
KAUNAS UNIVERSITY OF TECHNOLOGY

Faculty of mathematics and natural sciences

Department of applied mathematics

Course work

Cryptographic currency: Bitcoin

P170M100 – Cryptographic systems

Author: I. Ignatauskas IF-3.3 gr.

Supervisor: Prof. dr. E. Sakalauskas

Kaunas, 2013

1. Introduction

2. Network
   2.1. The block chain
   2.2. Blocks
   2.3. Mining (block hashing)
   2.4. SHA-256

3. Transactions
   3.1. Digital Signature Algorithm
   3.2. Addresses and wallets
   3.3. Transaction messages
   3.4. Confirmation
   3.5. In-store transactions

Conclusion

References

1. Introduction

The concept of a "crypto-currency" was first described in 1998 by Wei Dai: a new form of money that uses cryptography to control its creation and its transactions instead of a central authority. The first successful implementation of the idea is Bitcoin, introduced in 2009 by Satoshi Nakamoto [1]. Bitcoin is an open-source, completely digital currency and a peer-to-peer payment network powered by its users. The most commonly used unit is also called the bitcoin (BTC); the smallest unit is the satoshi (1 BTC = 100,000,000 satoshis).

The main problems with centralized currencies are that their controllers can increase the supply at will and impose arbitrary rules on their users. Furthermore, such a system can be destroyed or disrupted by attacking its central point of control. Being decentralized, Bitcoin has no such single point of control and avoids these problems by design.

Currently most electronic payments rely on banks and payment systems such as PayPal. While these work well enough, they have several disadvantages. You have to provide your personal information to third parties; your accounts can be frozen or their balance partially or completely confiscated; and payments to certain legal entities may be refused. They are also expensive: a credit card or payment system fee may be several percent of the transaction, and an electronic funds transfer from one bank account to another costs about 1 euro locally and 10-50 euros internationally, while the cheaper transfers may take a few days. Another problem for merchants is that completely non-reversible payments are not possible, which leads merchants to ask for more information from their customers than they would otherwise need; despite their best efforts, a certain percentage of fraud is still unavoidable. In comparison, Bitcoin is pseudonymous (payments are tied to addresses rather than to identities), has very low or no transaction cost, can be sent worldwide with an average confirmation time of 10 minutes, cannot be frozen or refused by any authority, and its payments are non-reversible.

Payment systems based on a trusted third party use encryption to protect user information. In Bitcoin's case nothing is encrypted and all transactions are public. The advantage is that there is no central database of accounts to break into. However, this puts a lot of responsibility in the hands of the user, who has to keep the wallet (the private keys) secure: whoever holds a private key can spend the coins, and a stolen key cannot be revoked. Bitcoin transactions are tied only to cryptographic keys, so privacy is also the responsibility of the user.

Some people also view Bitcoin as a viable alternative to traditional government-controlled fiat currencies. At first Bitcoin was mostly known and used by IT enthusiasts and criminals. A large boost to its popularity came from the global financial crisis, which reduced people's trust in banking systems and government-controlled currencies. People started to look for alternative ways to store their money, and cryptographic currencies received more attention. Investing in Bitcoin, however, seems risky because its price is currently very volatile and it is not backed by any government or institution.

Since the introduction of Bitcoin many similar crypto-currencies have emerged, most of them sharing most of their source code with Bitcoin. For example, Litecoin (LTC) uses a different hashing algorithm, has a higher maximum number of coins and a shorter confirmation time. Nevertheless, Bitcoin remains the most popular crypto-currency.

The aim of this paper is to analyze and describe how the Bitcoin network and protocol operate.

2. Network

Bitcoin uses a peer-to-peer network to propagate transactions. All Bitcoin transactions are combined into blocks that form the block chain. Nodes exchange information about blocks, transactions and the addresses of other nodes they know of. The network may be summarized by the following points [1]:

- New transactions are broadcast to all nodes.
- Each full node (in this paper, a node that performs the proof-of-work computation that keeps the network secure, i.e. a miner) collects new transactions into a block.
- Each full node works on finding a proof-of-work for its block.
- When a full node finds a proof-of-work, it broadcasts the block to all nodes.
- Nodes accept the block only if all transactions in it are valid and the block follows the protocol rules.
- Full nodes express their acceptance by working on the next block in the chain, using the hash of the accepted block as the previous-block reference.

2.1. The block chain

The block chain is a public transaction database shared by all nodes on the Bitcoin network. It is the main innovation of Bitcoin. The full block chain contains every transaction that ever occurred on the network and is stored on the computer of anyone who chooses to do so. Because of this, many users have complete records of every transaction in Bitcoin's history readily available at any time, and anyone who wants this information can obtain it with ease. This makes Bitcoin very hard to fool: a node does not trust what it is told about balances, it recomputes them from the chain.

Blocks in the chain are connected to each other by referring to the hash value of the previous block (fig. 1). This works as a timestamp that proves the referenced block existed when the block referencing it was created. Every new block added to the chain reinforces the chronological order and validity of the previous blocks.

Figure 1: Chronological connection of blocks

Honest network nodes generate new blocks only by referencing blocks in the longest valid chain (fig. 2, black blocks); strictly, nodes select the chain with the most cumulative proof-of-work, which is normally also the longest. A chain is considered valid if all blocks and the transactions within them are valid, and only if it starts at the genesis block (the first block generated; fig. 1, green block). Blocks in invalid chains or in shorter chains are not used. When a client switches to another chain, all valid transactions in the abandoned chain are returned to the pool of queued transactions and will be included in another block. Once a block has been in the chain for a while it becomes computationally impractical to modify, because every block after it would have to be regenerated. These properties make double spending of bitcoins very difficult.

As a block can reference only a single previous block, there is only one path from any block to the genesis block. However, going forward from the genesis block there may be forks (fig. 1, purple blocks), which occur when two (or more) blocks reference the same previous block. One-block forks are created from time to time when two nodes generate a block only a few seconds apart. When that happens, full nodes build onto the block they received first. The tie breaks when the next block is generated and one of the branches becomes longer. More serious forks have occurred after fixing bugs that required backward-incompatible changes.

2.2. Blocks

Bitcoin transactions are permanently recorded in the network through files called blocks. The maximum size of a block is currently limited to 1 MB, but it may be increased in the future. Each block contains a UNIX timestamp, which is used in block validity checks (it must be later than the median timestamp of the preceding blocks and not more than two hours in the future) to make it more difficult for an adversary to manipulate the block chain. New blocks are added to the end of the record (the block chain) by referencing the hash of the previous block, and once added they are never changed. A variable number of transactions is included in a block through a merkle tree (fig. 3). Transactions in the merkle tree are hashed using double SHA-256 (the hash of the hash of the transaction message).

Figure 3: Structure of a merkle tree

Transactions are included in the block's hash indirectly through the merkle root (the top hash of the merkle tree). This allows old transactions to be removed (fig. 4) without modifying the hash of the block. Once the latest transaction is buried under enough blocks, the earlier transactions it spends serve only as a history of ownership and can be discarded to save space.

Figure 2: Block chain

Figure 4: Removing old transactions from the blocks
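The merkle tree described above, as an added example (written for this page, not code from the paper): it builds a Bitcoin-style root with double SHA-256, including the rule that a level with an odd number of hashes is handled by duplicating the last one, and it produces the branch of sibling hashes that a node needs to prove one transaction is in a block without keeping the others (the pruning the text describes). The five transactions are constructed placeholders; real leaves are the double SHA-256 hashes of serialized transaction messages.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _next_level(level):
    """Pair up a level's hashes, duplicating the last one if the count is odd."""
    if len(level) % 2:
        level = level + [level[-1]]
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves) -> bytes:
    """Merkle root as Bitcoin computes it over the transaction hashes of a block."""
    if not leaves:
        raise ValueError("a block holds at least one transaction (the coinbase)")
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def merkle_branch(leaves, index: int):
    """Sibling hashes, bottom-up, proving leaves[index] is in the tree. This is all a pruned
    or lightweight node needs to check one transaction without the rest of the block."""
    branch, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        branch.append(level[index ^ 1])
        level, index = _next_level(level), index // 2
    return branch

def verify_branch(leaf: bytes, index: int, branch, root: bytes) -> bool:
    """Recompute the path from a leaf to the root; the index parity says which side the sibling is on."""
    h = leaf
    for sibling in branch:
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index //= 2
    return h == root

# Constructed sample block of five placeholder transactions (real leaves are the
# double SHA-256 of serialized transaction messages).
TXS = [b"constructed tx %d" % i for i in range(5)]
LEAVES = [dsha256(tx) for tx in TXS]
ROOT = merkle_root(LEAVES)

def all_proofs_hold() -> bool:
    """Every transaction has a valid inclusion proof, and a foreign one does not."""
    ok = all(verify_branch(LEAVES[i], i, merkle_branch(LEAVES, i), ROOT) for i in range(len(LEAVES)))
    forged = dsha256(b"constructed tx 99")
    return ok and not verify_branch(forged, 0, merkle_branch(LEAVES, 0), ROOT)

if __name__ == "__main__":
    print("merkle root:", ROOT[::-1].hex())       # Bitcoin displays hashes with the bytes reversed
    print("branch for tx 4:", [h.hex() for h in merkle_branch(LEAVES, 4)])
    print("all proofs hold:", all_proofs_hold())
```

Two things to keep in mind when relying on such proofs. Bitcoin stores and hashes in little-endian byte order and displays hashes reversed, hence the `[::-1]` when printing. And the duplicate-last-hash rule has a known side effect (CVE-2012-2459): a transaction list whose last entry is repeated produces the same root as the list without the repeat, so a node must reject blocks containing duplicate transactions rather than trust the root alone.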

2.3. Mining (block hashing)

Mining is the process of including transactions into newly generated blocks. The primary purpose of mining is the validation of transactions, but it also serves as the mechanism that creates new bitcoins. Mining is designed to be resource intensive, and its difficulty is adjusted by the network so that the rate of block generation remains steady. When mining, a node constantly tries to produce a proof-of-work, which is required for the block to be accepted by the network as valid. The proof-of-work algorithm is relatively simple. The basic idea is that the hash (double SHA-256) of the block header (see table 1) must not exceed a set target. Different hash values are produced mostly by changing the nonce (the timestamp and the set of transactions accepted into the block also change the hash, but those change relatively slowly). When a node finds a hash that meets the target (solves a block), it broadcasts the new block to the network and is entitled to the block generation reward. Once a proof-of-work is found, other nodes can verify it with a single hash computation, and the block cannot be changed without redoing the work. As blocks are chained, changing a block would also mean redoing all the blocks after it. So as long as honest nodes control most of the computing power of the network, the honest chain will outpace any other chain.

Table 1: Structure of a block header

Field           Purpose                                           Update conditions                               Size, bytes
Version         Block version number                              Software update which specifies a new version   4
hashPrevBlock   256-bit hash of the previous block header         A new block comes in                            32
hashMerkleRoot  256-bit hash based on all of the transactions     A transaction is accepted into a block          32
                in the block
Time            Current timestamp as seconds since                Every few seconds                               4
                1970-01-01T00:00 UTC
Bits            Current target in compact format                  Difficulty is changed                           4
Nonce           32-bit number (starts at 0)                       A hash is tried                                 4

Difficulty is changed by adjusting the current target (the number the hash value must not exceed). This is done every 2016 blocks (about two weeks). The network hash rate is estimated from how long it took to generate the last 2016 blocks, and a new target is set so that the average time to generate a block would be 10 minutes; the adjustment is limited to a factor of four in either direction per period. The target is actually a 256-bit number, stored in the header in a compact format (a one-byte exponent and a three-byte mantissa, much like a floating-point number). Blocks whose target values do not follow the protocol's difficulty rules are considered invalid by honest network nodes.

The block generation reward consists of two parts. The first part is the generation (coinbase) transaction, which creates a certain amount of bitcoins out of nothing. The number of bitcoins created starts at 50 BTC and is halved every 210,000 blocks (fig. 5). The last block that generates coins should be mined near the year 2140, bringing the total number of bitcoins to slightly below 21 million. The second part of the reward is the transaction fees of all transactions included in the block. These fees are the incentive for miners to include transactions in the block (verifying them) and to continue mining (and thus providing security to the network) when the number of newly generated bitcoins has greatly decreased.
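An added example (written for this page, not code from the paper or from Bitcoin) that puts Table 1 and the paragraphs of this section into code: it serializes the 80-byte header, decodes the compact Bits field into the 256-bit target, searches the nonce, re-checks a header's proof-of-work, applies the 2016-block retarget with its factor-of-four limit, computes the work a block represents (what nodes actually compare when choosing between chains) and the subsidy schedule, including the exact total that "slightly below 21 million" stands for. GENESIS is the real Bitcoin genesis block header; the toy target 0x1f0fffff used in `mine_demo` is an assumption of the example, far easier than any real target, so the search finishes in a moment.

```python
import hashlib
import struct

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

MAX_TARGET = 0xFFFF << 208          # the easiest allowed target (difficulty 1), compact form 0x1d00ffff

def bits_to_target(bits: int) -> int:
    """Decode the compact 'Bits' field: one byte of exponent (a byte count) and a
    3-byte mantissa, i.e. target = mantissa * 256**(exponent - 3)."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target is never valid")
    return mantissa >> (8 * (3 - exponent)) if exponent <= 3 else mantissa << (8 * (exponent - 3))

def target_to_bits(target: int) -> int:
    size = (target.bit_length() + 7) // 8
    mantissa = target >> (8 * (size - 3)) if size > 3 else target << (8 * (3 - size))
    if mantissa & 0x00800000:        # keep the sign bit clear
        mantissa, size = mantissa >> 8, size + 1
    return (size << 24) | mantissa

def serialize_header(version, prev_hash, merkle_root, time, bits, nonce) -> bytes:
    """The 80-byte header of Table 1; integers little-endian, hashes in internal byte order."""
    return struct.pack("<I", version) + prev_hash + merkle_root + struct.pack("<III", time, bits, nonce)

def header_hash(header: bytes) -> int:
    """Double SHA-256 of the header, read as a little-endian 256-bit integer."""
    return int.from_bytes(dsha256(header), "little")

def check_pow(header: bytes) -> bool:
    """A header carries its own target in Bits; the proof-of-work is valid iff hash <= target."""
    bits = struct.unpack("<I", header[72:76])[0]
    return header_hash(header) <= bits_to_target(bits)

def mine(version, prev_hash, merkle_root, time, bits, max_nonce=1 << 32):
    """Try nonces until the header hash meets the target (Table 1: 'A hash is tried')."""
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        header = serialize_header(version, prev_hash, merkle_root, time, bits, nonce)
        if header_hash(header) <= target:
            return nonce, header
    return None      # a real miner then bumps the timestamp or changes the coinbase (and so the merkle root)

def retarget(old_bits: int, actual_timespan: int) -> int:
    """Adjustment after 2016 blocks, aiming at 600 s per block, limited to a factor of 4
    per period and never easier than MAX_TARGET."""
    expected = 2016 * 600
    clamped = max(expected // 4, min(expected * 4, actual_timespan))
    new_target = bits_to_target(old_bits) * clamped // expected
    return target_to_bits(min(new_target, MAX_TARGET))

def block_work(bits: int) -> int:
    """Expected number of hashes needed at this target; a chain's work is the sum over its blocks."""
    return 2 ** 256 // (bits_to_target(bits) + 1)

def subsidy(height: int) -> int:
    """Block subsidy in satoshis: 50 BTC, halved (by integer division) every 210,000 blocks."""
    halvings = height // 210_000
    return 0 if halvings >= 64 else (50 * 100_000_000) >> halvings

def total_supply() -> int:
    """Sum of all subsidies ever paid, in satoshis: slightly below 21 million BTC."""
    return sum(210_000 * subsidy(h) for h in range(0, 64 * 210_000, 210_000))

# The real genesis block header (version 1, no previous block, time 1231006505,
# bits 0x1d00ffff, nonce 2083236893), in wire byte order.
GENESIS = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c")

def mine_demo():
    """Mine a toy block on top of the genesis block at an artificially easy target (assumed)."""
    prev = dsha256(GENESIS)                   # internal byte order, as stored in hashPrevBlock
    root = dsha256(b"constructed coinbase")   # stands in for a real merkle root
    return mine(1, prev, root, 1231006505 + 600, 0x1F0FFFFF, max_nonce=1 << 24)
```

`block_work` is the quantity the "longest chain" rule really uses: a chain with fewer but harder blocks beats a longer chain of easy ones, which is why a block whose Bits field does not match the retarget rule is rejected outright rather than counted.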

2.4. SHA-256

Bitcoin uses the SHA-256 hash function for its proof-of-work algorithm. SHA-256 is a cryptographic hash function designed by the United States National Security Agency (NSA). It consists of the following steps:

- Initialize the starting hash values and the round constants K_t.
- Break the message into 512-bit blocks, padding the last one if necessary.
- Produce 64 32-bit words W_t from each 512-bit block (the message schedule).
- Perform 64 iterations (fig. 6) on each block, using a different K_t and W_t in each.
- Add the result of each block's iterations to the running hash values; the final values form the hash of the message.

Figure 5: Total number of bitcoins over time

SHA-256 is easy to parallelize and to implement in hardware. In comparison, Litecoin uses the memory-intensive scrypt algorithm, which is harder to parallelize because a large amount of fast memory would be required to run many cores in parallel. Arguably this makes Litecoin less vulnerable to the centralization of mining power that arises from limited ownership of specialized hardware. But this is unclear: because SHA-256 is very simple, many individuals could implement it in hardware, whereas scrypt, being more difficult, could prove worse for centralization if a well-funded entity comes up with a fast but proprietary ASIC.

Figure 6: One iteration of SHA-256
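The five steps above as an added pure-Python SHA-256 (written for this page; not taken from the paper or from Bitcoin's sources, and far too slow for real mining). Instead of typing the 64 round constants it derives them the way the standard defines them, as the fractional parts of the square and cube roots of the first primes, using exact integer roots so no floating-point rounding can slip in; `matches_stdlib` compares the result with Python's hashlib, and `double_sha256` is the variant Bitcoin applies to headers and transactions.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF

def _icbrt(n: int) -> int:
    """Integer cube root by Newton's method, so the constants come out exact."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

PRIMES = []
_c = 2
while len(PRIMES) < 64:
    if all(_c % p for p in PRIMES if p * p <= _c):
        PRIMES.append(_c)
    _c += 1

H_INIT = [math.isqrt(p << 64) & MASK for p in PRIMES[:8]]   # frac(sqrt(prime)) * 2^32
K = [_icbrt(p << 96) & MASK for p in PRIMES]                 # frac(cbrt(prime)) * 2^32

def _rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK

def _compress(state, block: bytes):
    """One 512-bit block: build the message schedule W0..W63, run 64 rounds, add to state."""
    w = list(struct.unpack(">16I", block))
    for t in range(16, 64):
        s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for t in range(64):                       # one iteration of fig. 6 per round
        big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + K[t] + w[t]) & MASK
        big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256(message: bytes) -> bytes:
    """Pad (0x80, zeros, 64-bit big-endian bit length) to a multiple of 64 bytes, then compress."""
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64) + struct.pack(">Q", 8 * len(message))
    state = H_INIT
    for i in range(0, len(padded), 64):
        state = _compress(state, padded[i:i + 64])
    return struct.pack(">8I", *state)

def double_sha256(message: bytes) -> bytes:
    """Bitcoin hashes block headers and transactions with SHA-256 applied twice."""
    return sha256(sha256(message))

def matches_stdlib(message: bytes) -> bool:
    """Cross-check single and double SHA-256 against hashlib."""
    ref = hashlib.sha256(message).digest()
    return sha256(message) == ref and double_sha256(message) == hashlib.sha256(ref).digest()
```

The padding cases worth testing are messages of 55, 56 and 64 bytes, where the length field does or does not fit in the current block; an implementation that is off by one there still produces plausible-looking digests for short inputs.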

3. Transactions

In a simplified form, a Bitcoin transaction is performed by the following steps. Suppose Alice wants to send some bitcoins to Bob:

- Bob sends his address to Alice.
- Alice puts Bob's address and the amount of bitcoins to transfer into a transaction message.
- Alice signs the transaction with her private key and includes her public key so that the signature can be verified.
- Alice broadcasts the transaction on the Bitcoin network for all to see.
- Nodes verify the signature and check that the coins being spent have not already been spent; the network then confirms the transaction by including it in the block chain.

3.1. Digital Signature Algorithm

To sign transactions Bitcoin uses the elliptic curve digital signature algorithm (ECDSA) [3]. An elliptic curve over a prime finite field $\mathbb{F}_p$ is defined by the equation

$y^2 \equiv x^3 + ax + b \pmod{p}$, where $p > 3$ and $a, b \in \mathbb{F}_p$,

and is the set of all pairs $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ satisfying it, together with an extra point at infinity $O$ that acts as the identity element.

The group operation on the points of an elliptic curve is called addition, but its definition has nothing to do with conventional arithmetic addition (fig. 7). To add a point P to another point Q on the same curve, we first join P and Q with a straight line. The third point where this line intersects the curve is denoted R. The mirror image of R with respect to the x axis is the point P + Q (so P + Q = -R). If the third point of intersection does not exist, it is taken to be the point at infinity.

Figure 7: Elliptic curve point addition

Multiplication of a curve point by a scalar is defined as $k \times P = P + P + \dots + P$ (k terms; fig. 8). Adding a point to itself, P + P, means drawing the tangent at P (as another point approaches P, the joining line becomes the tangent at P in the limit). In practice $k \times P$ is computed by repeated doubling and adding, so it needs only about $2 \log_2 k$ curve operations rather than k.

Figure 8: Elliptic curve point multiplication by scalar

For a digital signature based on an elliptic curve, we need to select a curve and a base point G of large prime order n (meaning that $n \times G = O$ and no smaller positive multiple of G is O). Signatures in Bitcoin use the curve secp256k1 [6], defined over $\mathbb{F}_p$ with $p = 2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$ (a 256-bit prime), $a = 0$ and $b = 7$; its group order n is also a 256-bit prime.

ECDSA can be described by the following steps. Suppose Alice wants to send a signed message. First Alice creates a key pair, consisting of a private key integer $d_A$, randomly selected in the interval $[1, n-1]$, and a public key curve point $Q_A = d_A \times G$ (elliptic curve point multiplication by a scalar).

To sign a transaction message m, Alice follows these steps:

1. Calculate the hash of the message, $z = \mathrm{SHA256}(m)$ (Bitcoin actually applies SHA-256 twice to the serialized transaction).
2. Select a random integer k from $[1, n-1]$.
3. Calculate the curve point $(x_1, y_1) = k \times G$.
4. Calculate $r = x_1 \bmod n$. If $r = 0$, go back to step 2.
5. Calculate $s = k^{-1}(z + r \cdot d_A) \bmod n$. If $s = 0$, go back to step 2.
6. The signature is the pair (r, s).

The value k must be secret and unique for every signature: if the same k is used for two different messages, the two signatures share r and the private key can be computed from them, and a biased or predictable k leaks the key as well. Implementations therefore commonly derive k deterministically from the private key and the message hash (RFC 6979) instead of relying on a random number generator.

For Bob to authenticate Alice's signature, he must have a copy of her public key point $Q_A$. Bob first checks that $Q_A$ is a valid curve point:

1. Check that $Q_A$ is not equal to the identity element O and that its coordinates are integers in $[0, p-1]$.
2. Check that $Q_A$ lies on the curve.
3. Check that $n \times Q_A = O$.

After that, Bob follows these steps:

1. Verify that r and s are integers in $[1, n-1]$. If not, the signature is invalid.
2. Calculate $z = \mathrm{SHA256}(m)$ (the same hash as used for signing).
3. Calculate $w = s^{-1} \bmod n$.
4. Calculate $u_1 = z \cdot w \bmod n$ and $u_2 = r \cdot w \bmod n$.
5. Calculate the curve point $(x_1, y_1) = u_1 \times G + u_2 \times Q_A$. If it is O, the signature is invalid.
6. The signature is valid if $r \equiv x_1 \pmod n$, and invalid otherwise.

Note that if (r, s) is a valid signature then so is (r, n - s); a third party can therefore alter a signature, and with it the hash of the transaction that carries it, without knowing the private key.

3.2. Addresses and wallets

A Bitcoin address is a 160-bit hash of an ECDSA public key (fig. 9): RIPEMD-160 applied to the SHA-256 of the public key. A new ECDSA key pair is generated for each receiving address. The hash, together with a version byte and a 4-byte checksum (the first four bytes of the double SHA-256 of the preceding data), is converted to an alphanumeric representation using a custom Base58Check encoding; the checksum lets software reject a mistyped address instead of sending coins to a hash for which nobody holds a key. Bitcoin allows you to create as many addresses as you want (each takes up about 500 bytes in the wallet), and each one is completely separate.

All these addresses (public keys) and their associated private keys are stored in a wallet data file. Spending coins sent to a Bitcoin address requires the associated private key to exist in the recipient's wallet. Wallets can be encrypted to protect the keys from being stolen. It is also highly recommended to make backups of your wallet, because if you completely lose your wallet file, all of your coins are lost and cannot be recovered. To make backups easier to manage, the wallet uses a pre-generated key queue (the key pool). When you need a new address, it is not freshly generated but taken from this queue. The queue is saved into a backup, so when you restore from a backup, a certain number of new addresses (and the bitcoins sent to them) will not be lost.

Since Bitcoin addresses are essentially random numbers, it is possible, although extremely unlikely, for two people to independently generate the same address (a collision). If this happens, both the original owner of the address and the colliding owner could spend money sent to that address. However, intentionally generating a colliding address would currently take tens of orders of magnitude longer than generating a block, which earns the generation reward and transaction fees. So it will likely always be more profitable to play by the rules and use your processing power for block hashing (helping to keep the network secure) than to try to create collisions.
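Figure 9's conversion as an added example (written for this page, not the paper's code): public key to HASH160, version byte, double SHA-256 checksum and Base58 digits, plus the decode direction a wallet uses to refuse a mistyped address. The sample key is the uncompressed encoding of the base point G (the public key belonging to private key 1), used only as a known constant, and the 160-bit hash from the paper's scriptPubKey example is encoded as well. `hashlib.new("ripemd160")` needs an OpenSSL build that provides RIPEMD-160 (1.1.x, or 3.0.7 and later).

```python
import hashlib

ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"   # no 0, O, I, l

def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def hash160(data: bytes) -> bytes:
    """RIPEMD-160(SHA-256(data)); requires OpenSSL with RIPEMD-160 available to hashlib."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def b58encode(payload: bytes) -> str:
    n = int.from_bytes(payload, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    # every leading zero byte becomes a leading '1'; that is why mainnet addresses start with 1
    zeros = len(payload) - len(payload.lstrip(b"\x00"))
    return (b"1" * zeros + bytes(reversed(digits))).decode()

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text.encode():
        n = n * 58 + ALPHABET.index(ch)       # raises ValueError for a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * zeros + body

def base58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    return b58encode(data + dsha256(data)[:4])

def base58check_decode(text: str):
    """Return (version, payload); raise ValueError when the 4-byte checksum does not match."""
    raw = b58decode(text)
    data, checksum = raw[:-4], raw[-4:]
    if len(data) < 1 or dsha256(data)[:4] != checksum:
        raise ValueError("bad Base58Check checksum")
    return data[0], data[1:]

def pubkey_to_address(pubkey: bytes, version: int = 0x00) -> str:
    """Figure 9 in code: SEC-encoded public key -> HASH160 -> version + checksum -> Base58."""
    return base58check_encode(version, hash160(pubkey))

def address_to_hash160(address: str) -> bytes:
    version, payload = base58check_decode(address)
    if version != 0x00 or len(payload) != 20:
        raise ValueError("not a mainnet pay-to-pubkey-hash address")
    return payload

def checksum_catches_typo(address: str) -> bool:
    """Replace one character in the middle of the address and confirm decoding rejects it."""
    pos = len(address) // 2
    wrong = chr(ALPHABET[(ALPHABET.index(address[pos].encode()) + 1) % 58])
    try:
        base58check_decode(address[:pos] + wrong + address[pos + 1:])
    except ValueError:
        return True
    return False

# Known constant: uncompressed encoding of the secp256k1 base point G (the public key of private key 1).
PUBKEY_OF_ONE = bytes.fromhex(
    "0479be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
    "483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8")
# The public key hash from the paper's scriptPubKey example in section 3.3.
PAPER_HASH160 = bytes.fromhex("404371705fa9bd789a2fcd52d2c580b65d35549d")
```

The version byte matters as much as the checksum: a payment tool should check it, since a valid Base58Check string with another version (a testnet address, or a private key export) decodes without error but is not a mainnet address.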

Figure 9: Elliptic-curve public key to Bitcoin address conversion

3.3. Transaction messages

The basic idea behind bitcoins is that a digital coin is a chain of signatures (fig. 10). When transferring coins, the current owner must prove ownership of the coins and specify their new owner. The new owner is indicated by his public key (Bitcoin address), and ownership is proven by providing a signature made with the private key associated with the Bitcoin address (public key) of the previous transaction. The signature also protects the transaction message from modification.

Figure 10: Transaction of coins

An actual Bitcoin transaction is a little more complex. First, it can have multiple inputs and outputs, which allows the value of coins to be split and/or combined. Second, it uses scripting to set the conditions for redeeming coins, which makes it possible to design more complex types of transactions and link them together into cryptographically enforced agreements. Although non-standard transactions are extremely rare now, scripting could be used to integrate third-party services in the future (such as resolving disputes between buyer and seller).

A typical example of a standard pay-to-pubkey-hash transaction message with one input and one output:

Input:
  Previous tx: f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6
  Index: 0
  scriptSig: 304502206e21798a42fae0e854281abd38bacd1aeed3ee3738d9e1446618c4571d1090db022100e2ac980643b0b82c0e88ffdfec6b64e3e6ba35e7ba5fdd7d5d6cc8d25c6b241501

Output:
  Value: 5000000000
  scriptPubKey: OP_DUP OP_HASH160 404371705fa9bd789a2fcd52d2c580b65d35549d OP_EQUALVERIFY OP_CHECKSIG

The input is a reference to an output of a different transaction. Previous tx is the hash of the previous transaction and Index selects the specific output of the referenced transaction. The scriptSig is the first half of the script used to authorize collecting coins from an output. For a standard transaction the input script contains two components, a signature and a public key. The scriptSig cannot be covered by the signature (it contains that signature), so it is excluded from the signed data; standard scriptSigs therefore contain only data values pushed onto the stack and no operations.

The output contains instructions for sending coins. Value is the amount of coins, expressed in satoshis (1 BTC = 100,000,000 satoshis), that this output will be worth when referenced. The scriptPubKey is the second half of the script used to authorize collecting coins from an output. The sum of all inputs always has to be greater than or equal to the sum of all outputs (otherwise the transaction will not be accepted by the network). If you want to spend only part of the value of an input, a second output that sends the "change" back to you is created. If the sum of the inputs is greater than the sum of the outputs, the difference is taken as the transaction fee, so a forgotten change output is an expensive mistake.

The authorization to collect coins from referenced outputs is checked by executing the scriptSig and then the referenced output's scriptPubKey on a shared stack (in this order). The input is authorized if the script completes without failing and leaves a true value on top of the stack. In this example the standard condition is used: the public key provided in the scriptSig is hashed and compared with the hash in the scriptPubKey, and if they are equal, the signature is verified (using the signature and public key provided in the scriptSig). However, scripting allows the sender to create very complex conditions that must be met to claim the output's value. For example, an output may be redeemable by revealing a secret value whose hash is in the script (a "password") instead of a key, or it may require the input to be signed by several different keys. It is also possible to create an output that can be redeemed by anyone without any authorization.
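An added example that covers both section 3.1 and the script evaluation described above (written for this page; it is not code from the paper, and real wallets use constant-time libraries rather than this textbook arithmetic): secp256k1 point addition and scalar multiplication, ECDSA signing and verification with the public-key checks listed in 3.1, what happens when the nonce k is reused, and a small stack machine that runs a scriptSig followed by the pay-to-pubkey-hash scriptPubKey. Simplifications, all assumptions of this example: the message hash z is passed in directly, the signature is pushed as 64 raw bytes r||s rather than Bitcoin's DER encoding with a hash-type byte, public keys are uncompressed, and only the opcodes the paper's example needs are implemented. `hashlib.new("ripemd160")` needs an OpenSSL build that provides RIPEMD-160.

```python
import hashlib
import secrets

P = 2**256 - 2**32 - 977           # secp256k1 field prime, from SEC 2 (reference [6])
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Chord-and-tangent addition on y^2 = x^3 + 7 over F_P; None is the point at infinity O."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # P + (-P) = O
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, p):
    """k x P by double-and-add."""
    r = None
    while k:
        if k & 1:
            r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def valid_pubkey(q):
    """The three checks from 3.1: not O, on the curve, n x Q = O."""
    return q is not None and (q[1] ** 2 - q[0] ** 3 - 7) % P == 0 and mul(N, q) is None

def sign(d, z, k=None):
    """Signing steps 2-6; k must be fresh and secret every time (see recover_private_key)."""
    while True:
        k = k or secrets.randbelow(N - 1) + 1
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s:
            return r, s
        k = None

def verify(q, z, sig):
    """Verification steps 1-6."""
    r, s = sig
    if not (valid_pubkey(q) and 1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

def recover_private_key(z1, sig1, z2, sig2):
    """Two signatures made with the same k share r; then k = (z1 - z2)/(s1 - s2), d = (s1*k - z1)/r."""
    (r, s1), (_, s2) = sig1, sig2
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N

def hash160(data):
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def encode_pubkey(q):
    """Uncompressed SEC encoding: 0x04 || x || y (65 bytes)."""
    return b"\x04" + q[0].to_bytes(32, "big") + q[1].to_bytes(32, "big")

def run_script(ops, z):
    """Run scriptSig followed by scriptPubKey on one shared stack; pushed data are bytes, opcodes
    are strings, z is the hash the signature commits to. True only if a true value ends on top."""
    stack = []
    for op in ops:
        if isinstance(op, bytes):
            stack.append(op)
        elif op == "OP_DUP":
            stack.append(stack[-1])
        elif op == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif op == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False
        elif op == "OP_CHECKSIG":
            pub, sig = stack.pop(), stack.pop()
            q = (int.from_bytes(pub[1:33], "big"), int.from_bytes(pub[33:65], "big"))
            rs = (int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"))
            stack.append(b"\x01" if verify(q, z, rs) else b"")
        elif op == "OP_TRUE":
            stack.append(b"\x01")
        else:
            raise ValueError("unsupported opcode %r" % (op,))
    return bool(stack) and stack[-1] != b""

def script_pubkey(q):
    """OP_DUP OP_HASH160 <hash160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG, as in the paper's example."""
    return ["OP_DUP", "OP_HASH160", hash160(encode_pubkey(q)), "OP_EQUALVERIFY", "OP_CHECKSIG"]

def script_sig(d, z, k=None):
    """<signature> <pubkey>: the two data pushes of a standard input."""
    r, s = sign(d, z, k)
    return [r.to_bytes(32, "big") + s.to_bytes(32, "big"), encode_pubkey(mul(d, G))]
```

`recover_private_key` is the reason the signing routine insists on a fresh k: the arithmetic needs nothing but two signatures and the two hashed messages, all of which are public on the block chain. In Bitcoin z is the double SHA-256 of the transaction with this input's scriptSig replaced by the scriptPubKey being spent, which is why the scriptSig itself cannot be covered by the signature.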

3.4. Confirmation

A transaction message is broadcast to the network and is considered confirmed when it is included in a block; on average this takes about 10 minutes. However, one confirmation is not very safe, and it is recommended to wait for 2-6 confirmations. Additional confirmations are the blocks added after the block in which the transaction was included: each of them is more work an attacker would have to redo to replace the transaction, so the probability of a successful reversal decreases with every block [1].
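The probability that an attacker catches up, as an added example (written for this page, not code from the paper): a port of the calculation in Nakamoto's paper [1], where q is the attacker's share of the network hash rate and z the number of confirmations. `confirmations_needed` inverts it to answer the practical question of how many blocks to wait for a given risk; the original tabulates, for instance, q = 0.1, z = 5 for a risk below 0.1 %.

```python
import math

def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the hash rate eventually replaces
    a transaction that already has z confirmations (Nakamoto's formula, reference [1])."""
    if not 0 <= q < 1:
        raise ValueError("q must be in [0, 1)")
    p = 1.0 - q
    if q >= p:
        return 1.0                   # a majority attacker always catches up
    lam = z * (q / p)                # expected attacker progress while honest nodes mine z blocks
    total = 1.0
    for k in range(z + 1):           # k = blocks the attacker has already mined meanwhile
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        total -= poisson * (1 - (q / p) ** (z - k))
    return total

def confirmations_needed(q: float, risk: float, max_z: int = 1000) -> int:
    """Smallest number of confirmations for which the attacker's success probability is below risk."""
    for z in range(max_z + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    raise ValueError("risk not reachable within max_z confirmations")

def table(q: float, max_z: int = 6):
    """Rows (z, probability), the shape of the tables in [1]."""
    return [(z, attacker_success_probability(q, z)) for z in range(max_z + 1)]
```

The curve is exponential in z but very sensitive to q: the six confirmations that are ample against a 10 % attacker give only a few percent of protection against a 30 % one, which is the case for waiting longer on high-value payments.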

3.5. In-store transactions

Bitcoin is well suited for online stores. Merchants can accept bitcoins directly or use a third-party payment-processing service that accepts them. Some payment services can automatically convert bitcoins to other currencies such as USD or EUR.

As Bitcoin transactions can take tens of minutes to become confirmed, they may seem unsuitable for in-person transactions, as in supermarkets. However, retailers can accept unconfirmed transactions with little risk by simply 'listening' on the Bitcoin network for a double-spending transaction, or by using a third party that offers such a service. The original transaction propagates through the Bitcoin network so fast that a fraudulent double-spend transaction would have a very low chance of succeeding.

Theoretically, an attacker could avoid sending a second, fraudulent transaction to the network by solo-mining a block containing an attack transaction that sends the coins back to himself, withholding the block from the rest of the network, quickly making a fraudulent purchase and then releasing the attack block (a so-called Finney attack). However, the cost of such an attack would greatly outweigh the value of anything that could be sold without confirmation, and it is extremely hard to execute.

Some brick-and-mortar businesses are already accepting bitcoins as a payment option. One common method uses smartphones and wallet addresses encoded in QR codes (fig. 11). The seller displays or prints a QR code, and the customer pays by scanning it with a mobile phone. There are also proposals to use Bluetooth or NFC instead of QR codes.

Figure 11: Using mobile phones and QR codes for payment

Another method is to accept bitcoins only for the purchase of gift or pre-paid cards, which are later used for the actual purchases of goods or services. This is probably the easiest way to accept bitcoins if your business already processes gift cards.

Some companies are already building point-of-sale terminals designed to work exclusively with crypto-currencies such as Bitcoin and Litecoin (fig. 12).

Figure 12: Bitcoin POS terminal

Conclusion

Bitcoin introduced a new payment system that relies on cryptographic proof-of-work instead of trust. The network nodes reach consensus with little coordination by voting with their processing power. They express their acceptance by working on valid blocks and transactions, and reject invalid ones by refusing to work on them. This keeps the network secure as long as honest nodes control the majority of the processing power.

Because of its decentralized nature, Bitcoin is neutral, its rules are highly predictable, it gives users a lot of control over their money, and it can offer very low transaction fees.

Ownership of coins is established with public key cryptography and is tied only to cryptographic keys, which offers the possibility of anonymity.

Bitcoin has been operating successfully for almost five years. The concept seems like a natural step in the evolution of digital payment systems. However, its future is still unclear because of its small degree of acceptance and mostly undefined legal status. Furthermore, Bitcoin is the first, experimental realization of the concept, so later crypto-currencies that try to improve on Bitcoin may take over in the future.

References

1. Satoshi Nakamoto. Bitcoin: A Peer-to-peer Electronic Cash System. Available at: http://bitcoin.org/bitcoin.pdf
2. Yogesh Malhotra. Bitcoin Protocol: Model of 'Cryptographic Proof' Based Global Crypto-Currency & Electronic Payments System. Available at: http://yogeshmalhotra.com/BitcoinProtocolPaper_MalhotraYogesh.pdf
3. Bitcoin Wiki: Technical. Available at: https://en.bitcoin.it/wiki/Category:Technical
4. Wikipedia. Elliptic Curve DSA. Available at: http://en.wikipedia.org/wiki/Elliptic_Curve_DSA
5. Avi Kak. Lecture 14: Elliptic Curve Cryptography and Digital Rights Management. Available at: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture14.pdf
6. Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. Available at: http://www.secg.org/collateral/sec2_final.pdf
7. Bitcoin.org. Frequently Asked Questions. Available at: http://bitcoin.org/en/faq
8. Wikipedia. SHA-2. Available at: http://en.wikipedia.org/wiki/SHA-2
9. Coinbase. Accept Bitcoin using mobile device. Available at: https://coinbase.com/docs/merchant_tools/point_of_sale
10. Coinkite. Bitcoin Merchant Terminal. Available at: https://coinkite.com/faq/terminal