In November 2008, a paper entitled “Bitcoin: A Peer-to-Peer Electronic Cash System” was published online.1 The system described in the paper, including a monetary unit termed “bitcoins,” embodied the world’s first cryptocurrency. The most striking characteristic of the bitcoin system is the complete absence of any form of centralized control. There is no role for governments, financial institutions, or regulatory bodies. The system is completely autonomous. Peer-to-peer networking technology and mathematical encryption form the basis for the system. A distributed ledger, known as the blockchain, maintains a public record of all transactions. In the absence of trusted third parties, the security and maintenance of the system is a shared responsibility.
On January 3, 2009, with access limited to a select few cryptologists, the bitcoin software was released and the first bitcoins issued. Bitcoin was not, it must be noted, an overnight success. In fact, it wasn’t until 2013 that the system really began to take off. That year saw a fifty-fold increase in valuation, so that by January 2014, a bitcoin was worth around nine hundred euros. A series of advances and declines since then has seen the value of bitcoins fluctuate. Against the expectations of some observers, the currency has recovered and a bitcoin is again worth around six hundred euros.2 There are now more than seven hundred cryptocurrencies competing with bitcoin.3 Their success to date has been limited, with a cumulative capitalization of only around twenty percent that of bitcoin. The total capitalization of the bitcoins issued thus far amounts to more than fifteen billion euros.
Although credited to Satoshi Nakamoto, the true identity of the person, or people, responsible for the bitcoin paper remains unknown. Nakamoto, it seems, was merely a pseudonym. A number of people, most recently Craig Steven Wright, have come forward claiming to be the inventor of bitcoin.4 These claims have either been proven false or lack credibility. Nick Szabo is considered a more plausible candidate, but, like others, he has always denied being Nakamoto.
Encryption and Hash Functions
The protocol described in the bitcoin paper relies on a series of advances in mathematical cryptography. Some are embedded in conventional encryption methods—the transformation of a message, or plain text, in such a way as to render the text unreadable without a special key.5 When the same key is used for both encryption and decryption, the process is known as symmetric, or secret key, encryption; asymmetric, or public key, encryption uses a pair of keys for encryption and decryption, one public and the other private. Authentication processes and digital signatures also arise from advances in cryptography. The former involves methods for ensuring that the person using a credit card is authorized to do so, while the latter creates digital paths certifying that a message has been sent by a particular person and prevents a signed message from being altered.
The bitcoin protocol uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for transaction signatures. Two keys are involved. A private key is used to sign transactions and a public key, similar to an account number, is used to verify that the signature is correct. This method ensures that the source of the transaction is, in fact, the person associated with the private key. If implemented correctly, ECDSA is considered safe and secure. The integrity of the system is derived from the difficulty in determining a private key from a public key. This involves calculating the discrete logarithm of a large integer; given three integers a, b, and c, such that a = b^n mod c, one must find n, the discrete logarithm. Bitcoin uses the ECDSA system and 256-bit keys, providing a level of security comparable to that of RSA (the Rivest–Shamir–Adleman cryptosystem), an earlier encryption method which uses keys 3,072 bits in length.6
Another cryptographic component in the bitcoin protocol is the hash function.7 For a given character string of any length x, a hash function generates a fixed-length value, f(x), known as the digest of x, or the hash. Hash functions possess the following properties:
- The function f(x) can be calculated quickly and easily, but, for a given y, finding x such that f(x) = y is, in practice, impossible.
- Finding two different values x and x' such that f(x) = f(x') is also impossible.
- If x and x' are both character strings, or files, differing by only a single character, the values f(x) and f(x') appear to be entirely random.
Bitcoin uses the SHA-256 hash function, which, as the name suggests, generates 256-bit hashes.8 SHA-256 is used to link together the records in bitcoin’s distributed ledger, the blockchain. Linking the records in this manner makes it impossible to modify the blockchain without those changes being immediately apparent. SHA-256 is also used in the system for issuing bitcoins. A second hash function, RIPEMD-160, is also used when creating destination addresses for transactions, but has a less important overall role in the protocol.
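The linking described above, as an added example that is not part of the original article: a toy ledger whose pages each embed the SHA-256 hash of the previous page, a check that walks the links, and a tampering experiment. The page format and the sample transactions are constructed for illustration; real bitcoin blocks also carry a header, a Merkle root and a proof of work, which are not modelled here.

```python
import copy
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    """The hash function the text calls f(x): a fixed 256-bit digest, as hex."""
    return hashlib.sha256(data).hexdigest()

def bit_difference(a_hex: str, b_hex: str) -> int:
    """Number of bits in which two digests differ (around 128 of 256 is typical)."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")

def page_hash(prev_hash: str, transactions: list) -> str:
    """Hash of a page; covering the previous page's hash is what forms the link."""
    payload = json.dumps({"prev": prev_hash, "tx": transactions}, sort_keys=True)
    return sha256_hex(payload.encode())

GENESIS_PREV = "0" * 64  # the first page points at an all-zero hash

def build_chain(pages: list) -> list:
    """Append pages one after another, each embedding the previous page's hash."""
    chain, prev = [], GENESIS_PREV
    for transactions in pages:
        h = page_hash(prev, transactions)
        chain.append({"prev": prev, "tx": transactions, "hash": h})
        prev = h
    return chain

def first_invalid_page(chain: list):
    """Index of the first page whose hash or link does not check out, else None."""
    prev = GENESIS_PREV
    for i, page in enumerate(chain):
        if page["prev"] != prev or page_hash(page["prev"], page["tx"]) != page["hash"]:
            return i
        prev = page["hash"]
    return None

def tamper(chain: list, index: int, new_amount: int, recompute_hash: bool = False) -> list:
    """Copy of the chain with one amount altered, optionally re-hashing that page."""
    forged = copy.deepcopy(chain)
    forged[index]["tx"][0]["amount"] = new_amount
    if recompute_hash:
        forged[index]["hash"] = page_hash(forged[index]["prev"], forged[index]["tx"])
    return forged

# Constructed sample ledger, not real bitcoin transactions.
PAGES = [
    [{"from": "issue", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 10}],
    [{"from": "bob", "to": "carol", "amount": 3}],
]

if __name__ == "__main__":
    chain = build_chain(PAGES)
    print("intact chain, first bad page:", first_invalid_page(chain))                 # None
    print("edit page 1 only:", first_invalid_page(tamper(chain, 1, 40)))               # 1
    print("edit and re-hash page 1:", first_invalid_page(tamper(chain, 1, 40, True)))  # 2
    # Re-hashing the last page breaks no later link, so linkage alone does not catch it:
    # on the real network that new hash would also have to satisfy the proof of work and
    # be accepted by the other nodes, which is where the cost of tampering comes from.
    print("edit and re-hash last page:", first_invalid_page(tamper(chain, 2, 30, True)))  # None
    one_char_change = bit_difference(sha256_hex(b"bitcoin"), sha256_hex(b"bitcoim"))
    print("bits changed by a one-character edit:", one_char_change)
```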
Mining and Proofs of Work
Bitcoins were initially created and assigned at the rate of fifty bitcoins approximately every ten minutes. Every four years or so, the amount issued every ten minutes is halved. The most recent adjustment was made on July 9, 2016, with bitcoins now being issued at the rate of 12.5 every ten minutes. The protocol specifies an upper limit of 21 million for the number of bitcoins that can be issued. This figure will be reached in 2140, after which bitcoins will no longer be issued. Nearly 16 million bitcoins have been issued to date.
There are currently around 5,000 nodes, known as primary nodes, in the bitcoin network that maintain a copy of the blockchain and receive newly created bitcoins. Candidates, or miners, who occupy these major nodes on the bitcoin network, are anonymous and known only by their account numbers. The candidates compete with one another to solve puzzles and win bitcoins. The puzzles generally involve finding an x such that f(x) has a certain property, where f is SHA-256. That property, for example, might involve beginning with five zeroes. Solving puzzles involves calculating many possible values for f(x). The probability of winning is directly proportional to the miner’s ability to compute the SHA-256 function. The greater the computing capacity he or she possesses, the quicker a suitable value can be found. Due to the computation effort involved, this method is termed a proof of work.
It is impossible, in practice, to find an x for a given y such that f(x) = y. What is needed is a puzzle that is both feasible and that could be solved in a reasonable period of time. Thus the request for a partial inversion of f that involves finding an x such that f(x) is a sequence of characters beginning with k zeroes. The value of k can be used to adjust the puzzle’s difficulty. The larger the value of k, the more difficult it becomes to find a satisfactory x. On average, finding x involves testing 2^k values of x. For example, if k = 10, then 2^10 = 1,024 calculations of f(x) are required. For k = 20, around a million attempts would be needed. To obtain a finer level of control, the value f(x) is treated as a number in base 2. The sequence 11010001 … 01 represents the number 0.11010001 … 01 = 1/2 + 1/4 + 1/16 + 1/256 + … . One then requests a number x such that f(x) < y, where y is a positive threshold set between 0 and 1. The average resolution time can then be determined with great precision by carefully selecting the value for y. This is the method used in bitcoin’s proof-of-work protocol.
It is important to avoid submitting the same puzzle multiple times to provide protection from spam and denial of service attacks; otherwise libraries of solutions could be calculated in advance. This scenario can be easily avoided by making the puzzle dependent on a parameter p; find an x that starts with the string p = 0100011010100, such that f(x) < y. The number of possible parameters p is unlimited.
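The puzzle of the preceding paragraphs, as an added example that is not code from the original article: a candidate x is formed from the parameter p followed by a nonce, the SHA-256 digest is read as a binary fraction, and a solution is any x with f(x) < y. It also shows that requiring k leading zero bits is the special case y = 2^-k, that checking a solution costs one hash, and that the average search length is about 2^k. The nonce encoding (8 big-endian bytes appended to p) is an assumption made for this illustration.

```python
import hashlib

NONCE_BYTES = 8  # assumption: the nonce is appended to p as 8 big-endian bytes

def sha256_int(data: bytes) -> int:
    """f(x) as a 256-bit integer; dividing by 2**256 gives the fraction 0.b1b2...b256."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def digest_hex(p: bytes, nonce: int) -> str:
    """Hex digest of the candidate x = p || nonce, for display and checking."""
    return hashlib.sha256(p + nonce.to_bytes(NONCE_BYTES, "big")).hexdigest()

def threshold_for_leading_zero_bits(k: int) -> float:
    """Asking for k leading zero bits is the special case y = 2^-k of f(x) < y."""
    return 2.0 ** -k

def solves(p: bytes, nonce: int, y: float) -> bool:
    """Checking a proposed solution costs a single hash, however hard it was to find."""
    target = int(y * (1 << 256))  # f(x) < y, compared as 256-bit integers
    x = p + nonce.to_bytes(NONCE_BYTES, "big")
    return sha256_int(x) < target

def solve_puzzle(p: bytes, y: float, max_tries: int = 1 << 24):
    """Find a nonce such that f(p || nonce) < y; returns (nonce, hashes computed)."""
    for nonce in range(max_tries):
        if solves(p, nonce, y):
            return nonce, nonce + 1
    raise RuntimeError("no solution within max_tries")

def mean_tries(k: int, trials: int) -> float:
    """Average hashes needed over many distinct parameters p; expected about 2^k."""
    y = threshold_for_leading_zero_bits(k)
    total = 0
    for i in range(trials):
        p = b"0100011010100-" + str(i).encode()  # a different p per trial (constructed)
        total += solve_puzzle(p, y)[1]
    return total / trials

if __name__ == "__main__":
    p = b"0100011010100"  # the parameter string from the text
    for k in (4, 8, 12):
        nonce, tries = solve_puzzle(p, threshold_for_leading_zero_bits(k))
        print(f"k={k:2d}: nonce={nonce:6d} tries={tries:6d} digest={digest_hex(p, nonce)[:16]}...")
    print("mean tries for k=6 over 400 puzzles:", mean_tries(6, 400))
```

Raising k by one doubles the expected number of hashes, which is why the network's total SHA-256 rate, not any single miner's cleverness, decides how quickly puzzles are solved.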
The first miner to solve a puzzle wins the newly created bitcoins. The miner selects the transactions that are waiting on the network and groups them into a page, or block, which is then added to the blockchain. In this manner, the blockchain is lengthened by one page every ten minutes. The winning miner also accrues, via his bitcoin account, all the optional fees associated with transactions. These additional payments ensure that miners will continue to be paid when bitcoins are no longer being issued and that there will always be volunteers to manage and monitor the blockchain. These fees, voluntarily associated with a signed transaction by the issuer, played only a minor role before 2016. They have gradually increased in importance because the size of the pages added every ten minutes has become inadequate for the volume of transactions, which are also issued at ten-minute intervals. An increase in the block size used by bitcoin is currently being discussed among miners. The outcome will be determined by a voting system in which only the miners can participate. The same mechanism is used to decide on the adoption of changes to the protocol.
Proofs of work are periodically adjusted in difficulty so that they require, on average, ten minutes to resolve. This system has led to an arms race among miners. The most successful have begun using specialized Application-Specific Integrated Circuits (ASICs) optimized for calculating SHA-256. Mining guilds, or mining pools, have been formed in response. Miners work together as if they were a single entity, collectively solving each puzzle. Winnings are shared in proportion to the computing power contributed by each miner. Members win smaller amounts, but do so more regularly.
The processing power of the miner network, or hash power, is currently estimated at a staggering 1.5 × 10^18 SHA-256 calculations per second.9 The investment required to obtain specialized equipment, and the associated electricity overheads, serves to guarantee the blockchain’s resistance to attacks, in particular 51% attacks. Otherwise, a miner with more than 50% of the network’s total hash power has the ability to seriously disrupt the operation of the protocol.
Accessibility and Participation
The bitcoin protocol envisioned a system in which there are, and always will be, volunteers to maintain the blockchain. When a new page is added, each miner verifies that the state of the blockchain is correct. If this is not the case, the miner does not include the addition. Other cryptocurrencies have differing implementations. The length of time between page additions, for example, is often less than ten minutes and in some cases, such as in the Ethereum protocol, there is no upper limit on the number of monetary units that can be issued.
The open and transparent design of bitcoin is also an important consideration. Other types of blockchain can be limited, or even totally abandoned. The free bitcoin software can be downloaded by anyone. The codebase is open sourced and freely accessible. As a result, anyone can participate in monitoring the bitcoin currency by helping to ensure that no one creates bitcoins in contravention of protocols, all transactions are conducted according to the rules, and no one issues transactions by spending bitcoins they do not have in their account.
Advances in computing in terms of processing, storage, and networking have been instrumental in the establishment and growth of bitcoin. The current generation of microprocessors commands the resources needed to manipulate, explore, and control the bitcoin system. The blockchain is roughly ninety-five gigabytes, a volume of data that can be comfortably accommodated by current laptop computers. The increasing reliability and efficiency of computer networks allows for almost instantaneous updates to a single blockchain. These advances, taken together, would have been impossible just fifteen years ago. Anyone possessing a reasonably recent personal computer can participate in the system.
Obtaining Bitcoins
To use bitcoin, an account and digital wallet are required.10 An account can be created anonymously, but it would be naïve to assume that the system can be used in complete anonymity. The complete history of transactions made using bitcoin since its inception can be found on the blockchain. One should also consider the possibility that there may be eavesdroppers in the peer-to-peer network monitoring IP addresses. When bitcoins are bought and sold in regular currencies, such as euros, some proof of identity is usually required. Maintaining the security of bitcoin account details is paramount. If a hacker manages to obtain an account key, he has full access to its contents. Deleting a digital wallet, even by mistake, is an irreversible process; the money in the account is lost forever.
The partial anonymity of accounts is also an attractive feature for unsavory individuals who might use bitcoin to avoid taxes or engage in money laundering. Bitcoin has, indeed, been used to conduct fraudulent and illegal transactions. This has often been portrayed as a particular weakness of the currency. Cash can also be used for illegal activities, circumstances that hardly sully its reputation. The operation of bitcoin is not affected by these problems. The strength of the protocol is derived from its design and mathematical cryptography. In over seven years of operation none of these elements has been found to be faulty.
Bitcoins can be obtained from platforms similar to physical currency exchanges. The purchased bitcoins are then registered in an account that can be managed from a computer or mobile phone. Bitcoins can also be kept in accounts that are managed by independent operators, the bitcoin equivalent of bank deposits. There are now specialized automatic teller machines that accept bills and send the corresponding sum in bitcoins to a nominated account. Bitcoins can be acquired by trading: selling a book, for example, and receiving payment in the form of bitcoins added to an account. Many merchants and websites accept payment in bitcoins, but to mitigate against the risk of fluctuations in valuation, they often automatically convert bitcoin payments into common currency.
Misconceptions, Durability, and Risk
The status of bitcoin as a competitor to established centralized currencies has created hostility in some countries.11 Bitcoin has been banned in Russia and is regulated in other countries such as Canada, where it is subject to anti-money laundering and counter-terrorist financing laws. The evolution of these regulations will shape the future adoption of cryptographic currencies.
Bitcoin and cryptocurrencies have been described as Ponzi schemes.12 It is true that the first miners—among them Nakamoto, who is thought to possess at least five percent of all the bitcoins in circulation—acquired quantities of bitcoins for next to nothing that are now worth hundreds of millions of euros. But this was not at the expense of other miners. Nor was it at the expense of current bitcoin users, who, with full knowledge of the risks and costs of mining, acquire bitcoins in currency exchanges or by investing in mining infrastructure. Nothing in the bitcoin protocol suggests an inevitable collapse, as is always the case for Ponzi schemes.
Bitcoins are, for all intents and purposes, every bit as real and solid as gold bullion, or the bank notes in one’s pocket. Cryptography has succeeded in creating unfalsifiable virtual objects. Bitcoins can also be circulated, almost without cost, from one location to another almost instantaneously. Since the abandonment of the gold standard, bitcoin, like any physical currency, relies only on the trust of its users. But in the case of bitcoins, that trust is not established by a central issuing bank. The cryptographic protocol prevents anyone from falsifying an account, and, in particular, from flooding the market with newly issued currency, leading to a collapse in its value. Holders of bitcoins are also protected against inflation. New bitcoins are issued at a predetermined rate and the supply cannot exceed the quantity specified in the protocol. A deflation of the currency is thus impossible.
At around fifteen billion euros, the current total capitalization of bitcoin represents only a fraction of the value of the euro or the dollar; counting only the bills in circulation, the latter are about a hundred times the value of bitcoin. For bitcoin to become truly competitive with these currencies, its value would have to rise dramatically.
The lack of centralized control means that the price of bitcoins can be subject to currency speculation, and it has been claimed that the value of bitcoins is manipulated by individuals who own large quantities of them. Their value does vary, sometimes by several percentage points per day, and on one occasion by more than thirty percent in a single day. This makes the currency difficult to use for trading purposes. But these variations have greatly declined over the last two years. It is not unreasonable to suggest that the high total capitalization value of bitcoins has had the effect of broad self-regulation.
There are now more than seven hundred cryptographic currencies. While based on principles similar to those of bitcoin, they differ in their implementation and may prove better suited for particular uses. Some of these protocols, in contrast to bitcoin, offer complete anonymity. This feature may entice users away from bitcoin.
The Ethereum protocol and its associated currency, known as ether, differ from bitcoin in that applications can be deposited on the blockchain. For example, a program could be developed that holds ethers and operates a lottery. Ethers are added to or subtracted from accounts, depending on the result. This is, in fact, a form of decentralized autonomous organization (DAO). A variety of so-called smart contracts can be implemented using this protocol. This feature has proven to be both a strength and a weakness of the Ethereum protocol. In June 2016, the initial enthusiasm for Ethereum ended in a mini disaster. A DAO that, rather imprudently, held ether equivalent in value to 150 million euros was emptied of a third of its contents by a hacker who exploited a programming error. A smart contract should thus be handled with extreme care. Once placed on the blockchain, it cannot be easily modified. To remedy these weaknesses, verification techniques, such as those used in aeronautics, and more generally in embedded computing, must be developed and implemented for smart contracts.
The Future
The prospects for bitcoin, and cryptocurrencies in general, remain unclear. No currencies of this type have ever existed. Some believe that bitcoin’s current trajectory is nothing more than a bubble.13 But as each year passes, the continuing growth of bitcoin serves to reduce fears of a sudden collapse. Vitalik Buterin, co-founder of Ethereum, claims that
The long-term goal for Ethereum 2.0 and 3.0 is for the protocol to quite literally be able to maintain a blockchain capable of processing Visa-scale transaction levels, or even several orders of magnitude higher, using a network consisting of nothing but a sufficiently large set of users running nodes on consumer laptops.14
In the future, the blockchain principle could be adjusted in a multitude of ways, correcting the defects in Nakamoto’s protocol and creating new opportunities for expansion. It seems certain that Nakamoto did not envision the creation of mining pools. If a limit were set on the number of miners, the SHA-256 proof-of-work mechanism used by bitcoin could be eliminated. The Ethereum protocol uses a different proof-of-work algorithm, one that requires a significant amount of memory and that cannot be accelerated by specialized processors. Interest in mining is maintained for all participants, even those with less powerful computing resources. Another defect in the bitcoin protocol is the halving of payments to miners every four years. Miners will inevitably become reliant on payment from commissions. This has also been corrected in the Ethereum protocol, under which the rate of issue remains constant.
Considered more broadly, the range of possible future applications for blockchain technology is intriguing.
Blockchain systems of the type used by bitcoin ensure that a transaction between two users takes place. The transaction is conducted in public and is controlled by the network’s principal nodes, the miners. The transaction is computed by each principal node, and is thus computed many times, which serves to increase security. In a system with a central node, or a series of intermediary nodes, user confidence is required at each step. Controls and recalculations are possible and necessary, but these require complicated and cumbersome constructions. The general model of security is confused and not well established. Traditional systems were developed when only a small number of calculations were involved, storage requirements were minimal, and information circulated slowly. The solutions worked well, but were also clumsy, slow, and costly. The advent of high-speed networks has made possible a new form of agreement. This type of network, in which there is no central node, no third-party security, and no intermediaries that must be controlled separately, seems an obvious solution for the future.
Public blockchains of the type used by bitcoin are not without their drawbacks. The mining and proof-of-work systems are computer intensive and relatively complicated. Other methods, such as a proof-of-stake approach, have not been tested to the same extent as the system used by bitcoin. Public blockchains are limited in terms of their capacity to execute transactions. A communication failure in the bitcoin network could lead to two different blockchains coexisting for a few minutes. Some accounts may spend the same amount twice due to a split in the blockchain. A selection procedure based on the calculated content of each blockchain allows for the recovery of system coherence once communication is restored.15
Private or semi-private blockchain models, in which the information on the blockchain is still freely available but the ability to write to the blockchain is limited, could be of interest to the finance and banking sector. If the principal nodes are fixed, there is no need for a mining system to designate who adds a new page to the blockchain. Consequently, there is almost no limit to the number of transactions that can be processed per second.
Ukraine is currently evaluating a platform developed for the Ethereum blockchain as a way to organize and guarantee the results of elections.16 A blockchain would be used to collect votes, which would be added to the blockchain anonymously, but verified using encryption, meaning that when the election closes, the results are freely available and easily verifiable.17
The viability of loans implemented via the blockchain remains unclear. If a user lends money to another user who defaults on the loan, the lender cannot force repayment using the blockchain. One deterrent for defaulting is the automatic publication of the information, validated by the blockchain, and the prospect of reputational damage for the borrower. For a loan made in order to acquire property, it is conceivable that the certificate of ownership for the property could be linked on the blockchain to a successful repayment, and automatically canceled if the borrower defaults. If blockchains eventually acquire legal status, lenders could initiate legal action when borrowers default on a loan, requesting an external authority to force repayment of the loan or to pursue the defaulter.
Cryptocurrencies, in particular proof-of-work systems based on one-way functions, have given rise to some interesting developments in online gambling. An approach similar to bitcoin mining might seem applicable, given that a winner is declared every ten minutes and cheating is impossible. But the odds of a player winning would be dependent on their computing power, meaning that some participants would have an unfair advantage. More direct methods that deliver randomized drawings and are both perfectly fair and controllable have been developed. Online dice games in which neither the casino nor the player can cheat are one example. The underlying protocols have long been known in cryptography; Manuel Blum proposed a telephone protocol for coin flipping in 1981.18 But it is only recently that online casinos have begun offering provably fair games, the honesty of which is guaranteed by mathematical cryptography and for which no supervision is needed.19 These protocols are only concerned with ensuring randomness in games of chance; payments to players are not guaranteed. In the future, smart contracts may be a solution.
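A provably fair dice roll of the kind described above, as an added example that is not part of the original article: the player commits to a secret before the casino contributes its own, so neither side can steer the outcome, and a player who tries to substitute a different secret at reveal time is caught. A SHA-256 hash commitment is used here as a stand-in for the number-theoretic commitment in Blum's original protocol; that substitution, and the message ordering, are assumptions made for this illustration.

```python
import hashlib
import secrets

def commit(secret: bytes) -> str:
    """Commitment to a secret: fixes it without revealing it (secret must be
    high-entropy, e.g. 32 random bytes, or the other side could brute-force it)."""
    return hashlib.sha256(b"commit|" + secret).hexdigest()

def opens(commitment: str, secret: bytes) -> bool:
    """Check that a revealed secret is the one committed to earlier."""
    return commit(secret) == commitment

def dice_outcome(player_secret: bytes, casino_secret: bytes) -> int:
    """Mix both contributions into one roll; neither side controls it alone."""
    mixed = hashlib.sha256(player_secret + b"|" + casino_secret).digest()
    return int.from_bytes(mixed, "big") % 6 + 1

def play_round(player_secret: bytes, casino_secret: bytes, revealed_secret: bytes):
    """Run the messages in order; returns (accepted, outcome or None)."""
    # 1. Player sends the commitment before learning anything from the casino.
    commitment = commit(player_secret)
    # 2. Casino, holding only the commitment, sends casino_secret in the clear.
    #    It cannot choose a value that steers the roll: the player's part is
    #    already fixed, but hidden from it.
    # 3. Player reveals; casino checks the reveal against the commitment.
    #    (A player who refuses to reveal after seeing casino_secret must be
    #    treated as having forfeited the round, or the player could abort
    #    whenever the roll looks unfavourable.)
    if not opens(commitment, revealed_secret):
        return False, None  # substituted secret: the round is rejected
    return True, dice_outcome(revealed_secret, casino_secret)

if __name__ == "__main__":
    player, casino = secrets.token_bytes(32), secrets.token_bytes(32)
    print("honest reveal:", play_round(player, casino, player))
    print("swapped secret:", play_round(player, casino, secrets.token_bytes(32)))
```

Anyone holding the commitment, both secrets and the transcript can recompute the roll, which is the sense in which the game is provably fair; whether the casino then pays out is outside the protocol, as the paragraph notes.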
Translated and revised in English by the editors.