Recap
- A Bitcoin address is the (hashed) public key of a digital signature scheme.
- There is a global public ledger. Every node holds the same entire
ledger.
- The ledger is represented as a chain of blocks. Each block contains 0 or more transactions.
- Creation of a block needs work. Proof of work is basically a nonce that
causes the hash of a block to have many leading 0s. As a reward of the work,
the block creator can mint coins and collect a fee from each transaction.
- Authenticity of a transaction is achieved by having the money spender
sign his transactions with his public key.
- A block is connected to its previous block through a hash chain. That is,
a block contains
PrevHash = H(previous block).
Protocol: How a transaction is put into the global ledger
- New transactions are broadcast to all nodes.
- Each node collects new transactions into a block.
- Each node works on finding a difficult proof-of-work for its block.
- When a node finds a proof-of-work, it broadcasts the block to all nodes.
- Nodes accept the block only if all transactions in it are valid and not already spent.
- Nodes express their acceptance of the block by working on creating the next block in the
chain, using the hash of the accepted block as the previous hash.
Conflict Resolution
In the above protocol, the first miner to submit a valid block gets his block
added to the blockchain and receives the reward.
Conflict
However, what happens if two miners or more submit their blocks at the same time?
If two miners solve a block at almost the same time, then we will have two
different blockchains in the network.
- Node A that finds the proof of work will contain a block chain that looks
like the upper one in the picture.
- Node B that finds another proof of work will contain a block chain that looks
like the lower one in the picture.
- The other nodes will be confused. They will hold both chains at the moment
and wait until the conflict is resolved.
Resolving conflicts: choose the longest chain
We need to wait for the next block to resolve the conflict. Nodes always
consider the longest chain to be the correct one and will keep working on
extending it.
- If two nodes broadcast different versions of the next block simultaneously,
some nodes may receive one block (or the other) first.
- The nodes will work on the first block they received. (The other branch
will also be stored in case it becomes longer.)
- The tie will be broken when the next proof-of-work is found and one
branch becomes longer. That is, the nodes that were working on the other
branch will then switch to the longer one.
Conflict Resolution: Security Consideration
As you just saw, when there is a conflict, the longer branch will be accepted.
This has important security implications.
Even if a transaction is put into the block chain, don't relax yet! It is
possible that your branch may be nullified in the midst of conflict resolution
procedures.
Finney Attack
Consider a merchant who accepts a payment immediately on seeing the transaction
written into the global ledger.

Unfortunately, the merchant is exposed to the transaction being reversed.
An attacker can pre-mine a block with a transaction, and spend the same coin
(i.e., double spending!) in a second transaction before releasing the block.
In particular, a Finney attack works as follows (see the picture on the right):
Source: Steemit.com
- Suppose the attacker occasionally tries to generate a branch of blocks.
- In each branch the attacker generates, he includes a transfer from address
A to address B, both of which he controls. This is transaction Tx2 in the
above picture. The purpose of this transaction is double spending. In
particular, the adversary is setting up an attack as follows:
  - Transfer from A to a merchant's address C (Tx1 in the above picture).
  - The merchant sees the coin transfer (with Tx1 in the chain, well,
  temporarily) and happily ships its product to the adversary.
  - The adversary nullifies transaction Tx1 by putting a longer branch
  containing Tx2 in the chain.
  - Overall, the adversary spent no coin (with Tx2 in the chain), but the
  merchant already shipped the product!
- To cheat the merchant, when he generates a branch of blocks, he doesn't broadcast it yet.
- Instead, the attacker opens the store web page of the merchant and makes
a payment to the merchant's address C with his address A (Tx1 in the picture
above). The merchant waits until the transaction is pushed into the global
blockchain, and then delivers the product.
- The attacker broadcasts his secret longer branch now, and the transaction
(Tx2, A → B) will be finalized. The transaction (Tx1, A → C) is
inconsistent with (A → B), and would never be pushed back into the
ledger. The merchant shipped its product for nothing.
Confirmation
As you see from the Finney attack, acceptance of a block may be
temporary. Even if we see that a recent transaction is already included in
the blockchain, there is no guarantee that this chain is the "permanent" one,
since it is possible that another branch may grow longer than the one that has
already been accepted by a node. If the new branch does not include this
transaction, the transaction is invalid.
The question is:
When should we feel confident that our transaction is "permanently" accepted?
Confirmation number
One good indicator is how many blocks are added to the blockchain after
a transaction is included. We call this the confirmation number.
- Suppose that a transaction Tx is included in a block that has K following blocks.
- If the attacker wants to nullify Tx, it has to create a new branch that
has at least K blocks.
- Creating blocks (i.e., finding a proof-of-work) takes work and
time. Creating K blocks is more work and time.
- At the same time, honest nodes are also mining and making the original
branch longer. There are probably more honest nodes than the attacker. So,
the mining speed of the honest nodes (collectively) would be much faster
than that of the attacker.
- In summary, the larger the value K is, the less likely it is that the
transaction will be excluded by another branch, and the more confidence we
should have in the transaction.
To guard against the Finney attack, it is recommended to wait for at least 6
block confirmations before accepting the payment.
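The longest-chain rule and the confirmation number can be seen together in a toy node. This is an added example, not code from the original notes: the block format, the `Node` class and the transaction labels are constructed for illustration, and proof-of-work and transaction validation are left out.

```python
import hashlib

def block_hash(prev_hash, txs):
    """Toy H(block): SHA-256 over PrevHash plus the transaction list."""
    return hashlib.sha256((prev_hash + "|" + ",".join(txs)).encode()).hexdigest()

class Node:
    """Stores every block it receives and works on the longest chain."""
    def __init__(self):
        # block hash -> (PrevHash, transactions, height)
        self.blocks = {"genesis": (None, [], 0)}
        self.tip = "genesis"

    def receive(self, prev_hash, txs):
        if prev_hash not in self.blocks:
            raise ValueError("unknown previous block")
        h = block_hash(prev_hash, txs)
        height = self.blocks[prev_hash][2] + 1
        self.blocks[h] = (prev_hash, list(txs), height)
        # Switch only to a strictly longer branch; on a tie the node keeps
        # the block it saw first and merely stores the other one.
        if height > self.blocks[self.tip][2]:
            self.tip = h
        return h

    def confirmations(self, tx):
        """Blocks following tx's block on the longest chain (the K above),
        or None if tx is not on that chain at all."""
        h, following = self.tip, 0
        while h is not None:
            prev, txs, _ = self.blocks[h]
            if tx in txs:
                return following
            h, following = prev, following + 1
        return None

def reorg_demo():
    """Constructed scenario: Tx1 (A->C) and Tx2 (A->B) spend the same coin."""
    node = Node()
    base = node.receive("genesis", ["coinbase"])
    upper = node.receive(base, ["Tx1"])        # seen first, becomes the tip
    lower = node.receive(base, ["Tx2"])        # same height: stored only
    history = [node.confirmations("Tx1")]      # Tx1 is in the tip block
    node.receive(upper, ["Tx3"])
    history.append(node.confirmations("Tx1"))  # one block follows Tx1
    node.receive(node.receive(lower, ["Tx4"]), ["Tx5"])  # lower branch overtakes
    history.append(node.confirmations("Tx1"))  # Tx1 is off the longest chain
    return history, node.confirmations("Tx2")
```

A merchant polling `confirmations("Tx1")` sees the count rise and then vanish once the other branch becomes longer, which is why a small K is not enough to treat a payment as final.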
Mining Speed: Honest Nodes vs Malicious Node
The key issue: the longest chain
Recall that the longest chain is the "permanent" one. If an attacker can mine
faster than all the honest nodes together, then the attacker will be successful
in double spending.
Hash power
In the bitcoin system, the primary task of mining is to calculate hashes in
order to find a valid block. Therefore, the mining speed can be essentially
measured using hash rate, which measures how many operations a miner can do per
second. Hash rate is also called hash power. The higher a miner's hash power
is, the more likely it is that the miner can do double spending.
In 2012, Rosenfeld calculated the
probability of a successful double spend, with regard to the hash rate and
confirmation number.
- q: The attacker's hash rate.
- r: The probability of successful double spend
- n: A confirmation number.
- Focusing on the recommended confirmation number n = 6 (brown line), we see
that as long as q < 0.1 (the hash rate of the attacker is 10% or less),
then the probability of successful double spend is less than 0.001.
- If q > 0.5 (the attacker holds the majority of the hash power), then the
double spend is always successful whatever the confirmation number is.
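The numbers read off the graph can be reproduced from the closed form in Rosenfeld's analysis, using the symbols q, r and n defined above. This is an added example, not part of the original notes; the function names are my own, and q is expressed as a fraction of the total hash rate.

```python
from math import comb

def double_spend_probability(q, n):
    """r for attacker hash share q (0..1) and confirmation number n >= 1.

    Rosenfeld's closed form, with p = 1 - q the honest share:
        r = 1 - sum_{m=0..n} C(m+n-1, m) * (p^n q^m - p^m q^n)   if q < p
        r = 1                                                     otherwise
    """
    if not 0.0 <= q <= 1.0 or n < 1:
        raise ValueError("need 0 <= q <= 1 and n >= 1")
    p = 1.0 - q
    if q >= p:
        return 1.0  # attacker out-mines the honest nodes: always catches up
    total = sum(comb(m + n - 1, m) * (p**n * q**m - p**m * q**n)
                for m in range(n + 1))
    return 1.0 - total

def confirmations_needed(q, target, max_n=1000):
    """Smallest n with r < target, or None if no such n exists up to max_n."""
    for n in range(1, max_n + 1):
        if double_spend_probability(q, n) < target:
            return n
    return None

if __name__ == "__main__":
    for q in (0.10, 0.30, 0.42, 0.51):
        row = ", ".join(f"n={n}: {double_spend_probability(q, n):.5f}"
                        for n in (1, 2, 6))
        print(f"q={q:.2f}  {row}")
    print("n needed for r < 0.001 at q=0.10:", confirmations_needed(0.10, 0.001))
```

For a merchant, `confirmations_needed` turns an assumed attacker share and an acceptable risk into a waiting policy; it returns `None` once q reaches 0.5, where no number of confirmations helps.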
51% attack
A 51% attack occurs when one or more miners take control of more than 50% of a
network's hash power. If a 51% attack is successful, the attacker essentially
controls the network. Something like this has actually happened before.
- In July 2014, the mining pool ghash.io briefly exceeded 50% of the bitcoin
network's computing power. The pool voluntarily reduced its total mining power
to 40% after asking some of its participants to vacate the pool.
- In 2018, the Bitcoin mining giant Bitmain mined 42% of all the Bitcoin
blocks during a week in June, steadily moving closer to owning the majority hash
power of the bitcoin network. Note that, according to the above graph, even with
42% hash power, the success rate for Bitmain to do double spending is quite
high: 58% with 6 confirmations.
Other Things about Bitcoin
Reward to the miner
When a miner creates a block, the miner creates coins as a reward (along with
the transaction fee).
The Bitcoin scalability issues
The on-chain transaction processing capacity of the bitcoin network is limited
by the average block creation time of 10 minutes and the original block size
limit of 1 megabyte. These jointly constrain the network's throughput. The
transaction processing capacity maximum estimated using an average or median
transaction size is between 3.3 and 7 transactions per second.
There are various proposed and activated solutions to address this issue. See
here for more details.
Energy consumption
Bitcoin has been criticized for the amount of electricity consumed by mining --
so many hash calculations!

Source: cbeci.org.
Bitcoin’s electricity consumption is roughly 130 TWh, which is above total
energy consumption in Argentina (121 TWh), the Netherlands (108.8 TWh) and the
United Arab Emirates (113.20 TWh).
Bitcoin explorer
Check out this site.
- Check out the hash of a block and nonce.
- Check out who the miner of a block is. How many coins does the miner of a
block get?
- Check out the fee of a transaction.
- Check out the confirmation number of a transaction.
- Check out how often a block is added in the chain.
True or False?
- (T/F) Conflicts happen when a block has multiple parent blocks.
- (T/F) The higher confirmation number a transaction has, the safer it is.
- (T/F) Even if a block is mined with a proof of work, the block can be nullified.
- (T/F) The security of the block chain depends on the assumption that the
aggregate hash power of the honest miners is greater than that of the attacker.
- (T/F) The only source of the reward for the miner is from minting coins.
- (T/F) The number of all minable coins is upper bounded by a fixed number.
There should exist no more coins than that many coins.