The Bitcoin Backbone Protocol: Analysis and Applications∗ Aggelos Kiayias† University of Athens aggelos@di.uoa.gr
Juan A. Garay Yahoo Labs garay@yahoo-inc.com
Nikos Leonardos† LIAFA, Université Paris Diderot–Paris 7 nikos.leonardos@gmail.com July 7, 2015
Abstract Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the “hashing power” of the adversary relative to network synchronicity; we show our results to be tight under high synchronization. Next, we propose and analyze applications that can be built “on top” of the backbone protocol, specifically focusing on Byzantine agreement (BA) and on the notion of a public transaction ledger. Regarding BA, we observe that Nakamoto’s suggestion falls short of solving it, and present a simple alternative which works assuming that the adversary’s hashing power is bounded by 1/3. The public transaction ledger captures the essence of Bitcoin’s operation as a cryptocurrency, in the sense that it guarantees the liveness and persistence of committed transactions. Based on this notion we describe and analyze the Bitcoin system as well as a more elaborate BA protocol, proving them secure assuming high network synchronicity and that the adversary’s hashing power is strictly less than 1/2, while the adversarial bound needed for security decreases as the network desynchronizes.
1
Introduction
Bitcoin, introduced in [29], is a decentralized payment system that is based on maintaining a public transaction ledger in a distributed manner. The ledger is maintained by anonymous participants (“players”) called miners, executing a protocol that maintains and extends a distributed data structure called the blockchain. The protocol requires from miners to solve a “proof of work” (POW, aka “cryptographic puzzle” — see, e.g., [16, 38, 4, 24]), which essentially amounts to brute-forcing a hash inequality based on SHA-256, in order to generate new blocks for the blockchain. The blocks that comprise the blockchain contain sets of transactions that are generated at will by owners of bitcoins, who issue transactions that credit any entity of their choice who accepts payments in bitcoin. Payers broadcast transactions and miners include the transactions they receive into the blocks ∗ †
An abridged version of this paper appears in Proc. Eurocrypt 2015. Research partly supported by ERC project CODAMODA.
1