Bitcoin as a Protocol by Patrick Mannion

BitCoin as a Protocol Junghwa Cha, Patrick Mannion May 9, 2013

Introduction

The widespread adoption of the BitCoin digital currency system promises to revolutionize the way in which view banks, money, and digital transactions. The system is well built on algorithmic security, and has already been emulated by services in use such as Namecoin, as well as still-conceptual projects including CommitCoin and NooShare. BitCoins potential to be abstracted into a protocol that can be applied to other problems across sectors as broad as proof of invention, network dedication, high-end car sales, and online education certification.

Overview of BitCoin

Digital currency provides several distinct advantages over traditional currency issued by a central government authority. Both are fiat currency, meaning that their value is not tied to any particular asset. As a result, the manner in which the currency is issued must be the guarantee of its worth. In the case of traditional currency, this guarantee of worth is made by the government that issues the unit of currency. The insurance against reproduction comes from the difficulty of, and enforcement against, physical reproduction. In the case of digital currency, the guarantee of worth comes from the algorithmic construction of the money origination and exchange methods. The insurance against reproduction comes from cryptographic security measures and a public ledger of transactions. Digital currency, and BitCoin specifically, carries with it several distinct advantages. [5] Cost: With BitCoin, transaction costs are entirely optional. When provided (cite later section explaining transaction costs) they may be just a tiny fraction of the rates charged by banks, services like PayPal, and credit card merchants. There is no cost to holding BitCoins.[5]

2 Privacy: BitCoin brings to digital monetary transactions the same anonymity carried by cash transactions - only the two parties exchanging the funds need know one anothers identity.[5] Decentralization: BitCoin has no central authority - it is governed only by its implementation code, which is open source, and its network of users, which is large enough that attaining a single controlling interest would be extraordinarily difficult. Thus transactions do not require the approval of any corporate or state body that might restrict the flow of funds to or from a specific address.[5] Trust: Government-issued fiat currencys value is subject to the trust that the government will not print too much or too little currency and cause inflation or deflation in the currency market. With BitCoin the rules of money creation are clear-cut, and while variation in value exists, the existence of value does not rely on trust in any single authority.[5] In BitCoin, the unit of currency is called a coin, values of which are represented by symbol BTC. A coin consists of the proof that a transaction occurred in the past giving the current owner possession of the coin. This proof comes in the form of a string of text of fixed length produced by the last transaction through a SHA-256 hash function. Definition 1.1 (Hash Function): A hash function H is one that takes any text input T, and returns a string of text of fixed length T . T is unique to T within the range of hash function H, and no computationally feasible operation can be performed to derive T with the knowledge of both H and T .

Figure 1: The series of BitCoin transactions using the signature and hash mechanisms. (Nakamoto, 2008) Making a transaction with BitCoin: Starting with the hashed output of the last CS186

Junghwa Cha, Patrick Mannion

transaction, t, by which Bob obtained 1 BTC, suppose that Bob wants to make a transfer of that coin, c, to sally. 1. Bob first hashes t with Sallys public key. He then encrypts that hash with his private key, which is referred to as the process of signing. 2. Sally verifies that Bob was indeed the user making the transfer by verifying that the signed hash can be decrypted by his public key. 3. Sally then checks the public ledger to find the transaction record of c being transferred from some other user to Bob, and uses Bobs own public key to hash that transaction and ensure that the current proposed transaction matches up. 4. Sally also checks the public ledger to ensure that c has not yet been spent elsewhere by Bob. 5. The new transaction is then broadcast to all of Sally and Bobs neighbors in the BitCoin network, who broadcast it in turn until the entire network has knowledge of the transaction. 6. The transaction is put into the public ledger. Steps 3, 4, and 6 require Bob and Sally to rely on the public ledger as a reliable record of all transactions that have occurred through the present. This public ledger exists as a linear chain of blocks. Definition 1.2 (Block): A block b is a record that comprises a piece of the public ledger. The record contains, among other data, a history of all transactions that occurred between the time when the previous block was published, and the time at which b was published to the ledger. Blocks are published by miners who complete a hashing problem that is computationally intense to solve, but simple to check. Definition 1.3 (Blockchain): The public ledger of BitCoin, consisting of the longest linear chain of blocks. For a block to be published, it must be accepted by the community as valid. A valid block is computed and attached to the Blockchain in the following fashion: 1. A set of values V is defined that must be hashed together so that the output of the hash, V falls below a threshold t that is set by the system. V includes the set of recent transactions, along with other identifiers. If the block results in a hash below threshold t in doing so, it is said to be valid. 2. When a user M seeks to find a new block, he is referred to as a miner. When M computes a hash with output below threshold t, he announces his solution to his neighbors in the network. Each verifies that the solution results in a valid block and continues to pass it along to the entire network. 3. M receives a reward consisting of a quantity of BTC determined by the system (25 BTC as of May 2013) in addition to the sum of all optional transaction fees provided by users in the time since the last block. CS186

Junghwa Cha, Patrick Mannion

The set of values V, among other things, includes: Transactions: All of the transactions that have occurred since the last block was published Previous block hash: A pointer to the last block to make the of the public ledger continuous Nonce: Any value within the space defined by the system, chosen by the user; manipulating this value over iterations of the hash function is how miners operate Time stamp: A record of the time at which the block is computed Miners Public key: Ensures that if an acceptable solution is found, it is unique to the miner who finds it; also allows the system can allocate the reward to the miner who finds the solution. Note also that the system can self-regulate its difficulty by

Figure 2: A visual representation of the blockchain. (Nakamoto, 2008) changing the level of the threshold t, which results in increased or decreased time between blocks. This threshold has fallen over time as the computational power in the network of miners has increased. The goal time between blocks is ten minutes short enough that users do not need to wait long for their transaction to be verified in the public record, but long enough that there are few cases where multiple users all find acceptable blocks within close enough time that the network disagrees as to which is the official blockchain. Such cases are called block races, and are resolved by the blockchain proceeding along all of the split paths, until one path becomes longer than all others, and thus becomes by definition the officially accepted blockchain. The success of the expanding BitCoin market is a testament to the above implementations rigor. We will turn our attention next to how this rigorous model might be expanded to solve other problems aside from that of implementing a digital currency.

BitCoin as a Protocol

BitCoin brings with it many benefits surrounding issues of cost, privacy, decentralization, and trust, and the overview above is but a subset of the features and structures

CS186

Junghwa Cha, Patrick Mannion

within the implementation. If we seek to solve other problems through the extension of a so-called BitCoin protocol, however, we must hone in on which elements of BitCoin are most central to its success and most easily reproducible. These key elements are: 1. The Decentralized Public Ledger. The most impactful and innovative element of the BitCoin protocol is the notion that public storage of information can replace the centralized authority of a corporation or state. 2. Exchange Verification through Signed Hashes. The BitCoin protocol gives us a method for the reliable exchange of any text string, along with the proof of ownership contained in the Decentralized Public Ledger. Turning to the classes of problems that we might be able to solve with this BitCoin protocol, let us step back and look at the challenges within the digital currency space that were solved by BitCoin. [5] Money printing. The digital currency that we trade must be originated in some fashion. [5] Double-spending. Users must be prevented from manipulating transactions in the absence of the centralized regulatory authority. [5] Trust in value. Users must believe that the system will provide a strong enough guarantee of value (eg. prevent from being stolen by others) in the absence of a centralized authority.[5] Stepping away from the specifics of digital currencys specific issues, we can establish three classes of problems that are solved by the BitCoin protocol: 1. Problems of origination. The protocol allows for origination of digital fiat assets through the reward system within the block publishing mechanism of the Decentralized Public Ledger. 2. Problems of exchange and ownership. The protocol allows for exchanges of assets to be made securely with verification by the Signed Hash mechanism. It allows for ownership to be verified through the Decentralized Public Ledgers record of past transactions. 3. Problems of trust. The protocol establishes a trustworthy system for digital asset exchange based in its algorithmic structure. Additional issues of trust arise when we step outside this conventional space, however. If services, physical goods, or contracts are being exchanged, we find more complex trust problems surrounding digital verification of delivery. Within these classes of problems, specific cases exist that are better or more poorly suited to be solved by the BitCoin protocol. Solving problems of Origination. Origination of fiat currency is critical to the liquidity and stability of the BitCoin digital currency system in taking it from incep-

CS186

Junghwa Cha, Patrick Mannion

tion and to mass market adoption. In many other potential BitCoin protocol systems, however, the goods and services being traded are unique and separately originated, unlike the divisible and recombinable fiat units of BTC. In those cases, arbitrary digital origination is not a necessary feature of the system. This is one criticism that has been raised by the BitCoin Foundation about Namecoin [3], the decentralized DNS system that also incorporates its own currency, which is used to purchase domain names. Rather than establish their own currencies and give rewards for the creation of blocks, new systems operating based upon the BitCoin protocol can simply allow for transaction fees in BTC to provide the miners reward. Thus in most cases the problem of Origination is not relevant for repurposing the BitCoin Protocol. Solving problems of Exchange and Ownership. Exchange and Ownership may be the broadest class of problems to which the BitCoin protocol is most applicable. To exchange another asset class within the BitCoin protocol, all that is needed is a unique text identifier of the asset itself, which is then incorporated into the 0th transaction hash, allowing the route and ownership of the asset to be traced. For example, the unique identifier could be the serial number associated with a vehicle on a BitCoin protocol-based car exchange, or the identifier of a specific CPU in a cluster where time is allocated by a similar exchange in parallel with a trade of BTC. This assumes for the time being that the exchange of the asset can be verified before the transaction is considered complete. This may be difficult in the cases of services or physical assets, but that will fall under the class of Trust problems to be addressed separately. Problems of Ownership are inherent to problems of exchange, as traders must be certain that the seller of an asset does indeed possess, but there are also problems of Ownership that are entirely separate from the problems of Exchange. In these cases, there may be a need to make a one-time proof of ownership that will never be transferred beyond its originator or the first trade. One example comes from the field of patent law, where proof of invention is critical to show that an idea was conceived by a certain individual at a set point in time. The issue is not only that proof must be recorded reliably by a third party - it must be recorded secretly, as to reveal the details of an invention or device that could be reproduced before the patent is processed. This problem has been solved in the past by a publishing hashed text of the proof of invention in dated major newspapers that are easy to check as a sort of public record [4]. Hashing the text into a Decentralized Public Ledger, as CommitCoin proposes to do, provides a valid alternative that could disintermediate this service. Solving Problems of Trust. Issues of trust arise when applying the BitCoin protocol in any case when the exchange of an asset is not directly digitally verifiable within the original protocols system, i.e. when the exchange is of anything but a specific string of text. When services or physical goods are being exchanged, for example, some verification is required before the transaction can be completed. This may come in the form of an anonymous human mediator being asked whether the transaction has occurred (in cases where this is feasible), who has no financial incentive and knows CS186

Junghwa Cha, Patrick Mannion

the identities of neither seller nor buyer. Software can also provide helpful here - in the exchange of a car, for example, an online database could be referenced to see if the deed had formally changed registration owner before processing the funds. All of these extensions of the BitCoin protocol are practical for immediate development because the software is entirely open-source. As long as the extensions operate in similar fashion, we will be able to proceed and iteratively experiment with this powerful protocol that has the potential to change the way we do business and interact with one another digitally. Now we will turn to several examples of the application of BitCoin protocol in development already today. Nooshare solves a problem of exchange by dedicating the computational power of CPUs within the Nooshare network to a schedule of meaningful problems. Other examples may exist at the nexus of two of classes of categories, however. CommitCoin, a system for proof of invention, simultaneously solves the problem of ownership as well as the problem of trust, in cases when the time of invention needs to be guaranteed by a public source.

Applications of the Bitcoin Protocol

4.1

Resource Exchange and NooShare

Although personal computers have become extremely powerful, they are often inadequate in meeting the computational power demanded by some of todayâ&#x20AC;&#x2122;s simulations. More specifically, Monte Carlo simulations, which involve considering a very large number of samples, often need computing resources far beyond a single computer. As it becomes more common for private individuals with limited resources to seek greater computing power, projects like CPUShare have begun experimenting with the idea of a network of computers sharing computational resources with one another. The high-level concept of such an operation is that a user is able to sell idle CPU cycles to unknown customers who can utilize your CPU cycles to satisfy their computing needs. Clearly, issues of security, privacy, reliability, as well as interference with overall computer performance are just some of the issues facing this project, but the idea of both selling and buying computing power is attractive for many users. 4.1.1

NooShare Protocol

NooShare is a BitCoin-based cryptocurrency that accomplishes exactly that. NooShare introduces a resource-sharing component to the mining aspect of BitCoin, and utilizes the public block-chain to provide an incentive for users to contribute computational power. The basic NooShare protocol operates as follows: [2]

CS186

Junghwa Cha, Patrick Mannion

4.1 Resource Exchange and NooShare

1. Scheduling Transaction: A user announces a desired resource-heavy computation A and a corresponding value function R such that R(A(s)) is the usefulness of the computation with parameter s in relation to the Monte Carlo problem that A is trying to solve. The user also creates a NooShare-destroying transaction, which is then included in block n. The author of NooShare specifies that the scheduling transaction involve at least 65 NooShares. 2. Block Scheduling: Suppose that Fm represents the first block available for scheduling after block m. Then computation A will be scheduled for block number Fn+24+2e , where e is a random geometrically distributed variable with mean 12. 3. Changing the Hash: When the block number scheduled for the computation A is reached, the hash function used in data mining will be altered from the original BitCoin hash function H to an updated function HA (s), which takes A into account in hashing. 4. Block Computation: The block will be created and added to the public ledger as before, but miners will also keep track of the values of s for which they achieved ˆ ˆ = A(H(s)). When the block is generated, the highest valuations R(A(s)), where A(s) each miner is asked to submit his best performance,(A(s), R(A(s))). The best report out of all submissions is attached to the newly created block. 5. Reward: Not only will the block creator be rewarded, but the miners with the best report will also be rewarded, with the first miner achieving the best report having an increased reward. The author specifies a block reward of 50, a best report award of 5, and a best report first achievement bonus of 5 NooShares. The author does not specify what is the new hash function HA that he believes should be used given a useful computation A. It is clear, however, that HA must require computation of A, and must be robust against “maliciously crafted” computations of A. The randomized variable e in the scheduling step serves the same purpose, since a lasting attack on the NooShare community would require control over the hashing function across a continuous range of blocks. ˆ instead of R(A) is reasonable The decision to keep track of the best values of R(A) from the perspective of Monte Carlo simulations. The choice of s may not be sufficiently randomized, but a property of hash functions, such as H, is that its output is unpredictable, or random for all intents and purposes. This makes a preliminary pass into H before passing the randomized result into A attractive, since Monte Carlo simulations involve random sampling. The best report reward functions as an auction, where each agent, or miner in this case, doesn’t pay anything beyond the cost of computation and receives a reward if and only if his report is best. This is a truthful auction, where the optimal strategy of each miner is to report his best achieved value. While the choices of rewards are relatively arbitrary, there are considerations to be made in terms of the relative scaling of the rewards. For one thing, the block reward

CS186

Junghwa Cha, Patrick Mannion

4.1 Resource Exchange and NooShare

must be significantly greater than the best report reward. This is because the updated hash function HA requires A and is therefore more expensive to compute than just A. If the above relation between the rewards doesn’t hold, miners will focus only on finding the best report of A, and the incentive for block generation will not be sufficient to continue the block chain at a reasonable pace. In addition, the possible total reward achievable by a single agent must be less than the price of the scheduling transaction. If this were not the case, one could imagine an attack by an agent with a computation A who has hidden knowledge allowing him to compute A or HA much faster than anyone else. This will grant him an effective computing power of 51% of the network at a fraction of the cost, perhaps even to the point where such a computing power is feasible. In that case, the agent will be able to beat out the other miners and collect the reward for positive net gain. The NooShare protocol takes advantage of the fact that a fundamental aspect of BitCoin is the system of miners all contributing their resources into solving a single problem. The idea that the problem could be a hash function that changes from block to block instead of being a predetermined encryption algorithm (like ECDSA, which BitCoin currently uses) allows for crowd computing possibilities. Agents can, at a price, change the hash function being solved to one based on a meaningful problem relevant to the agent. This allows for the problem of computational resource exchange to be solved using a slight deviation from the standard BitCoin protocol. 4.1.2

Discussion

While NooShare solves the problem of resource exchange in an inventive way, the author of the paper leaves out several important points, 2 of which will be discussed here. First, there is the omission of the updated hash function HA given the computation A. The author suggests a possibility for HA as follows: ˆ ˆ HA1 (S) = H(H(S) + A(S)), A(S) = A(H(S)). The function H is the original encryption H used by the BitCoin protocol, and + is string concatenation rather than real addition. This function for HA is dismissed on that grounds that it is not secure and does not yield interesting results in the block chain. But in the context of updated hash functions, it is not clear why this particular hash function is any less secure or interesting than other choices. The output is sufficiently randomized, and computation of HA requires a preliminary ˆ which are the desired values from the perspective of the agent computation of A, scheduling problem A. Second, the author’s claims that a unit of NooShare currency has intrinsic value unlike BitCoins must be examined. BitCoins gain value in the physical world when they are used in online transactions involving real goods or services. NooShare, on the other hand, seems to have computational resource exchange as its primary function. CS186

Junghwa Cha, Patrick Mannion

4.2 Ownership, Trust, and CommitCoin

This would suggest that the main participants of the NooShare network would be individuals who need the additional resources. As NooShare is formulated in the current paper, the incentive for non-researchers to join the NooShare network is not immediately obvious. Itâ&#x20AC;&#x2122;s possible that NooShare can be used as a digital currency with real value just like BitCoin, but realistically this seems unlikely. It would likely be beneficial if NooShare was adapted to use the existing BitCoin infrastructure in place rather than creating a brand new currency.

4.2

Ownership, Trust, and CommitCoin

The problem of ownership arises as a subset of the broader class of commitment schemes. A commitment scheme is a method of committing to a chosen value without revealing the value to others. At some later point, the publicly available commitment can be verified against the chosen value, ensuring that the original chosen value is not changed in the mean time. A commitment scheme naturally requires a minimum of two functions, a commitment function that takes a message (or value) as input and outputs a commitment, and a verify function that takes a message and a commitment and returns true if and only if the message is consistent with the commitment. The commitment function must satisfy at least two properties, which are 1) it is hiding, in that given an output it is difficult to find the message that resulted in that particular commitment, and 2) it is binding, in that given an output consistent with a message m it is difficult to find a distinct message m0 with the same output. In some cases, however, it is not sufficient to guarantee only that the chosen value has not been changed. For an example, a proof of first invention requires not only that the message is consistent with the commitment but that the recorded time of the commitment is guaranteed. In addition, the time of verification may not be specified when the message is committed. This implies that an unknown amount of time may pass between the commitment and verification steps. This raises the issue of trust, since settling a dispute regarding the temporal sequence of separate invention claims necessitates an objective guarantee. Methods used today to prove first invention generally involve a central agency, such as the (widely discredited) folkloric method of mailing a description of the invention to oneself, relying on the post office for a time stamp. Such methods are often unreliable, but even in the case when they work, can be costly for an individual. This lays the background for CommitCoin, a timestamping protocol developed by Jeremy Clark and Aleksander Essex that utilizes the BitCoin infrastructure already in place. 4.2.1

CommitCoin Protocol

For ease of reference we call the message source Alice and the verifier Bob. The CommitCoin protocol is as follows: [1]

CS186

Junghwa Cha, Patrick Mannion

4.2 Ownership, Trust, and CommitCoin

Input: Alice has a message m at time T0 and a BitCoin account < s, p >, where s is her secret key and p is her public key. We assume this account has at least 2 BitCoins. Output: At some time T1 , Bob is able to verify that Alice committed message m at time T0 . Protocol steps: 1. Pre-instantiation: At time T0 , Alice creates a commitment c = C(m) according to a commitment function C. Alice also creates a temporary BitCoin account with secret key s0 = c and public key p0 corresponding to s0 . 2. Instantiation: At time T0 , Alice transfers 2 BitCoins to < s0 , p0 >. Alice then transfers 1 BitCoin from < s0 , p0 > back to < s, p > in transaction τ1 and signs the transfer with randomness parameter ρ. 3. Tag & Open: At time T0 + ∆t, once the two instantiating transactions have been placed on the public ledger, Alice transfers the second BitCoin from < s0 , p0 > back to < s, p > in transaction τ2 , and signs the transfer with the same randomness parameter ρ. 4. Extraction: At time T1 , Bob uses transactions τ1 and τ2 recorded on the public ledger to find the secret key s0 , which is equal to c. The message m can then be verified against c. Several aspects of the CommitCoin protocol deserve further discussion. First, the primary purpose of the protocol is to store enough information on the public ledger so that c can be retrieved by Bob at time T1 . The process can be greatly simplified if c were used as the public key of the temporary BitCoin account. This would imply that the transaction stored in the public ledger is simply (p0 → c, 2), representing a transfer of 2 BitCoins from account p0 to account c. However, this is deemed undesirable since this places the 2 BitCoins unredeemable, since the secret key of this temporary account is unknown. This permanently places these BitCoins out of circulation, which is a result that is undesirable for both Alice and the larger BitCoin community. With the current formulation of the protocol, there is no direct long-term cost to Alice beyond the (currently optional) transaction fees. Alice also needs to announce c in a way that reliably makes it available to any member of the BitCoin community. The extraction step relies on the particular encryption algorithm used by BitCoin, the Elliptical Curve Digital Signature Algorithm. Given a secret key s, randomness parameter ρ, a reference point G, and a transaction hash z, the signature (R, S) given by ECDSA is R =ρ ∗ G S =ρ−1 (z + s ∗ R)

mod p

Normally, ρ is randomized across signatures to prevent public knowledge of the secret key. But two different transactions z and z 0 with the same randomness parameter ρ CS186

Junghwa Cha, Patrick Mannion

4.3 Universal Badge System

will have signatures (R, S) and (R, S 0 ). Notice that the first parts of each signature will be equal. Using S and S 0 , the secret key s can be computed in the following way: ρ ∗ S − ρ ∗ S 0 = (z + s ∗ R) − (z 0 + s ∗ R0 ) = z − z 0 → ρ = (z − z 0 )(S − S 0 )−1 . Once ρ is known, the equation for S can be solved to obtain s. This shows that c can be properly “leaked” to allow anyone to verify the commitment. This is one example of a protocol that utilizes the BitCoin framework already in place to guarantee time of commitment. This accomplishes public knowledge of both the commitment and the time-stamp at a minimal cost to the source Alice, and thus is a preferred protocol over a procedure involving a central agency. 4.2.2

Discussion

Unlike NooShare, CommitCoin builds upon the existing infrastructure of the BitCoin network and eliminates the need for a separate currency. As suggested in the discussion section of NooShare, this is a very effective method of eliminating participation incentive concerns from consideration in implementing an application of the BitCoin protocol. CommitCoin provides a very promising method of securely storing a value (in this case, a commitment) in the public ledger of BitCoin such that both the content and the time stamp of the commitment are preserved in public knowledge.

4.3

Universal Badge System

The concept of privately- and publicly-issued certificates is not new, as is apparent from degrees, diplomas, licenses, and the like. However, there has been a recent trend for universal badges that are not as cost or time intensive as diplomas, and simply serve to provide a guarantee as to the skill or experience of the badge holder. Badges can be issued by anyone, although certain sources will be considered more trustworthy than others. Considering this, a loose application of the BitCoin protocol to a universal badge network consisting of issuers, badge holders, and verifiers can be considered. For an example, a student S learning from Khan’s Academy might receive a badge B, after which S can take B to a third institution, H, and receive credit for his work in Khan’s Academy. Each student’s “wallet” would contain the badges that he has received through transactions withi the network. The need for an encryption algorithm such as ECDSA is immediately apparent as we need H to be able to verify that B is indeed issued from Khan’s Academy and not by S himself. A public ledger would also contain a record of all badges that had been issued by all issuers within the network, and would eliminate the possibility of double-spending (two students holding the same badge) or illicit creation of badges. The primary difference between a badge system and the BitCoin protocol is that badges are not transferrable objects as BitCoins are. Thus, an issued badge cannot CS186

Junghwa Cha, Patrick Mannion

be said to have real-world monetary value, since it cannot be spent. However, in the absence of a centralized agency overlooking the system of badges, the value of a decentralized publicly available guarantee offered by BitCoin is immediately apparent. Although each badge will be transferred exactly once, transactions involving the issuing of badges will be reported in the same manner as before. Mining would have to be modified, since BitCoin mining shouldnâ&#x20AC;&#x2122;t result in badges from scratch. In this case, transaction fees, the cost a student pays to receive the training for a badge, would have to serve as the reward for mining.

Potential Issues

While the expansion of the Bitcoin protocol is extremely promising in theory, it remains to be seen how various adaptations of the digital currency systems structure to other problems will fare in the real world. In particular, there are several weaknesses that must be addressed if these new networks are to succeed. Startup difficulties surrounding mining. For any system based on the Decentralized Public Ledger to succeed, there must be a sufficient amount of computational power working to create blocks within a timely fashion so that transactions can clear and double-spending cannot occur. To start, the mining function used should be identical to BitCoins, so as to take advantage of as much of its massive network as possible. In the absence of the ability to create currency out of thin air to reward block-builders, however, the issue lingers of how to incentive miners to work on nonBitcoin mining projects. Transaction costs would have to be extremely high at first to compete with the 25 bitcoin reward every 10 minutes, which at May 09, 2013 prices equates to $17,000 per hour, necessitating 1700 transactions per hour just to get below a $10 transaction cost. In some cases, such as industries where exchange is already highly regulated and expensive, the cost may be comparatively low. Even where it is expensive now, however, the block reward payout is cut in half every four years so all else equal, it will gradually become easier to compete. 51% attacks. A far more potent threat to the establishment of any new digital market based on the Bitcoin protocol is the potential for a 51% attack, which can occur when any single user controls more than 50% of the computational resources going towards mining blocks. In this case, he can take over the block chain by not accepting blocks from other users, thus allowing him to double-spend or spend other users coins. The threat of such an attack is miniscule in Bitcoin, where the network of miners is currently massive and the cost of attaining 50% of the market would be astronomical. The most feasible actor for such massive spending to take over half of the mining network is a government actor with the interest in shutting the Bitcoin network down. If they were to do so, however, the question is then from whom would they steal? In CS186

Junghwa Cha, Patrick Mannion

double-spending or making fraudulent trades to remove coins that they do not own, the government would either be stealing from its citizens, raising legal issues, or from non-citizens, raising international relations issues. Thus it seems unlikely that even if the spending were authorized any government would perform a 51% attack on the Bitcoin network to attempt to shut it down. But what about other networks of the Bitcoin protocol? First of all, computational power devoted to them would be much smaller initially, so it would be comparatively simple to control 51% of the resources devoted to the new network. Second of all, in the case of a non-monetary exchange, it might be more politically palatable for a government to steal the possession of an individual user or users in a 51% attack. In this case their goal might not be to cripple the network, but rather merely to take over a controversial asset. For example, if the system were trading domain names as in the case of NameCoin, the government might have an interest in seizing a popular torrent aggregator domain. Combatting 51% attacks remains daunting for small networks. One might simply hope that with smaller networks, there would be less impetus for malevolent actors to get involved. This is likely true in many cases, but certainly not reliable. Another potential solution would be for some single wealthy benevolent agent to donate a large degree of computational power to allow the network to grow through its infancy. Alternatively, the agent could be a nonprofit that could reveal its activity publically and pay down bills with the transaction fees it wins. This is a far more practical solution, though beyond the existence of such an agent it would rely on the agents in the network trusting that supposedly benevolent dictator. Unreliability of wallet services. Although the Bitcoin protocol is incredibly secure in and of itself, weaknesses exist whenever a middleman is involved in holding the valuable information of unspent Bitcoins or other assets. Wallet services that keep track of this data online have been frequently compromised since Bitcoins inception, which does little to support user confidence in the system. Any third party that is trusted with critical information must be trusted to the same degree that a Bank would be in the absence of Bitcoin, though these services are often startups that are considerably less secure and reliable. This issue would extend to any adaptation of the Bitcoin protocol in which the critical transaction data might be stored online by under-informed users. Scalability in space. In any system that incorporates Decentralized Public Ledger, each user must store an entire copy of the blockchain on his individual computer or device. This enables blocks to be verified before being passed to other nodes in the network, and ensures that double-spending can be checked with a reliable copy of the ledger and not against what any other node claims to be true. The downside of this system, however, is that as time goes on and as the network of users grows, each user must store more and more data to be able to participate in the decentralized network. If the quantity of data grows faster than the cost of storage drops, users may be discouraged from participating in the network. Worse still, they may rely

CS186

Junghwa Cha, Patrick Mannion

on faulty information provided by other nodes who claim to have a true copy of the public record, and fall prey to double-spending attacks which weaken the integrity of the network. Fortunately, any new network would start very small, so this issue is far off for any Bitcoin protocol extension, and is more likely to be solved by the Bitcoin Foundation before any smaller extensions scalability crisis occurs.

Conclusion

The application of BitCoin to DNS transfer services through currencies such as NameCoin is already well-known and well-documented online. In this paper we identified three classes of problems that BitCoin solves effectively: origination, exchange and ownership, and trust. The decentralized public nature of BitCoin makes it an attractive alternative to the centralized agencies currently in place that oversee transactions and mediate disputes. Specifically, we examined potential applications that have not been implemented yet, such as NooShare, which solves the problem of exchanges, CommitCoin, which deals with ownership and trust, and the universal badge system. Finally, we discuss a number of potential issues with BitCoin. Many of these have not occurred in practice, but that is likely to change as BitCoin and its applications become more prominent in real-world transactions and gain influence and attention. Though the BitCoin protocol is still in its youth, it is clear that it will significantly impact, if not replace altogether, methods in place for transactions and system of guarantees.

References [1] Clark, Jeremy. Essex, Aleksander.: CommitCoin: Carbon Dating Commitments with Bitcoin (Short Paper). A.D. Keromytis (Ed.): FC 2012, LNCS 7397, pp. 390398, 2012. [2] Coventry, Alex.: NooShare: A decentralized ledger of shared computational resources. 2012 (Unpublished) [3] Gavin Andresen, Bitcoin’s Security, Inside and Out. May 3, 2013. Cambridge, MA. [4] http://www.surety.com. Web. 09 May 2013. [5] Parkes, David C., and Seuken, Sven. “Electronic Curriencies.” Economics and Computation: A Design Approach. N.p.: n.p., Forthcoming. 475-79. Print.

CS186

Junghwa Cha, Patrick Mannion