not consider, could be introduced on a BL digital platform, and coded as software. They will be executed automatically, possibly except for (v). The various phases of the procurement would appear on the BL, whose records are shared by CA and the supplier. Therefore, they would all be transparent and traceable. The advantages of such simple SC is that, whenever the software is set up, and the requested inputs are inserted (number of lap tops requested and quality check) the procurement phases automatically proceeds without additional input. How costly the parties decide to make a stop and correction of such procedure, would embody the degree of commitment they are prepared to have in the contract, as initially designed. The higher the costs the higher the committment. Though it may be true that producing such software and SC could be costly, once in place relevant transaction costs would be meanigfully reduced, likewise timing will be exactly managed directly by the system. 18

The software cost would increase with the complexity of the project, since a higher number of clauses and phases will have to be included, and it is also possible that not all the contract phases could be made smart. Yet, the above gains on those contract components where automatization is possible could still more than compensate for such costs. Another public procurement procedure that could accomdate SC is the Dynamic Purchasing System (DPS). As well as FA, DPS are used for repeated procurement of standardised goods, performed on an electronic platfom. The qualification criteria of the suppliers interested in entering DPS can be coded, as well as the procedures underlying demand of goods and services by the contracting authority. Quality checking and testing, delivery and payment could be structured as in the abive FA example. Finally, coding of procurement SC could refer to EDIFACT, (Electronic Data Interchange For Administration, Commerce and Transport), a set of rules and a protocol, set up by the Economic Commmssion of the US to exchange business messages and data. An area where a smart version of a contract may be difficult to set is procurement of innovative solutions. Indeed, in this case testing and evaluating the suitability and goodness of a completely new device could pose a too big a challenge to an automatised contract.

5 Conclusions

In the paper we provided a quick overview of some main conceptual issues and applications of the blockchain technology. Though BL was originally introduced to implement the diffusion of cryptocurrencies, it soon became clear that its adoption might be extended to many other functions, from contracts implementation to physical and intellectual property registration, personal and commercial identities, value attestation, etc. This is because information on a BL is virtually unforgeable, and this is what makes it particularly suitable for information validation and storage. The fundamental element of BL is cryptography, in particular the hash functions which provide a unique fingerprint to any block of recorded information.

19

References Akkoyunlu E., Ekanadham K., Huber R., Some constraints and tradeoffs in the design of network communications. SOSP ’75: Proceedings of the fifth ACM symposium on Operating systems principles, pag 67–74, NY, USA, (1975) Antonopoulos A., Mastering Bitcoin (2nd Ed), O’Reilly, (2017) Athey S., Parashkevov I., Sarukkai V., Xia J., Bitcoin Pricing, Adoption, and Usage: Theory and Evidence, Stanford Business School Working Papers, n° 3469, (2016) Atzei N., Bartoletti M., Cimoli T., A Survey of Attacks on Ethereum Smart Contracts, 6th International Conference on Principles of Security and Trust (POST), (2017) Bartoletti M., Pompianu L., An Empirical Analysis of Smart Contracts: Platforms, Applications and Design Patterns, 1st Workshop on Trusted Smart Contracts (WTSC17), (2017). Böhme R, Christin N., Edelman B., Moore T., Bitcoin: Economics, Technology, andGovernance, Journal of Economic Perspectives, 29, 213-238, (2015) Bonneau J., Miller A., Clark J., Narayanan A., Kroll J., Felten W., SoK: Research Perspectives and Challenges for Bitcoin and Cryptocurrencies, IEEE Symposium on Security and Privacy, (2015) Catalini C., Gans J., Some Simple Economics of the Blockchain, MIT SLoan School of Management, Working Paper 5191 (2016) Capgemini, Smart Contracts in Financial Services: Getting from Hype to Reality, Capgemini Consulting (2016) Chiu J., Koeppl T., The Economics of Cryptocurrencies. Bitcoin and Beyond, Queen’s University Working Paper, Canada (2017) Deloitte, Blockchain: Enigma, Paradox Opportunity, Deloitte Limited, (2016) Dimitri N., Bitcoin Mining as a Contest, Ledger, 2, 31-37. Dolev D., The Byzantine Generals Strike Again, Journal of Algorithms, 3, 14-30 (1982) European Central Bank, Virtual Currencies Schemes, Eurosystem (2012) European Central Bank, Virtual Currencies Schemes; a Further Analysis, Eurosystem (2015) Evans D., Economic Aspects of Bitcoin and other Decentralized Public-Ledger Currency Platforms, Coase-Sandor Institute for Law and Economics Working Paper 685, (2014) Extance A., Bitcoin and Beyond, Nature, 526, 21-23 (2015) Eyal I., Emin G., Majority is Not Enough: Bitcoin Mining is Vulnerable, in Financial Criptography and Data Security, Springer, (2014) Garratt R., Wallace N., Bitcoin 1, Bitcoin 2, ... : An experiment in privately issued outside monies”, Working Paper, Department of Economics University of Santa Barbara (20916) 20

Gray J., Notes on Database Operating Systems, IBM Reserach Laboratory, San Josè, US, (1978) Halaburda H., Sarvary M., Beyond Bitcoin, Palgrave Mc Millan, (2016) Hayek F., Denationalisation of Money; The Argument Refined, Third Ed, Institute of Economic Affairs, (1990). Hileman G., Rauchs M., Global Cryptocurrency Benchamarking Study, Cambridge Center for Alternative Finance, Judge Business School, University of Cambridge UK, (2917) Holden J., The Mathematics of Secrets, Princeton University Press, (2017) Houy N., The Bitcoin mining game, Ledger, 1, 53-68, (2016) Huberman G., Leshno J., Moallemi J., Monopoly without a Monopolist: An Economic Analysis of the Bitcoin Payment System, Working Paper Columbia Business School, (2017) Kai K., Strategy and Dynamics in Contests, Oxford University Press, (2009) Kocherlakota N., Money is Memory, Journal of Economic Theory, 81, 232-251, (1998) Kroll J., Davey I., Felten E., The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries, The Twelfth Workshop on the Economics of Information Security WEISS 2013, (2013) Ijiri Y, Triple-entry bookkeeping and income momentum, Studies in Accounting Research, 18, American Accounting Association, Sarasota, (1982) Lomport L., Schostak R., Pease M., The Byzantine Generals Problem, ACM Transaction on Programming Languages and Systems, 4, 382-401 (1982) Nakamoto S., Bitcoin: A Peer-to-Peer Electronic Cash Sytem, White Paper, (2008) Narayanan A., Bonneau J., Felten E., Miller A., Goldfeder S., Bitcoin and Cryptocurrency Technologies, Princeton University Press, (2016) Nomura Research Institute, Survey on Blockchain Technologies and Related Services, March (2016) Pease M., Shostak R., Lomport L., Reaching Agreement in the Presence of Faults, Journal of the Association for Computing Machinery, 27, 228-239, (1980)Journal of the AssoctaUon for Compmmg Ma Popper N., Digital Gold, Penguin, (2015) Satyavolu P, Sangamnerkar A., Blockchain’s Smat Contracts: Driving the Next Wave of Innovation Across Manufesturing Value Chains, Cognizant, (2016) Szabo N., Smart Contracts: Building Blocks for Digital Markets, www.fon.hum.uva.nl (1996) Szabo N., Formalizing and Securing Relationships on Public Networks, First Monday, 2, September (1997) Swan M., Blockchain, O’Reilly (2015) Tapscott D.,- Tapscott A., Blockchain Revolution, Portfolio Penguin, (2016) 21

Tschorsch F., Scheuermann B., Bitcoin and Beyond: A Technical Survey on Decentralized Currencies, ePrint Survey,(2016) Turek J., Shasha D., The Many Faces of Consensus in Distributed Systems, IEEE Computer, 25, 8–17 (1992) Vigna P., Casey M., Cryptocurrency, Bodley Head, (2015) Vojonovic M., Contest Theory, Cambridge University Press, (2015) Walport M., Distributed Ledger Technology: Beyond Blockchain, HM Government Office of Science, (2015)

22