Bitcoins Maybe; Blockchains Likely
By Peter J. Denning, Ted G. Lewis
The innovative foundations of the cryptocurrency may outlive the currency itself, as its verification method finds applications everywhere.
On January 3, 2009, Satoshi Nakamoto began selling a new form of money and operating an associated support system called the bitcoin cryptocurrency system. The name bitcoin (BTC) comes from it being digital money that can be used like coinage, and the crypto term indicates that the bits are secured by cryptographic methods. The currency has secretive roots: It is still unknown who Nakamoto was, but it may have been Harold Thomas Finney II, a known cryptologist who created a secured transaction system similar to that used in BTC exchanges, and a developer employed by the PGP (Pretty Good Privacy) Corporation. (PGP is a protocol widely used for personal encryption keys.) Finney was the first recipient of BTCs in 2009. But we may never know for certain who Nakamoto was, because Finney died in 2014.
The term bitcoin conjures up an image of a real coin encoded as a bit pattern. The big problem with bit patterns is that the owner can retain a digital copy and try to make another payment with the same coin. This double-spend problem plagues all concepts of virtual money. Nakamoto wanted a system that could ensure that a sum of money can be spent exactly once—no double payments.
Banks already know how to prevent double payments: A digital transaction is completed by the bank, not the consumer. The bank has full control over the database of all accounts and can safely transfer an amount from the payer to the payee accounts. Banking is based on trust in the banking system. Nakamoto rejected the idea of a centralized database, seeking instead a system without a trusted intermediary or a single point of failure. A distributed ledger of accounts that cannot be hacked by breaking into a single database fills this bill.
Thus, Nakamoto defined bitcoins as “a chain of digital signatures.” To understand what he means, consider the example of Alice wanting to pay 1 BTC to Bob. Alice can create a certificate that says “Alice pays 1 BTC to Bob, signed Alice.” The certificate is signed by Alice’s secret digital key, which is paired with her public digital key that anyone can use to validate her ownership. The certificate is a record of a transaction stored in the ledger of all transactions. Alice’s ability to pay is determined by the entire history of all transactions that flow to or from her. When the transaction is completed, the ledger will show her net worth decreasing by 1 BTC and Bob’s increasing by 1 BTC. In other words, cryptographic coins are the value generated by transactions recorded in a ledger. We scan the ledger to find out anyone’s net worth at any moment of time.
The idea of calculating value based on a history of transactions is used in many places. A familiar example is the title to a property. It is a certificate that says, “As of this date, Alice is the sole owner of the property described here; signed, notary.” When Bob wants to buy the property, the escrow company hires a title search firm to review all the records of previous sales and liens back to the beginning to validate that Alice is indeed the legitimate sole owner. The trail of transactions on the property is called a chain. Although the current title is an integral part of the chain, the validity of that title depends on the entire history. Nakamoto’s definition of value is parallel to this scenario if the title company is replaced by a computer system and the transactions are all electronic fund transfers.
The records of all bitcoin transactions are compiled into blocks of about 4 megabytes in size. The linked list of all blocks going back to the beginning in 2009 is called a blockchain. Although the blockchain could be stored in a central database, Nakamoto wanted to distribute it among many computing nodes in the network to remove the risk of a single point of failure. Thus, there are many copies of the blockchain in a distributed network of nodes, but the entire chain is protected from tampering by a complex arrangement of links made from digital signatures and hashes (mathematical functions that scramble all the bits of a file into a fixed-length code). A form of majority voting is used to decide which blocks are valid and can be added to the chain. Changing the contents of a copy in any node without being detected is next to impossible.
The bitcoin system comes with user interface software called a wallet. A user logs into a wallet and specifies transactions. The wallet handles all the details, such as representing the transactions as signed certificates, broadcasting them into the network, and receiving transactions from the network that would affect the funds in the wallet. The wallet converts currencies such as the U.S. dollar into bitcoins through a system of brokers called BTC exchanges.
In the world of online transactions, two concepts are absolutely fundamental: the digital signature and the hash. Using a bitcoin wallet, a user can obtain a matched pair of encryption keys (one public and one private, each consisting of patterns typically 256 bits long), the basis of a public key cryptosystem. In the blockchain, message secrecy is unimportant, but authenticity is. Alice’s transaction “Pay 1 BTC to Bob” is encoded as “Pay 1 BTC to public-key-of-Bob,” signed with her private key, and submitted to the blockchain. Only Bob can “cash” the transaction—in other words, use his secret key to unlock the transaction. The digital signatures guarantee the validity of the transactions recorded in the ledger.
But the signatures do not protect against double spending, which could happen if Alice inserted two identical “pay Bob” transactions into the blockchain. The blockchain protocols would not accept Alice’s duplicate transaction, but if Bob can cash them before the protocols reject the duplicate, Bob gets paid twice and Alice pays once. Nakamoto solved this problem by a complex series of cryptographic techniques based on what are called hashing functions. A hash is the output of a special function that takes all the bits of a file, scrambles them, and condenses the scramble into a fixed number of bits, typically 256. A well-designed hash function will so completely scramble the original file that altering a single input bit causes most bits in the output to change. The hash function is not invertible: Given the output, the only way to find the input that generated it is an exhaustive search of all possible inputs, which would take more time than the remaining life of the universe. To guarantee that no one can tamper with any transactions in the blockchain, each is entered into the chain along with its hash. It is easy to verify that a transaction is valid simply by computing its hash and comparing with the hash stored with the transaction.
The hash of a block of transactions in the chain can be computed by combining the hash of the previous block with the hashes of all transactions in the current block and a nonce (a random number used once). This method of linking blocks is called a ratchet because any change to a block requires recomputing all the block hashes all the way to the end of the chain.
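To make the two ideas concrete, here is an added example in Go, written for this page rather than taken from the authors or from the bitcoin software: Alice signs payment records with a P-256 ECDSA key, each block's hash covers its transaction hashes and the previous block's hash, and a verifier walks the chain. The `Tx` and `Block` types, the `pubkey-of-Bob` placeholder, the hashing of the public key through its X and Y coordinates, and the three constructed payments are assumptions of the example; the proof-of-work nonce is left out so the block hash shows the link alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tx is a constructed payment record signed by the payer: one link in a "chain of digital signatures".
type Tx struct {
	Payload   string           // e.g. "Alice pays 1 BTC to pubkey-of-Bob"
	PayerPub  *ecdsa.PublicKey // the key anyone can use to check the signature
	Signature []byte           // ASN.1 ECDSA signature over sha256(Payload)
}

// Block links to its predecessor through PrevHash; the mining nonce is omitted here.
type Block struct {
	PrevHash [32]byte
	Txs      []Tx
}

// SignTx signs sha256(payload) with the payer's private key (P-256 ECDSA).
func SignTx(priv *ecdsa.PrivateKey, payload string) (Tx, error) {
	h := sha256.Sum256([]byte(payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Tx{Payload: payload, PayerPub: &priv.PublicKey, Signature: sig}, err
}

// VerifyTx recomputes the payload hash and checks the stored signature against it;
// changing one character of the payload makes it return false.
func VerifyTx(tx Tx) bool {
	h := sha256.Sum256([]byte(tx.Payload))
	return tx.PayerPub != nil && ecdsa.VerifyASN1(tx.PayerPub, h[:], tx.Signature)
}

// BlockHash = sha256(prevHash || hash(tx1) || hash(tx2) || ...), where each transaction
// hash covers payload, public key and signature. The next block stores this value as
// its PrevHash, which is what makes the chain a ratchet.
func BlockHash(b Block) [32]byte {
	buf := append([]byte{}, b.PrevHash[:]...)
	for _, tx := range b.Txs {
		rec := append([]byte(tx.Payload), tx.PayerPub.X.Bytes()...)
		rec = append(append(rec, tx.PayerPub.Y.Bytes()...), tx.Signature...)
		h := sha256.Sum256(rec)
		buf = append(buf, h[:]...)
	}
	return sha256.Sum256(buf)
}

// VerifyChain returns -1 if every signature checks and every PrevHash equals the
// recomputed hash of its predecessor, else the index of the first failing block.
func VerifyChain(chain []Block) int {
	for i, b := range chain {
		for _, tx := range b.Txs {
			if !VerifyTx(tx) {
				return i
			}
		}
		if i > 0 && b.PrevHash != BlockHash(chain[i-1]) {
			return i
		}
	}
	return -1
}

// TamperDemo builds three blocks of constructed Alice payments and returns VerifyChain
// for: the intact ledger (-1); block 1's payload edited in place (1: its signature
// fails); block 1's payment replaced by one Alice freshly signed (2: the signature is
// fine, but block 2's stored PrevHash is stale, and every later block's would be too).
func TamperDemo() (intact, edited, resigned int, err error) {
	alice, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return 0, 0, 0, err
	}
	var chain []Block
	var prev [32]byte // all-zero link for the first block
	for i := 1; i <= 3; i++ {
		tx, err := SignTx(alice, fmt.Sprintf("Alice pays %d BTC to pubkey-of-Bob", i))
		if err != nil {
			return 0, 0, 0, err
		}
		chain = append(chain, Block{PrevHash: prev, Txs: []Tx{tx}})
		prev = BlockHash(chain[len(chain)-1])
	}
	intact = VerifyChain(chain)
	chain[1].Txs[0].Payload += " plus 100 BTC"
	edited = VerifyChain(chain)
	if chain[1].Txs[0], err = SignTx(alice, "Alice pays 1 BTC to pubkey-of-Alice"); err != nil {
		return 0, 0, 0, err
	}
	resigned = VerifyChain(chain)
	return intact, edited, resigned, nil
}

func main() {
	fmt.Println(TamperDemo()) // -1 1 2 <nil>
}
```

The second and third results are the point of the ratchet. An edited record is caught by its own signature. A record that Alice re-signs correctly passes the signature check, yet block 2 still stores the hash of the old block 1, so the link breaks there, and the same would happen at every later block. A tamperer holding one copy of the ledger would have to recompute every block after the change, which is the work the proof-of-work described below makes prohibitively expensive.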
Using an algorithm called a Proof-of-Work (POW), the time to compute a new hash of a block is made to be time-consuming and expensive, on purpose and for good reason. If the time needed to make a hash is approximately the same as the time it takes for the network to add a new block to the chain, it becomes impossible for a hacker to catch up and substitute the recomputed chain for the original.
The nonce plays a pivotal role in POW. The nonce is not just any number, but a number that causes the hash of the block to begin with a certain number of leading zero bits. For example, if the number-of-zeros parameter is 60, the block hash must begin with 60 zero bits. The only way to meet this requirement is to find a nonce that, when combined with all the other hashes of the block, yields a block hash beginning with 60 zero bits. Because hash functions are not invertible, this search can only be done by trial: Try a nonce, compute the hash, and if it does not qualify, try a nonce that is one larger than the previous one.
The number-of-zeros parameter in bitcoin is frequently adjusted so that POW takes an average of about 10 minutes. That means that a hacker expects to spend about 10 minutes of computing time to find a nonce that generates a valid hash for a fraudulent block. In turn that means that the hacker has a very small chance of overtaking whoever is linking a new valid block to the chain. Nakamoto set up the system to make POW progressively harder (with more leading zeros) so that new nonces are progressively harder to find. Finding new nonces becomes impossible when the total number of bitcoins is 21 million.
A miner is a special node that performs the POW for new blocks proposed for the chain and thereby extends the blockchain. The protocol works as follows:
1. New transactions are broadcast to all nodes.
2. Each node collects new transactions into a block.
3. Each miner node does the POW to find a hash for the new block. Different miners working in parallel will find different nonces and hashes.
4. When a miner node completes a POW, it broadcasts the block and its hash to all nodes.
5. A node validates the new block by verifying the signatures and hashes of all the transactions and then adds the block to its local copy of the blockchain.
6. After accepting a block, a miner node begins working on creating the next block in the chain, using the hash of the accepted block as the previous hash. All the other miners drop their attempts to validate a block and start over to mine the next block.
7. The first miner to find a hash for the new block gets a reward of a few bitcoins.
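The proof-of-work search and steps 3 to 5 of this protocol, as an added example in Go written for this page (not the authors' code and not the bitcoin software's). Transactions are plain strings, the article's number-of-zeros parameter is `zeroBits`, and the two miners, their nonce start points and the sample payments are constructed assumptions; the signature checks of step 5 are left out so the example stays on the proof-of-work and the hash link.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

// Block is a constructed stand-in for a bitcoin block: transactions are kept as plain
// strings (signature checks are left out here) and Hash is what a miner broadcasts.
type Block struct {
	PrevHash [32]byte
	Txs      []string
	Nonce    uint64
	Hash     [32]byte
}

// Genesis is the all-zero "previous hash" that the first block links to.
var Genesis [32]byte

// BlockHash = sha256(prevHash || sha256(tx1) || sha256(tx2) || ... || nonce), the
// article's linking rule, with the nonce encoded as 8 big-endian bytes.
func BlockHash(prev [32]byte, txs []string, nonce uint64) [32]byte {
	buf := append([]byte{}, prev[:]...)
	for _, tx := range txs {
		h := sha256.Sum256([]byte(tx))
		buf = append(buf, h[:]...)
	}
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], nonce)
	return sha256.Sum256(append(buf, n[:]...))
}

// LeadingZeroBits counts the zero bits a hash starts with; the article's
// "number-of-zeros" parameter is a minimum for this value.
func LeadingZeroBits(h [32]byte) int {
	n := 0
	for _, b := range h {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// Mine is step 3: try nonces one after another (from a per-miner start value) until the
// block hash has at least zeroBits leading zeros. It also returns how many hashes it took.
func Mine(prev [32]byte, txs []string, zeroBits int, start uint64) (Block, int) {
	for nonce, tries := start, 1; ; nonce, tries = nonce+1, tries+1 {
		if h := BlockHash(prev, txs, nonce); LeadingZeroBits(h) >= zeroBits {
			return Block{PrevHash: prev, Txs: txs, Nonce: nonce, Hash: h}, tries
		}
	}
}

// Validate is step 5 as a receiving node performs it: the block must link to the node's
// chain tip, its hash must match its contents (any edited transaction fails here), and
// the hash must meet the proof-of-work target.
func Validate(tip [32]byte, b Block, zeroBits int) error {
	if b.PrevHash != tip {
		return errors.New("block does not link to the current chain tip")
	}
	if BlockHash(b.PrevHash, b.Txs, b.Nonce) != b.Hash {
		return errors.New("stored hash does not match block contents")
	}
	if LeadingZeroBits(b.Hash) < zeroBits {
		return errors.New("proof-of-work target not met")
	}
	return nil
}

// Race runs two constructed miners over the same transactions from different nonce start
// points, so they find different nonces (step 3), takes the one that needed fewer hashes as
// the first to broadcast (step 4), and validates it as a node would (step 5).
func Race(zeroBits int) (winner Block, tries [2]int, err error) {
	txs := []string{"Alice pays 1 BTC to Bob", "Bob pays 0.5 BTC to Carol"} // constructed
	a, ta := Mine(Genesis, txs, zeroBits, 0)
	b, tb := Mine(Genesis, txs, zeroBits, 1<<32)
	winner, tries = a, [2]int{ta, tb}
	if tb < ta {
		winner = b
	}
	return winner, tries, Validate(Genesis, winner, zeroBits)
}

func main() {
	b, tries, err := Race(16) // 16 leading zero bits: about 65,000 hashes per miner on average
	fmt.Printf("nonce=%d zeros=%d tries=%v err=%v\n", b.Nonce, LeadingZeroBits(b.Hash), tries, err)
}
```

Raising `zeroBits` by one doubles the expected number of hashes, which is the lever the article describes for keeping block times near 10 minutes (the real bitcoin target is a numeric threshold that the leading-zero count approximates). `Validate` also shows why the winning miner cannot quietly alter a transaction after broadcasting: the stored hash no longer matches the contents, and finding a new qualifying nonce means redoing the whole search.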
Miners are constantly looking for ways to amass so much computing power that they can always win the race to add the next block to the chain, and thereby reap the reward. Mining is such a big business that there are now special-purpose chips for computing hashes. This environment encourages the formation of a cartel of miners, who together control 51 percent or more of the computing power in the network, to collaborate on producing new blocks and share the rewards. With at least 51 percent of the computing power, the group can complete POW faster than any nodes in the network. This scenario is called a 51-percent attack because it can also be used to populate the chain with fraudulent blocks.
To prevent such fraud, Nakamoto’s system depends heavily on self-interest rather than trust. He claims, “If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favor him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.” But Nakamoto overlooked the possibility of a 51-percent cartel.
Although blockchains were invented for the bitcoin currency, many see their potential for other purposes, such as dealing with public and organizational records in a decentralized network. There are proposals to move the Internet’s DNS (Domain Name System) to a blockchain, which would be much faster as well as resilient against outages. Despite the enthusiasm, there are also a number of important issues that give pause and will need resolution before blockchains will be widely adopted. These issues include performance, trust, volatility of cryptocurrencies, reliability, and overall world energy cost from operating blockchains.
By design, updates in the Nakamoto blockchain are computationally intensive. The result is that the overall throughput of the bitcoin network is about 7 transactions per second, and it takes about 10 minutes to close a transaction after it is submitted. In contrast, credit card companies and banks today can handle thousands of transactions every second, and give almost instantaneous response times to close transactions. On August 1, 2017, the BTC blockchain experienced a hard fork when the block size was changed from 1 megabyte to 4 megabytes, and a lighter version of BTC called bitcoin cash was created to improve transaction processing speed.
In addition to massive computational power, the blockchain requires massive storage. In 2017, the blockchain occupied 100 gigabytes, and it took many days to download and verify a new copy on a personal computer. This blockchain clearly cannot scale up to the size that would be needed to support a cryptocurrency with billions of users.
There are at least a dozen alternative blockchain architectures that all aim to reduce the computational work to verify a new block and add it to the chain. The most promising is Ethereum, which uses a Proof-of-Stake (POS) rather than Proof-of-Work: In POS, nodes with larger amounts of currency get greater weight in a vote determining when a new block will be added to the chain. But these alternative currencies appear to be more susceptible than bitcoin to a 51-percent attack. It will take some time to test out all these alternatives to find out which ones are reliable, scalable, and hackproof.
Another alternative is being explored by the Hyperledger.org project, which aims to produce an open architecture for business blockchains. They have defined a set of layers, each providing a critical function. One of the most critical to performance is the consensus layer, which adds a proposed new block to the chain once a consensus of the nodes is achieved. They are experimenting with alternatives to POW that are much less computationally intensive, such as using a lottery to select a node that then provides the proposed new block or accepting the proposed block only if a majority vote for it. These new options are possible when assumptions about trust are relaxed. In Nakamoto’s network, no one trusts anyone; the system is designed to achieve consensus on additions to the blockchain when each node is anonymous and considers the other nodes as untrustworthy. In the new system, people within an organization may reveal themselves and have a greater basic level of trust.
Miners of the blockchain network are becoming highly specialized professionals relying on expensive chips specifically designed for POW. Because many ordinary users cannot afford to be miners, much of the computing power is concentrating in a relatively small minority of the network. After a recent $79 million heist of Ethereum coins, the miners proposed to collaborate so that they could go back and revise the blockchain to delete the transactions performing the heist. Although this act would deprive the criminals of their bounty, it also would undermine trust in the network. What else might a coalition of miners do?
The exchange rates for cryptocurrencies can be quite volatile, which encourages speculators to buy up bitcoins and hoard them. The saturation limit of 21 million BTC adds to the volatility because of the scarcity of the coins. There is no central government bank monitoring the currency and keeping its value stable. For this reason, the Chinese government has banned speculation in ICOs (Initial Coin Offers) that exchange cryptocurrency for investment in startups.
The volatility of bitcoin values is likely to be correlated with social and political uncertainty, especially as confidence in government declines. At one point, rumors that China held most bitcoins in circulation led to price spikes because of fears that China might devalue its currency. The exponential increase in bitcoin exchange rates during the 2016–2017 seasons may be a reaction to political changes in Europe and the United States.
Economist William Luther of Kenyon College in Ohio claims that bitcoin has failed to catch on because of the steep switching cost in moving away from government-backed currencies. Bitcoin adopters need to have their own copy of the ledger (taking up 100,000 megabytes in 2017) and enough computing power to do the hashes and signatures rapidly. And even if they do make the switch, the volatility could easily rob them of their wealth.
We think the biggest problem of all is in the POW idea itself. It is intended to be computationally expensive, even when the world’s most powerful computers and special chips are deployed. This computation load means that POW is also energy intensive. Various estimates put the electricity consumed by the world’s data centers at about 7 percent of the world’s total. Massive use of blockchains would significantly boost that total. Do we want a system of currencies that requires so much of the planet’s energy to power? Or that becomes ever more susceptible to total collapse if someone finds a way to shut down the power grids?
It seems most likely that bitcoins will remain limited in use until there are affirmative answers to questions about their security and resilience, but such solutions are not obvious right now. On the other hand, the idea of blockchain ratcheting is already spreading to related technologies and could grow further, assuming some of its issues can be resolved. For example, the Signal Protocol used by social networks such as Instagram and Facebook employs ratchets inspired by blockchain technology. It’s another case where the adoption of a technology has taken an unexpected turn, and which new developments will stand the test of time is difficult to predict.