rp4

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004273, IEEE Internet of
Things Journal
IEEE INTERNET OF THINGS JOURNAL 1
Bitcoin and Blockchain: Security and Privacy

Ehab Zaghloul, Tongtong Li, Matt W. Mutka, Jian Ren
Abstract—Blockchain is a technology that was proposed to third-party. In Bitcoin, users possess ownership rights to virtual
enable the decentralized digital currency, Bitcoin. Since its cryptocoins that are denoted as Bitcoins (BTC). Users generate
inception, blockchain has been widely used in many other areas, transactions to transfer BTC and store them in the public
including tracing sensor data and mitigating its duplication in
IoT applications, the healthcare industry, and e-voting. In this ledger, blockchain. The smallest transferable value today is
paper, we provide a comprehensive review and analysis of the known as a Satoshi, which is equivalent to one-hundredth of
major security and privacy issues of Bitcoin and blockchain, the a millionth BTC (i.e. 0.00000001 BTC).
major challenges, and opportunities in utilizing the technology. Bitcoin transactions utilize cryptographic protocols to pro-
First, we present a comprehensive background of Bitcoin and the vide a secure process while striving to preserve the privacy
preliminary on security. Second, the major security threats and
countermeasures of Bitcoin are investigated. We analyze the risk of both the buyer and seller. The transactions are stored in
of double-spending attacks, evaluate the probability of success in a blockchain [2]–[5] to limit inherent issues of digital media
performing the attacks, and derive the profitability for the at- such as double-spending [6]. A blockchain is a distributed
tacker to perform such attacks. Third, we analyze the underlying database acting as a public ledger that holds all processed
Bitcoin peer-to-peer network security risks and Bitcoin storage transactions. It is based on a distributed consensus that allows
security. We compare three types of Bitcoin wallets in terms of
security, types of services, and their trade-offs. Finally, we discuss any past and present online transaction to be verified [7].
the security and privacy features of alternative cryptocurrencies Bitcoin transactions are released into the network and
and present an overview of emerging technologies today. Our validated by the nodes as they propagate through the entire
results can help Bitcoin users to determine a trade-off between network. The validating nodes, referred to as miners, compete
the risk of double-spending attempts and the transaction time to mine groups of transactions into blocks and earn BTC as a
delay or confidence before accepting transactions. These results
can also assist miners to develop suitable strategies to get involved reward. Mining is the process of solving a hard cryptopuzzle,
in the mining process and maximize their profits. referred to as the Proof-of-Work (PoW), that requires extensive
Index Terms—Blockchain, Bitcoin, Cryptocurrency, digital computational power. The first miner capable of finding a
assets, double-spending. solution to the problem broadcasts his/her block to the network
and earns the reward. The reward consists of a specified
amount of new released BTC and all the transaction fees
I. I NTRODUCTION associated with the transactions included in the block. All the
cryptocurrency is a decentralized online currency that other miners then surrender to the solution of the winning
A was developed as an alternate means to transfer money
in an unprecedented way. Existing financial systems require
miner and append the winning block to the blockchain.
The first Bitcoin software was implemented by Satoshi
a centralized trusted financial institution to securely process Nakamoto and is known as the Bitcoin Core. This imple-
transactions between two parties. This institution charges mentation is sometimes referred to as the Satoshi client and
costly service fees that are unavoidable for banking customers. is run by most of the network nodes in Bitcoin. It is an
In addition to such cost burdens, delayed processing time and open source project with a large developer community con-
security issues have affected the modern-day financial industry. tributing to it. The developers follow a Bitcoin Improvement
Certain transactions, such as funds transfer, may take days or Proposals (BIP) [8] document and introduce the standards of
weeks to be cleared, causing issues in cases of urgency. The the system. The document also contains new features and
modern-day financial system is also plagued with security and proposals for the developer community to test thoroughly
privacy vulnerabilities. Financial institutions employ the most before making final modifications to the software.
advanced security techniques to protect customers. However, Following Bitcoin, many cryptocurrency systems appeared
the sensitive information of the customer is always exposed to and continue to do so today. The blockchain technology is
the financial institutions making it vulnerable to information a common characteristic shared by many newly emerging
leakage. To mitigate these security concerns, privacy risks, and cryptocurrency systems [9]. The majority of these systems are
inconveniences, new cryptogra-phic protocols have been de- mainly clones of Bitcoin. These systems introduced only minor
veloped to allow secure and convenient asset transfer, without adjustments such as currency supply or block size within the
involving a centralized third-party. Blockchain. Alternatively, a few systems introduce innovative
In 2008, Satoshi Nakamoto developed a white paper in concepts that offer substantial features. Examples of these
which he proposed Bitcoin [1]. Bitcoin is an online Peer-to- features include novel consensus mechanisms or enhanced
Peer (P2P) digital cash system that does not require a trusted decentralized computing platforms that can provide additional
functions and higher flexibility to the system.
The authors are with Michigan State University, East Lansing, MI 48824- All cryptocurrencies are traded in the online cryptocurrency
1226, Email: {ebz, tongli, mutka, renjian}@msu.edu.
This work was supported in part by NSF grants CCF-1919154 and ECCS- marketplace. The cryptocurrency market is similar to other
1923409. exchange markets such as the stock market, with various
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Carleton University. Downloaded on July 13,2020 at 07:27:02 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3004273, IEEE Internet of
Things Journal
2 IEEE INTERNET OF THINGS JOURNAL
trading platforms. However, the cryptocurrency market is not reflecting that attackers with 51% computational power
regulated by a government or agency and trading occurs or more will continue to profit indefinitely.
virtually 24/7 across the world. The nature of cryptocur- 3) We present fundamental network security and privacy
rency allows transactions to occur at speeds that cannot be concerns. The purpose of this analysis is to expand the
accomplished with fiat currency, such as the United States knowledge of readers on major security and privacy
dollar. This results in a much more volatile market than concerns that threaten the stability of systems running
traditional trading markets. Coin prices are continuously rising the blockchain technology. Our target is to help the
and dropping, and new cryptocurrencies consistently enter and reader realize the major threats to such systems from
leave the marketplace. Many coins continue to rise in value a security and privacy perspective.
based on value demonstrated to investors. However, increased 4) We dive deeply into the exploration of Bitcoin storage
speculation in the marketplace has lead to the over-evaluation wallets. We first classify wallets based on their underly-
of many cryptocurrencies. ing infrastructure and methods of PKI pair generation.
As of January 2020, the total market cap of the cryptocur- We aim at presenting the cryptographic primitives re-
rency market hit $211 billion [10]. This amount comes from lated to each type of wallet. Next, we classify wallets
the total valuation of almost one thousand cryptocurrencies based on installation environments and then further
on the market today. Comparing this amount to the $17.6 classify them based on functionality. We strive to help
billion total market cap in 2016, the market has increased by the readers understand the different classes of wallets,
1,198%. This rapid growth in the new market has led an effort their corresponding security risks, and the best practices
to examine the role of cryptocurrency in the future. to secure their cryptocoins.
The interest in blockchain continues to grow aggressively.
A. Contributions It has already attracted a wide range of audiences such as
governments, enterprises, health-care, and many more. We
While the main purpose of this paper is to examine the realize that in order for blockchain to sustain its success and
potential stability of Bitcoin, we strive to delve deeper into for these interested entities to adopt it, we must educate a
analyzing the double-spending attacks by modeling the prob- wider range of audience, which could include: (i) researchers
ability of success in multiple ways. In particular, utilizing at the beginning of the line that wish to expand on research
our analysis, we present our own profitability analysis of the in this area and (ii) skeptical entities and individuals that wish
double-spending attacks. We reveal a break-point in time when to adopt the technology and wish to learn more about it. We
attackers should give up on the attack since it is unlikely that aim at putting together a comprehensive study that explores
they will turn a profit beyond this point (i.e. the time when blockchain technology from multiple angles and filling in the
the cost is greater than the revenue). We present a trade-off gaps of previous studies.
between the waiting time before accepting a transaction versus
the profits/losses of the attackers. This may help maximize
the confidence of the users before accepting transactions. B. Organization
In addition to this, we thoroughly analyze the infrastructure The rest of the paper is organized as follows. In Section II,
of Bitcoin storage wallets. Our discussion presents the key we provide a comprehensive background review on Bitcoin
algorithmic features introduced by each wallet type in order outlining its building blocks and protocols. Next, in Section
to counter the different potential threats. The main purpose is III, we evaluate double-spending attacks and present our
to enlighten the users with the trade-offs when using different profitability analysis. Following that, in Section IV, we assess
types of wallets from a cryptographic perspective. the major network security attacks of the Bitcoin network.
More specifically, the major contributions of this paper can In Section V, we analyze the security issues in the storage
be summarized as follows: wallets used by Bitcoin today. We investigate the subsequent
1) We provide a comprehensive explanation of the primary privacy protocols of Bitcoin in an effort to limit the linkage
components of Bitcoin discussed in a sequential and problem in Section VI. In Section VII, we review protocols
logical order for the readers to comprehend. The main and alternative consensus algorithms implemented in emerging
purpose is to cultivate the readers with the necessary cryptocurrencies outlining the security and privacy advantages
background on Bitcoin to consolidate their understand- and limitations. Finally, we conclude our study, summarize the
ing of the system. lessons learned, and future research directions in Section IX.
2) We delve thoroughly into the analysis of double-
spending attacks. We first show that the probability of II. U NDERSTANDING B ITCOIN
success of performing double-spending attacks can be Research in digital cash dates back to the early 1980s [11].
modeled using two distinct probabilistic models. We In 1990, DigiCash Inc., an electronic cash corporation, made
show that both models result in a similar outcome. Next, an initial attempt to provide a cryptocurrency system [12].
using these probabilistic models, we present a profitabil- Later, other systems such as DigiCash [12] and b-money [13]
ity analysis on performing double-spending attacks. The were introduced that used cryptographic protocols and aimed
main purpose of this analysis is to reflect the trade-off to enhance privacy. These systems suffered key issues includ-
between the waiting time before accepting a transaction ing double-spending attacks and did not use the blockchain
versus the profits/losses of the attackers. We also aim at technology.
Things Journal
ZAGHLOUL et al. : BITCOIN AND BLOCKCHAIN: SECURITY AND PRIVACY 3
Blockchain as a concept was initially proposed by Stuart SPV nodes with the required information from the blockchain
Haber and W. Scott Stornetta in 1991 [2]. Their blockchain necessary to complete the transaction verification.
aimed at certifying the creation/modification of a digital Some nodes may only perform one particular function. Ones
record by digitally time-stamping the records. However, the that are engaged in the mining process are referred to as mining
blockchain was not efficient since each record was indepen- nodes while others that generate transactions are referred to
dently time-stamped. To improve efficiency, Merkle trees [14] as wallets.
were incorporated into blockchains in 1992 [3]. They im- In most Bitcoin software implementations, all nodes are
proved efficiency by handling multiple digital records into one treated equally and can be uniquely identified by their IP
block. Finally, Satoshi Nakamoto implemented the first real addresses. Using these addresses, peers establish Transmission
blockchain and used it as the core technology for the Bitcoin Control Protocol (TCP) connections with one another. Each
cryptocurrency system. In this section, we will present the node can choose whether to connect to the network using
major building blocks and protocols of Bitcoin. a public or private IP. A node that utilizes a public IP is
accessible over the Internet by any connected node while
one with a private IP is only accessible by nodes within its
A. The Bitcoin Network
private network. By default, a node with a public IP address is
Bitcoin runs over a P2P network. The main advantage of granted 8 outbound connections and 117 inbound connections,
using a P2P network is the agile movement of data for all resulting in a total of 125 connections. On the other hand, a
nodes to achieve consensus. In contrast to the typical P2P node with a private IP address is granted only 8 outbound
network used to share data files between interested peers, connections. An outbound connection is initiated by the node
Bitcoin utilizes the network to rapidly broadcast data among itself when it requests connecting to a discoverable node
all the connected nodes. This process is known as flooding while an inbound connection is initiated by other nodes in
and continues until all nodes within the network receive the the network that desire connecting to the node.
broadcast data. For explanation purposes, we define the node that initiates
It is important to differentiate between the terms node and a connection as client and the node that waits for an incoming
peer of a P2P network. A node is a network entity that is connection as server. Both nodes engage in a TCP handshake
connected to one or multiple other similar nodes. The directly by exchanging network packets defined as version and verack.
connected nodes are referred to as the peers. Nodes propagate The client initiates a connection request by sending a version
data to the indirectly connected nodes by traversing it to their packet addressed to the IP address of the server. By default,
peers which follow a similar manner until the data reaches the server listens on port 8333 for incoming version packets. If
every connected node. the server accepts the version packet, it responds with a verack
In the Bitcoin network, data being flooded includes IP packet and its own version packet, both addressed to the IP
addresses of the nodes, newly generated transactions, and address of the client. Finally, the client responds by sending a
blocks of verified transactions that extend the blockchain. verack packet addressed to the IP address of the server and the
Peers share IP addresses of other nodes that they are connected connection is established. The connection enables symmetric
to or have discovered from their peer nodes. The aim behind communication allowing the client and server to exchange
sharing IP addresses is to allow peers in the network to data bidirectionally. The connection is lost if peers do not
discover and connect to more nodes resulting in a random communicate for a specified idle time. To reconnect, peers
network topology. Newly generated transactions are broadcast engage in a new TCP handshake.
through the network to rapidly publicize their occurrence to all As discussed previously, a node shares with its peers a list of
connected nodes. Miners compete to mine these transactions IP addresses that it has learned as a result of being connected
into blocks. The winning miner broadcasts the block to all the to the network. Each node stores its list in two separate tables:
nodes to extend and update their version of the blockchain. a tried table and a new table. The tried table of a node stores IP
Nodes in the Bitcoin P2P network are defined based on their addresses that the node has established connections with while
roles. The main duties are summarized as transaction gener- its new table stores IP addresses that it has only discovered but
ation, block/transaction routing, block/transaction verification, did not attempt to connect to yet. When a node desires sharing
and transaction mining. Block/transaction routing is performed IP addresses with its peers, it randomly selects IP addresses
by all nodes. from both tables and sends them in addr messages. An addr
A node that can perform all functions is referred to as a message can contain up to 23% or a maximum of 1000 IP
full node. It consistently keeps a copy of the full blockchain addresses of the total IP addresses stored in both tables. To
allowing it to verify any transaction without needing assistance initiate sharing, a node sends a getaddr message to its peers
of other connected nodes. It also possesses a BTC wallet requesting them to share their lists of IP addresses. The peers
that can generate transactions and compute the possessed then respond with an addr message. In some cases, sharing
value of BTC by the node. Moreover, a full node possesses IP addresses is unsolicited if a node voluntarily sends an addr
computational resources to compete in the mining competition. messages to its peers without receiving a getaddr message.
Nodes that do not store a full copy of the blockchain are A node that wishes to connect to the Bitcoin network for
referred to as Simplified Payment Verification (SPV) nodes the first time cannot obtain IP addresses by this method.
or lightweight nodes. These nodes require assistance from Bootstrapping is mainly achieved by communicating with a
full nodes when verifying a transaction. Full nodes feed the Domain Name Server (DNS) seeder. The node sends a DNS
Things Journal
query requesting a list of active IP addresses. If the DNS fails which specifies conditions that must be met in order to grant
to respond with an appropriate list of active IP addresses, the ownership rights. For example, the locking script attached
node can still connect to the network by using a hard-coded to UTXOpay must include the Pub of the seller needed to
list of IP addresses, referred to as seeds. Once connected to generate his/her wallet address. This ensures that the payment
any of these IP addresses, the node can then request more IP is made to the wallet of the seller and only he/she is granted
addresses from its peers by sending getaddr messages. access to it with his/her corresponding Pr. Using Pr, the seller
Nodes also relay verified transactions and blocks to their can generate a digital signature that corresponds to the Pub
peers to reach consensus. A node begins by broadcasting an associated with the locking script, hence claim the output.
inventory (inv) message to all its peers informing them of The inputs {UTXO1 , UTXO2 , · · · , UTXOn } represent un-
the new transactions or blocks it has received and verified. spent transaction outputs claimed by the buyer from previous
The peer nodes check whether they are already informed of transactions. When a buyer decides to use a specific output
these new transactions and blocks then respond to the node from a previous transaction as an input to a new transaction,
with a getdata message. The getdata message includes all the buyer must specify proof that he/she still possesses own-
the transactions and blocks a peer node is not aware of. ership rights and did not previously spend them in another
The node then responds with a transaction/block message that transaction. This is done by attaching an unlocking script to
includes the complete transactions/blocks the peer requests. each input. The unlocking script solves the locking script that
Once received, the peer validates the transactions or blocks and was associated with the output from the previous transaction.
continues to relay them to its own peers in a similar manner. Likewise, the unlocking script is a digital signature produced
If a received transaction or block cannot be validated, it is by the Pr of the buyer that corresponds to a Pub associated
immediately dropped and its propagation is discontinued. with the locking script of an UTXO. A valid unlocking script is
legitimate proof of continuous possession of ownership rights
B. Bitcoin Transactions to certain BTC being used as input. As a result, BTC can
be viewed as a chain of digitally signed transactions where
We define a Bitcoin transaction (TX) as the transfer of an
ownership rights are transferred from one owner to the other
amount of BTC ownership rights from the wallet of the buyer
by digitally signing them.
to the wallet of the seller, in exchange for a product or service.
BTC wallets utilize elliptic curve digital signatures to handle Inputs Outputs
the transfer of ownership rights and ensure that unauthorized UTXOa
sha1_base64="EB1+oUQjIBA2fjwsVCHkYhtUj4E=">AAAB+nicbVBNS8NAFHypX7V+pXr0EiyCp5LUgh4LXrxZoWkLbQib7aZdutmE3Y1SYn+KFw+KePWXePPfuE1z0NaBhWHmPd7sBAmjUtn2t1Ha2Nza3invVvb2Dw6PzOpxV8apwMTFMYtFP0CSMMqJq6hipJ8IgqKAkV4wvVn4vQciJI15R80S4kVozGlIMVJa8s3qMEJqIsPM7fTv5n6G5r5Zs+t2DmudOAWpQYG2b34NRzFOI8IVZkjKgWMnysuQUBQzMq8MU0kShKdoTAaachQR6WV59Ll1rpWRFcZCP66sXP29kaFIylkU6Mk86Kq3EP/zBqkKr72M8iRVhOPloTBlloqtRQ/WiAqCFZtpgrCgOquFJ0ggrHRbFV2Cs/rlddJt1J3LeuO+WWs1izrKcApncAEOXEELbqENLmB4hGd4hTfjyXgx3o2P5WjJKHZO4A+Mzx+Vv5Qq</latexit>
<latexit
spending of the cryptocurrency is infeasible. Each wallet Unlocking Script
randomly generates a private key Pr which is used to derive its UTXOpay
sha1_base64="OO7wVi0WukujYEW5jMAAKeRhbZ0=">AAAB/HicbVBNS8NAFHzxs9avaI9egkXwVJJa0GPBizcrNG2hDWGz3bRLN5uwuxFCqH/FiwdFvPpDvPlv3KY5aOvAwjDzHm92goRRqWz729jY3Nre2a3sVfcPDo+OzZPTnoxTgYmLYxaLQYAkYZQTV1HFyCARBEUBI/1gdrvw+49ESBrzrsoS4kVowmlIMVJa8s3aKEJqKsPc7Q7u536eoGzum3W7YRew1olTkjqU6Pjm12gc4zQiXGGGpBw6dqK8HAlFMSPz6iiVJEF4hiZkqClHEZFeXoSfWxdaGVthLPTjyirU3xs5iqTMokBPFlFXvYX4nzdMVXjj5ZQnqSIcLw+FKbNUbC2asMZUEKxYpgnCguqsFp4igbDSfVV1Cc7ql9dJr9lwrhrNh1a93SrrqMAZnMMlOHANbbiDDriAIYNneIU348l4Md6Nj+XohlHu1OAPjM8fT3WVJw==</latexit>
<latexit
corresponding public key Pub that is shared among all users. UTXOb Unlocking Script
+
sha1_base64="wpi7MNC4givCcTgcFpdn+DWF4ag=">AAAB+nicbVBNS8NAFHypX7V+pXr0EiyCp5LUgh4LXrxZoWkLbQib7aZdutmE3Y1SYn+KFw+KePWXePPfuE1z0NaBhWHmPd7sBAmjUtn2t1Ha2Nza3invVvb2Dw6PzOpxV8apwMTFMYtFP0CSMMqJq6hipJ8IgqKAkV4wvVn4vQciJI15R80S4kVozGlIMVJa8s3qMEJqIsPM7fTv5n4WzH2zZtftHNY6cQpSgwJt3/wajmKcRoQrzJCUA8dOlJchoShmZF4ZppIkCE/RmAw05Sgi0svy6HPrXCsjK4yFflxZufp7I0ORlLMo0JN50FVvIf7nDVIVXnsZ5UmqCMfLQ2HKLBVbix6sERUEKzbTBGFBdVYLT5BAWOm2KroEZ/XL66TbqDuX9cZ9s9ZqFnWU4RTO4AIcuIIW3EIbXMDwCM/wCm/Gk/FivBsfy9GSUeycwB8Ynz+XRJQr</latexit>
<latexit
The Pub is used to generate the address of the wallet needed to Unlocking Script
make payments to it while the Pr is used to generate a digital ..
sha1_base64="xnBsUZuzb2AWclaQdVq6clvP0a0=">AAAB6HicbVDLSgNBEOyNrxhfUY9eBoMgCGE3CuYY8OIxAfOAZAmzk95kzOzsMjMrhJAv8OJBEa9+kjf/xkmyB00saCiquunuChLBtXHdbye3sbm1vZPfLeztHxweFY9PWjpOFcMmi0WsOgHVKLjEpuFGYCdRSKNAYDsY38399hMqzWP5YCYJ+hEdSh5yRo2VGlf9YsktuwuQdeJlpAQZ6v3iV28QszRCaZigWnc9NzH+lCrDmcBZoZdqTCgb0yF2LZU0Qu1PF4fOyIVVBiSMlS1pyEL9PTGlkdaTKLCdETUjverNxf+8bmrCqj/lMkkNSrZcFKaCmJjMvyYDrpAZMbGEMsXtrYSNqKLM2GwKNgRv9eV10qqUvetypXFTqlWzOPJwBudwCR7cQg3uoQ5NYIDwDK/w5jw6L86787FszTnZzCn8gfP5A2/RjKk=</latexit>
latexit
<
. UTXOch
signature corresponding to the Pub in order to claim payments
sha1_base64="tD6NCaoxyUuFfrtrwHxQFANGNf4=">AAAB+3icbVBNS8NAFHzxs9avWI9egkXwVJJa0GPBizcrNG2hDWGz3bRLN5uwuxFLyF/x4kERr/4Rb/4bt2kO2jqwMMy8x5udIGFUKtv+NjY2t7Z3dit71f2Dw6Nj86TWk3EqMHFxzGIxCJAkjHLiKqoYGSSCoChgpB/Mbhd+/5EISWPeVfOEeBGacBpSjJSWfLM2ipCayjBzu4P73M/wNPfNut2wC1jrxClJHUp0fPNrNI5xGhGuMENSDh07UV6GhKKYkbw6SiVJEJ6hCRlqylFEpJcV2XPrQitjK4yFflxZhfp7I0ORlPMo0JNF0lVvIf7nDVMV3ngZ5UmqCMfLQ2HKLBVbiyKsMRUEKzbXBGFBdVYLT5FAWOm6qroEZ/XL66TXbDhXjeZDq95ulXVU4AzO4RIcuIY23EEHXMDwBM/wCm9GbrwY78bHcnTDKHdO4Q+Mzx9iZ5Se</latexit>
<latexit
sha1_base64="f1+k6TCZ5QJOUvdcJ9hTrzg9BOA=">AAAB7XicbVBNS8NAEJ34WetX1aOXxSJ4KkkV7LHgxWMF+wFtKJvNtl27yYbdSaGE/gcvHhTx6v/x5r9x2+agrQ8GHu/NMDMvSKQw6Lrfzsbm1vbObmGvuH9weHRcOjltGZVqxptMSaU7ATVcipg3UaDknURzGgWSt4Px3dxvT7g2QsWPOE24H9FhLAaCUbRSqzcJFZp+qexW3AXIOvFyUoYcjX7pqxcqlkY8RiapMV3PTdDPqEbBJJ8Ve6nhCWVjOuRdS2MaceNni2tn5NIqIRkobStGslB/T2Q0MmYaBbYzojgyq95c/M/rpjio+ZmIkxR5zJaLBqkkqMj8dRIKzRnKqSWUaWFvJWxENWVoAyraELzVl9dJq1rxrivVh5tyvZbHUYBzuIAr8OAW6nAPDWgCgyd4hld4c5Tz4rw7H8vWDSefOYM/cD5/AMm7jzw=</latexit>
latexit
<
made to the wallet and use them in later transactions. A Pr Unlocking Script
UTXOn
sha1_base64="KVUFxQuW6t8kBEsRBI3YdTwR4HI=">AAAB+nicbVBNS8NAFHypX7V+pXr0EiyCp5LUgh4LXrxZoWkLbQib7aZdutmE3Y1SYn+KFw+KePWXePPfuE1z0NaBhWHmPd7sBAmjUtn2t1Ha2Nza3invVvb2Dw6PzOpxV8apwMTFMYtFP0CSMMqJq6hipJ8IgqKAkV4wvVn4vQciJI15R80S4kVozGlIMVJa8s3qMEJqIsPM7fTv5n7G575Zs+t2DmudOAWpQYG2b34NRzFOI8IVZkjKgWMnysuQUBQzMq8MU0kShKdoTAaachQR6WV59Ll1rpWRFcZCP66sXP29kaFIylkU6Mk86Kq3EP/zBqkKr72M8iRVhOPloTBlloqtRQ/WiAqCFZtpgrCgOquFJ0ggrHRbFV2Cs/rlddJt1J3LeuO+WWs1izrKcApncAEOXEELbqENLmB4hGd4hTfjyXgx3o2P5WjJKHZO4A+Mzx+pgJQ3</latexit>
<latexit
is first generated from a Cryptographically Secure Pseudo- Unlocking Script
Random Number Generator (CSPRNG) and its corresponding
Fig. 1. A single transaction with multiple UTXO inputs and outputs.
Pub is then calculated using Elliptic Curve Digital Signature
Algorithm (ECDSA). Calculations are performed based on the
field and curve parameters defined by secp256k1 with the A transaction must include at least one input, however,
curve order n [15] as follows may include multiple outputs to simultaneously pay different
sellers from the total value associated with the inputs. The
Pr = CSPRNG(), Pub = Pr × G (mod n), (1)
locking script of each output would specify the conditions
where G is a generator of the elliptic curve and × represents of its claimer. However, it is necessary that the total BTC
elliptic curve multiplication. value of the inputs is always equal to or greater than the
The BTC wallet of the buyer assembles a transaction using total value of the outputs. In the event that the total value
the Unspent Transaction Outputs (UTXO) of the buyer stored of the inputs is greater than the total outputs, the difference,
in the blockchain. An UTXO specifies an amount of BTC known as the transaction fee, is rewarded to the miner that
claimed earlier by the buyer as a result of a previously adds the transaction into a block attached to the blockchain.
processed transaction. A simple BTC transaction is shown in For guaranteed processing, most available wallets today derive
Fig. 1. the transaction fee as a fixed amount of BTC in relation to
In the figure, we show that a transaction can consist of the size of the transaction. In other words, the transaction fee
multiple inputs and outputs. The output UTXOpay represents increases with the size of the transaction.
the transfer of ownership rights of a certain amount of BTC The wallet of the user combines all the transaction input-
from the wallet of the buyer to the wallet of the seller. The s/outputs and their corresponding scripts into one digital mes-
output UTXOch represents redirecting ownership rights of sage M. It then applies the Secure Hash Algorithm SHA256
the BTC change amount back to the wallet of the buyer. A to M twice to increase security before releasing it into the
distinct locking script is attached to each of these outputs network. The 32 byte digest representing the identity of the
Things Journal
transaction (IDTX ) is generated as follows The locking script of a transaction output is associated with a
number (N ) of public keys. In order for an individual to claim
IDTX = SHA256 (SHA256(M)) . (2)
the output, the individual must possess M -of-N private keys
A newly generated transaction assembled by the BTC wallet that correspond to the N public keys. This type of transaction
of a buyer is released into the Bitcoin network to be validated can increase the security and can be used in scenarios which
and stored in the blockchain. The generating node transfers the require more than one user to be present in order to claim
transaction to its peers which flood it to the rest of the network and spend BTC. However, as the number N of public keys
nodes. Each node that receives it audits the inputs by executing associated with the transaction output increases, the size of the
the scripts associated with it. This audit involves checking transaction also increases. As a result, these transactions ac-
whether the execution of the unlocking script integrated by quire large space in the UTXO pool, therefore requiring more
a buyer within each input matches its corresponding locking storage memory. As discussed previously, larger transactions
script defined in the previous transaction. If a match exists, the also require larger transaction fees.
node relays the transaction to its peers and temporarily places Pay to Script Hash (P2SH): This standard transaction was
it in its transaction pool until chosen to be mined, otherwise, introduced to resolve the complex issues caused by MultiSig
the transaction is dropped. transactions. The transaction has the same simple complexity
In some cases, transactions are not flooded into the network as a P2PKH transaction. Rather than associating the entire
in the same order they are generated. As a result, during locking script with a transaction output that includes multiple
the audit, a node might not be aware of some inputs of public keys, a double hash computation is applied to the entire
a transaction (child transaction) referring to the outputs of script, SHA256 RIPEMD160(script) . The result is a 20-byte
other transactions (parent transactions). Instead of immediately digest that is attached to the locking script instead of the
rejecting the transaction and considering its inputs as invalid, entire original script. In order to use the output from this
the node can temporarily place it into an orphan transaction transaction as an input to another transaction, the buyer creates
pool. If the parent transaction shows up, the inputs of the an unlocking script that holds M -of-N private keys and the
child transaction become valid and it can be transferred to the original script that was cryptographically hashed earlier. In
transaction pool. that way, sufficient information is available in the locking
and unlocking scripts to validate the UTXO for spending. In
C. Bitcoin Transaction Standards addition, the buyer no longer has to worry about generating
large transactions which might require hefty transaction fees
There are five major Bitcoin transaction standards and a few
to process. Instead, only the seller is required to provide the
non-standard transactions. All transaction types are generated
unlocking script he/she wishes to spend the output in a new
with a stack-based scripting language that is processed from
transaction.
left to right. A script consists of a list of instructions that must
Data Output: This standard transaction is intended to store
be executed in the correct order to grant an individual the right
arbitrary data on the blockchain rather than transfer BTC from
to spend the BTC within a transaction. The list of standards
a buyer to a seller. In the Bitcoin community, many members
is described below.
believe that such transactions are abusive to the system since it
Pay to Public Key Hash (P2PKH): This standard transaction
places a burden on the network nodes to process transactions
is the most used type. The locking script within each output of
that do not carry BTC. However, such transactions exist and
a transaction holds the public key hash (serving as a Bitcoin
allow 40 bytes of data to be stored per transaction. These
address) of the seller that will claim the BTC amount included.
transactions are un-spendable, therefore are not stored in the
In other words, the locking script defines a condition that the
UTXO set.
seller must possess a specific Pr corresponding to the public
Non-Standard: A very small percentage of transactions
key hash to claim the output. Once claimed by the seller, the
are processed under non-standard transactions. Non-standard
output becomes an UTXO owned by the seller. In order for
transactions use more sophisticated scripts that strive to pro-
the seller to use this specific UTXO as an input to a future
vide higher complexity and security. In some cases, these
transaction, the seller must attach a valid unlocking script to
transactions might even be the result of bugs or mistakes
it. The unlocking script includes the Pub of the seller and a
resulting in loss of BTC.
digital signature generated by his/her Pr that corresponds to
the public key hash associated with the locking script of the
previous transaction output. D. Merkle Trees
Pay to Public Key: The intent behind this standard transaction Validated transactions are grouped into blocks which are
is to simplify the P2PKH standard. Rather than associating the then mined and stored in the blockchain. A single block can
public key hash within the locking script of the output, the contain multiple transactions up to the block size limit. Merkle
public key itself is used. As a result, the validation process trees, sometimes referred to as hash trees, are utilized to cluster
is simple. The digital signature of the seller generated with multiple transactions in one block. A Merkle tree is a tree data
a Pr can immediately be compared to the associated Pub by structure generated in a bottom up approach that can efficiently
searching whether or not they match. summarize and verify the integrity of the transactions being
Multi-signature (MultiSig): In this standard transaction, a combined. Starting from the leaf nodes which are hashes of the
combination of keys is required to authorize an output claim. original data, each non-leaf node is generated as a computation
6
sha1_base64="lm6BLeGPon/f4DkPKr6TYzi9Ln0=">AAACBHicbVDLSsNAFL2pr1pfUZfdBIvgqiRVsMuCLnRXoS9oS5hMJ+3QySTMTIQSsnDjr7hxoYhbP8Kdf+M0jaCtBwbOnHMv997jRYxKZdtfRmFtfWNzq7hd2tnd2z8wD486MowFJm0cslD0PCQJo5y0FVWM9CJBUOAx0vWmV3O/e0+EpCFvqVlEhgEac+pTjJSWXLM8CJCaSD+5vU7d5OfT6qWuk7pmxa7aGaxV4uSkAjmarvk5GIU4DghXmCEp+44dqWGChKKYkbQ0iCWJEJ6iMelrylFA5DDJjkitU62MLD8U+nFlZervjgQFUs4CT1dmWy57c/E/rx8rvz5MKI9iRTheDPJjZqnQmidijaggWLGZJggLqne18AQJhJXOraRDcJZPXiWdWtU5r9buLiqNeh5HEcpwAmfgwCU04Aaa0AYMD/AEL/BqPBrPxpvxvigtGHnPMfyB8fENWH6YgQ==</latexit>
<latexit
IDTX1
sha1_base64="v8Rozth3NzLk8sTvab32V4vd1VA=">AAAB6nicbVBNS8NAEJ34WetX1aOXxSJ4KkkV9CQFL56kov2ANpTNdtIu3WzC7kYooT/BiwdFvPqLvPlv3LY5aOuDgcd7M8zMCxLBtXHdb2dldW19Y7OwVdze2d3bLx0cNnWcKoYNFotYtQOqUXCJDcONwHaikEaBwFYwupn6rSdUmsfy0YwT9CM6kDzkjBorPdz1vF6p7FbcGcgy8XJShhz1Xumr249ZGqE0TFCtO56bGD+jynAmcFLsphoTykZ0gB1LJY1Q+9ns1Ak5tUqfhLGyJQ2Zqb8nMhppPY4C2xlRM9SL3lT8z+ukJrzyMy6T1KBk80VhKoiJyfRv0ucKmRFjSyhT3N5K2JAqyoxNp2hD8BZfXibNasU7r1TvL8q16zyOAhzDCZyBB5dQg1uoQwMYDOAZXuHNEc6L8+58zFtXnHzmCP7A+fwBy7+Ndg==</latexit>
<latexit
N1
sha1_base64="stGpXDe4VE5CTNpoUqNvm05pz2M=">AAACBHicbVDLSsNAFL2pr1pfUZfdBIvgqiRVsMuCLnRXoS9oS5hMJ+3QySTMTIQSsnDjr7hxoYhbP8Kdf+M0jaCtBwbOnHMv997jRYxKZdtfRmFtfWNzq7hd2tnd2z8wD486MowFJm0cslD0PCQJo5y0FVWM9CJBUOAx0vWmV3O/e0+EpCFvqVlEhgEac+pTjJSWXLM8CJCaSD+5vU7d5OfT6qVuLXXNil21M1irxMlJBXI0XfNzMApxHBCuMENS9h07UsMECUUxI2lpEEsSITxFY9LXlKOAyGGSHZFap1oZWX4o9OPKytTfHQkKpJwFnq7Mtlz25uJ/Xj9Wfn2YUB7FinC8GOTHzFKhNU/EGlFBsGIzTRAWVO9q4QkSCCudW0mH4CyfvEo6tapzXq3dXVQa9TyOIpThBM7AgUtowA00oQ0YHuAJXuDVeDSejTfjfVFaMPKeY/gD4+MbWgOYgg==</latexit>
<latexit
blockchain.
the root node.
IDTX2
sha1_base64="qyjywr7vIp+wbCzGPW3aH4rsoPk=">AAAB6nicbVDLSgNBEOyNrxhfUY9eBoPgKexGRU8S8OJJIpoHJEuYnXSSIbOzy8ysEJZ8ghcPinj1i7z5N06SPWhiQUNR1U13VxALro3rfju5ldW19Y38ZmFre2d3r7h/0NBRohjWWSQi1QqoRsEl1g03AluxQhoGApvB6GbqN59QaR7JRzOO0Q/pQPI+Z9RY6eGue9EtltyyOwNZJl5GSpCh1i1+dXoRS0KUhgmqddtzY+OnVBnOBE4KnURjTNmIDrBtqaQhaj+dnTohJ1bpkX6kbElDZurviZSGWo/DwHaG1Az1ojcV//Paielf+SmXcWJQsvmifiKIicj0b9LjCpkRY0soU9zeStiQKsqMTadgQ/AWX14mjUrZOytX7s9L1essjjwcwTGcggeXUIVbqEEdGAzgGV7hzRHOi/PufMxbc042cwh/4Hz+ANHPjXo=</latexit>
<latexit
sha1_base64="Wfl9q3EqcEOPrZWxYtKzRQF9wes=">AAACBHicbVDLSsNAFL3xWesr6rKbYBFclaQV7LKgC91V6AvaECbTSTt0MgkzE6GELNz4K25cKOLWj3Dn3zhNK2jrgYEz59zLvff4MaNS2faXsba+sbm1Xdgp7u7tHxyaR8cdGSUCkzaOWCR6PpKEUU7aiipGerEgKPQZ6fqTq5nfvSdC0oi31DQmbohGnAYUI6UlzywNQqTGMkhvrzMv/fm0eplXyzyzbFfsHNYqcRakDAs0PfNzMIxwEhKuMENS9h07Vm6KhKKYkaw4SCSJEZ6gEelrylFIpJvmR2TWmVaGVhAJ/biycvV3R4pCKaehryvzLZe9mfif109UUHdTyuNEEY7ng4KEWSqyZolYQyoIVmyqCcKC6l0tPEYCYaVzK+oQnOWTV0mnWnFqlerdRblRX8RRgBKcwjk4cAkNuIEmtAHDAzzBC7waj8az8Wa8z0vXjEXPCfyB8fENW4iYgw==</latexit>
<latexit
N5
N3 to produce N4 as
IDTX3
sha1_base64="/lKxDHgNiQgS2aacR/nbegY4Lg4=">AAAB6nicbVBNS8NAEJ34WetX1aOXxSJ4KkkV9CQFL56kov2ANpTNdtMu3WzC7kQooT/BiwdFvPqLvPlv3LY5aOuDgcd7M8zMCxIpDLrut7Oyura+sVnYKm7v7O7tlw4OmyZONeMNFstYtwNquBSKN1Cg5O1EcxoFkreC0c3Ubz1xbUSsHnGccD+iAyVCwSha6eGuV+2Vym7FnYEsEy8nZchR75W+uv2YpRFXyCQ1puO5CfoZ1SiY5JNiNzU8oWxEB7xjqaIRN342O3VCTq3SJ2GsbSkkM/X3REYjY8ZRYDsjikOz6E3F/7xOiuGVnwmVpMgVmy8KU0kwJtO/SV9ozlCOLaFMC3srYUOqKUObTtGG4C2+vEya1Yp3XqneX5Rr13kcBTiGEzgDDy6hBrdQhwYwGMAzvMKbI50X5935mLeuOPnMEfyB8/kDzUONdw==</latexit>
<latexit
level of non-leaf nodes as
sha1_base64="JEM8VaQ/4vxNL58rrcT8nwto6L4=">AAACBHicbVDLSsNAFL3xWesr6rKbYBFclaQW7LKgC91V6AvaECbTSTt0MgkzE6GELNz4K25cKOLWj3Dn3zhtI2jrgYEz59zLvff4MaNS2faXsba+sbm1Xdgp7u7tHxyaR8cdGSUCkzaOWCR6PpKEUU7aiipGerEgKPQZ6fqTq5nfvSdC0oi31DQmbohGnAYUI6UlzywNQqTGMkhvrzMv/fm0eplXyzyzbFfsOaxV4uSkDDmanvk5GEY4CQlXmCEp+44dKzdFQlHMSFYcJJLECE/QiPQ15Sgk0k3nR2TWmVaGVhAJ/biy5urvjhSFUk5DX1fOt1z2ZuJ/Xj9RQd1NKY8TRTheDAoSZqnImiViDakgWLGpJggLqne18BgJhJXOrahDcJZPXiWdasW5qFTvauVGPY+jACU4hXNw4BIacANNaAOGB3iCF3g1Ho1n4814X5SuGXnPCfyB8fENXQ2YhA==</latexit>
<latexit
N2
Fig. 2. A Merkle tree within a block.

IDTX4
sha1_base64="cVRUNBy/RTcU6LUbsjbBwonoaeo=">AAAB6HicbVDLTgJBEOzFF+IL9ehlIjHxRHbRRI9ELx7ByCOBDZkdemFkdnYzM2tCCF/gxYPGePWTvPk3DrAHBSvppFLVne6uIBFcG9f9dnJr6xubW/ntws7u3v5B8fCoqeNUMWywWMSqHVCNgktsGG4EthOFNAoEtoLR7cxvPaHSPJYPZpygH9GB5CFn1Fipft8rltyyOwdZJV5GSpCh1it+dfsxSyOUhgmqdcdzE+NPqDKcCZwWuqnGhLIRHWDHUkkj1P5kfuiUnFmlT8JY2ZKGzNXfExMaaT2OAtsZUTPUy95M/M/rpCa89idcJqlByRaLwlQQE5PZ16TPFTIjxpZQpri9lbAhVZQZm03BhuAtv7xKmpWyd1Gu1C9L1ZssjjycwCmcgwdXUIU7qEEDGCA8wyu8OY/Oi/PufCxac042cwx/4Hz+AK3vjNo=</latexit>
latexit
<
sha1_base64="bYwW/qf0HJP13vYhEoygyO9SGC0=">AAACBHicbVBNS8NAEJ3Ur1q/oh57CRbBU0mqYo8FPeitQlsLbQmb7aZdutmE3Y1QQg5e/CtePCji1R/hzX/jNo2grQ8W3r43w8w8L2JUKtv+Mgorq2vrG8XN0tb2zu6euX/QkWEsMGnjkIWi6yFJGOWkrahipBsJggKPkTtvcjnz7+6JkDTkLTWNyCBAI059ipHSkmuW+wFSY+knN1epm/x8Wt3UPU9ds2JX7QzWMnFyUoEcTdf87A9DHAeEK8yQlD3HjtQgQUJRzEha6seSRAhP0Ij0NOUoIHKQZEek1rFWhpYfCv24sjL1d0eCAimngacrsy0XvZn4n9eLlV8fJJRHsSIczwf5MbNUaM0SsYZUEKzYVBOEBdW7WniMBMJK51bSITiLJy+TTq3qnFZrt2eVRj2PowhlOIITcOACGnANTWgDhgd4ghd4NR6NZ+PNeJ+XFoy85xD+wPj4Bl6SmIU=</latexit>
<latexit
R
IDTX5
sha1_base64="IcINxjopibshWvhqrt7+QgJ32RY=">AAAB6nicbVDLSgNBEOyNrxhfUY9eBoPgKewmgp4k4MWTRDQPSJYwO+lNhszOLjOzQgj5BC8eFPHqF3nzb5wke9DEgoaiqpvuriARXBvX/XZya+sbm1v57cLO7t7+QfHwqKnjVDFssFjEqh1QjYJLbBhuBLYThTQKBLaC0c3Mbz2h0jyWj2acoB/RgeQhZ9RY6eGuV+0VS27ZnYOsEi8jJchQ7xW/uv2YpRFKwwTVuuO5ifEnVBnOBE4L3VRjQtmIDrBjqaQRan8yP3VKzqzSJ2GsbElD5urviQmNtB5Hge2MqBnqZW8m/ud1UhNe+RMuk9SgZItFYSqIicnsb9LnCpkRY0soU9zeStiQKsqMTadgQ/CWX14lzUrZq5Yr9xel2nUWRx5O4BTOwYNLqMEt1KEBDAbwDK/w5gjnxXl3PhatOSebOYY/cD5/AM7HjXg=</latexit>
<latexit

N3
sha1_base64="aRW9teARuu/V7UoHQzt3W/ws178=">AAACBHicbVBNS8NAEJ3Ur1q/oh57CRbBU0mqaI8FPeitQlsLbQmb7aZdutmE3Y1QQg5e/CtePCji1R/hzX/jNo2grQ8W3r43w8w8L2JUKtv+Mgorq2vrG8XN0tb2zu6euX/QkWEsMGnjkIWi6yFJGOWkrahipBsJggKPkTtvcjnz7+6JkDTkLTWNyCBAI059ipHSkmuW+wFSY+knN1epm/x8Wt3UPU9ds2JX7QzWMnFyUoEcTdf87A9DHAeEK8yQlD3HjtQgQUJRzEha6seSRAhP0Ij0NOUoIHKQZEek1rFWhpYfCv24sjL1d0eCAimngacrsy0XvZn4n9eLlV8fJJRHsSIczwf5MbNUaM0SsYZUEKzYVBOEBdW7WniMBMJK51bSITiLJy+TTq3qnFZrt2eVRj2PowhlOIITcOACGnANTWgDhgd4ghd4NR6NZ+PNeJ+XFoy85xD+wPj4BmAXmIY=</latexit>
<latexit
Finally, the 32 bytes root node is derived as
non-leaf nodes of the Merkle tree as follows

where k is the concatenation of two identities.
IDTX6
R = SHA256 SHA256(N5 kN6 ) .
sha1_base64="8L+iohrTPqzG5uxE4OVKISypJjo=">AAAB6nicbVDLSgNBEOyNrxhfUY9eBoPgKexGUU8S8OJJIpoHJEuYnXSSIbOzy8ysEJZ8ghcPinj1i7z5N06SPWhiQUNR1U13VxALro3rfju5ldW19Y38ZmFre2d3r7h/0NBRohjWWSQi1QqoRsEl1g03AluxQhoGApvB6GbqN59QaR7JRzOO0Q/pQPI+Z9RY6eGue9EtltyyOwNZJl5GSpCh1i1+dXoRS0KUhgmqddtzY+OnVBnOBE4KnURjTNmIDrBtqaQhaj+dnTohJ1bpkX6kbElDZurviZSGWo/DwHaG1Az1ojcV//Paielf+SmXcWJQsvmifiKIicj0b9LjCpkRY0soU9zeStiQKsqMTadgQ/AWX14mjUrZOytX7s9L1essjjwcwTGcggeXUIVbqEEdGAzgGV7hzRHOi/PufMxbc042cwh/4Hz+ANNTjXs=</latexit>
<latexit

N4 = SHA256 SHA256(IDTX5 kIDTX6 ) .
N6
Ni = SHA256 SHA256(IDTX2i−1 kIDTX2i ) , i = 1, 2, 3,
sha1_base64="AHjCTFpoBQK5QaPH9RZHRUs49LQ=">AAAB6nicbVDLSgNBEOyNrxhfUY9eBoPgKezGgJ4k4MWTRDQPSJYwO+lNhszOLjOzQgj5BC8eFPHqF3nzb5wke9DEgoaiqpvuriARXBvX/XZya+sbm1v57cLO7t7+QfHwqKnjVDFssFjEqh1QjYJLbBhuBLYThTQKBLaC0c3Mbz2h0jyWj2acoB/RgeQhZ9RY6eGuV+0VS27ZnYOsEi8jJchQ7xW/uv2YpRFKwwTVuuO5ifEnVBnOBE4L3VRjQtmIDrBjqaQRan8yP3VKzqzSJ2GsbElD5urviQmNtB5Hge2MqBnqZW8m/ud1UhNe+RMuk9SgZItFYSqIicnsb9LnCpkRY0soU9zeStiQKsqMTadgQ/CWX14lzUrZuyhX7qul2nUWRx5O4BTOwYNLqMEt1KEBDAbwDK/w5gjnxXl3PhatOSebOYY/cD5/ANBLjXk=</latexit>
<latexit
N4
generated for each transaction as discussed in equation (2).
The leaf nodes used to construct the tree are the identities IDTX
the block header of a block to be mined and chained to the

R, representing the summary of all transactions is placed into
nodes that are added to even out the odd rows. The root node,
tree for this example. The dotted nodes represent the replicated
Fig. 2 represents the complete construction of the Merkle
(6)
N4+i = SHA256 SHA256(N2i−1 kN2i ) , i = 1, 2. (5)
Using the resulting digests we can generate the following
(4)
leaf nodes is generated at that level. To even it out, we replicate
As shown in the previous equations, an odd number of non-
(3)
concatenation of each two identities to generate the parent
IDTX5 }. Next, the double hash computation is applied to the
fifth identity is generated, {IDTX1 , IDTX2 , · · · , IDTX5 , IDTX6 =
at the leaf node level is odd, therefore a replica of the
leaf node in the tree. In this example, the number of nodes
{IDTX1 , IDTX2 , · · · , IDTX5 }, where each identity represents a
in equation (2). We denote the corresponding identities as
identity for each transaction has been generated as discussed
transactions has already been validated by the nodes and an
five transactions, {TX1 , TX2 , · · · , TX5 }. Each one of these
of the binary Merkle tree, consider a block that consists of
of nodes in that row. To better comprehend the construction
replica of the last node is reproduced to even out the number
case where a row consists of an odd number of nodes, a
of an even number of nodes, except the root node. In the
In a binary Merkle tree, each row within the tree consists
computation SHA256 (SHA256(·)) when generating nodes.
leaf node has exactly two children. It applies a double hash
BTC utilizes a binary Merkle tree in which each non-
continues until a single node is generated which is defined as
single digest that represents the node in the tree. The approach
its children nodes are concatenated then hashed to produce a
of its respective children nodes. For a single non-leaf node, all
Things Journal
hash.
E. Blockchain
whenever desired.
F. Bitcoin Mining
IDBi is generated for
generate a merkle path
requires hash computations.
adjusting all the subsequent chained blocks.
system to initiate a new mined block to be chained to it.
by computing a maximum of log2 N
in mining the block first. A transaction with low or no fees

The head of the blockchain is denoted as B0 and is defined
fees to maximize the profit that a miner can turn if successful

is filled with other transactions which have greater transaction
size and age of the transaction inputs. The rest of the block
to carry high priority transactions. Priority is based on the
exceed 1MB in size. A small portion of that space is specified
pools that will be placed into a block where a block cannot
Miners begin by selecting transactions from their transaction
the embedded UTXO(s) as the input to other transactions
and public to all users. The transaction claimer(s) can use
is added to the blockchain, it becomes completely verified
actions and add them to the blockchain. Once a transaction
Bitcoin mining is the final stage to secure validated trans-
the blockchain. Any modification to one block will require
it infeasible to retroactively alter records within any block of
root, which is incorporated in the header. This design makes
and non-leaf nodes of the Merkle tree, excluding the Merkle
in the following subsection. The body carries all the leaf nodes
nonce, and a time-stamp which are discussed in more detail
in the chain. The header also consists of a difficulty target,
header incorporates the block hash of its predecessor block
Each block consists of two parts, a header, and a body. Each
of the system, B0 was a stand-alone block waiting for the
does not reference any previous block. At the launching stage
as the genesis block. B0 differs from all the other blocks as it
SHA256 SHA256(·) . An identity is referred to as the block
Bi by applying to the block header
blockchain. To reference a block, a unique 32 byte identity
one referencing its previous block to form the complete
to the blockchain. Blocks are linked back-to-back, with each
the first block and Bn represents the most recent block attached
carrying a set of validated transactions, where B0 represents
is extended. It consists of blocks {B0 , B1 , · · · , Bn }, each
of BTC. As new transactions are processed, the blockchain
users with transaction confirmations to track ownership rights
transactions since the creation of Bitcoin. It provides its
The blockchain is a public ledger that stores all previous
existence method is considered to be efficient since it only
the existence of a transaction within the tree. This proof of
path as an authentication path, the SPV node can prove
total number of transactions in the tree. Using the Merkle
SHA256 SHA256(·) computations, where N represents the
a block, it turns to a full node for assistance. The full node will
SPV node needs proof to the existence of a transaction within
since they do not store a copy of the full blockchain. When an
The use of Merkle trees is more common in SPV nodes
IEEE INTERNET OF THINGS JOURNAL
Things Journal
will probably remain in the transaction pool of the miner until network so that all the nodes can update their blockchains.
it ages and becomes a high priority transaction. The winning miner transmits the block to its peer nodes to
Next, the miner assembles a special transaction, known as validate it before propagating it further through the network.
the coinbase transaction. This transaction is a reward paying The peer nodes check whether the block is correctly assembled
transaction to the miner in the event of winning a mining in terms of syntax and variables. The proof-of-work provided
competition. It does not have any inputs and consists of a by the miner must be correct and the coinbase transaction must
single output addressed to the wallet of the miner. The amount include the correct amount to pay the miner. If any information
incorporated in the output is the reward mining fee (6.25 BTC is invalid, the block is immediately dropped.
at the time of writing) plus the sum of all transaction fees Quite regularly, as blocks are mined to extend the
included in each transaction. blockchain, a temporary incident, known as a fork, might oc-
All the selected transactions along with the coinbase trans- cur. A fork occurs when two miners are able to simultaneously
action are then combined into a Merkle tree as discussed previ- mine two different blocks at the same time. As a result, both
ously. At this point, the miner has all the components needed to newly mined blocks are accepted to extend the blockchain.
construct the block header of the new block except the nonce. The blocks are flooded into the network and the miners update
Miners compete in the Proof-of-Work (PoW) crypto-puzzle to their version of the blockchain based on the block they receive
derive the value of this nonce. This value, if concatenated first. This results in two valid versions of the blockchain in
with the block header of the group of chosen transactions and possession by the miners with two different paths. However,
then double hashed, must produce a digest with a specific the miners continue to extend their version of the blockchain
prefix of zeros in its binary representation. Searching for this regardless which path they possess. Eventually, one path will
value is performed in a brute-force manner and is directly grow longer than the other as mining continues. The path that
correlated with the computational power available. The more grows longer is the winner and all nodes immediately discard
computational power available, the faster a miner is able to the other path and update their blockchain to the longer one.
find the correct nonce. A successful miner will then broadcast In literature, the blocks that are dropped are known as orphan
his/her PoW to claim the reward. blocks; valid blocks that were part of the blockchain at some
The primary advantage of the PoW crypto-puzzle is to make point.
it computationally infeasible to perform Sybil attacks [16].
PoW is intentionally designed to be resource-intensive to per- G. Bitcoin Scalability
form while efficient to verify. It requires a certain number of
Scalability is a major performance issue of the blockchain
zeros to appear in the prefix of the digest as a result of applying
systems. Layer 2 protocols, also known as off-chain protocols,
the double SHA256 computation. The prefix determines the
have been proposed in efforts to improve these issues. Light-
difficulty of finding the correct nonce. The more zeros required
ning Network [17] is the most notable example. It operates
in the prefix, the harder it is to find the correct nonce and vice
atop the Bitcoin system to provide transaction speedup. It also
versa. The difficulty is dynamically altered every two weeks
runs over a P2P network allowing the nodes to perform Bitcoin
based on the number of miners (total hash power) so that the
micropayments. Users of the protocol initially open payment
average time it takes for a miner to find a correct solution is
channels with designated BTC amounts. The connected nodes
approximately 10 minutes, a platform design choice.
can then begin to perform micropayments among each other
The first miner to find the correct nonce to a block of
which are not settled on the blockchain, but stored locally.
transactions is rewarded a mining reward as compensation
Once a user decides to close a payment channel, the final
for the computational power spent. The mining reward is
balance of the channel is settled on Bitcoin’s blockchain
halved precisely every 210,000 blocks that are added to the
allocating the correct amounts of BTC to each user.
blockchain. It is estimated to continue until the year 2140
when nearly 21 million BTC will have been released into the
system. The reason for having a fixed supply of BTC is to H. Bitcoin Mining Pools and Payment Methods
prevent price inflation in the future. Although solo miners can compete in the mining process,
Another incentive that encourages miners to spend their the likelihood of a successful return is very low. This is even
computational power to perform mining is the transaction fee. the case for solo miners with the most powerful computing
The winner is not only rewarded the mining reward but is machines. As a solution to this problem, solo miners collab-
also given all the transaction fees incorporated with all the orate in the mining process by joining computational power
transactions in the block. With time, the mining reward will into mining pools. Together, they form a large organization
decrease due to halving, which will demand higher transaction with significant computational power that can compete with
fees in the future to compensate for the reduced mining reward. the other large entities. The members of the mining pool
After a block is successfully mined, all the miners check work together to find the correct nonce for a candidate block
their transaction pools to eliminate the transactions that have and report the result as one miner, increasing their chances
been included in the mined block and immediately construct a of winning the competition. In the event of success, the
new block of transactions. The end of the mining race marks rewards are split among the participating miners based on the
the beginning of a new one. Miners instantly begin to search contribution provided by each.
for the nonce of the next block of transactions. The concept of a mining pool can be compared to the lottery.
Simultaneously, the mined block is flooded through the Assuming individuals with the same financial capabilities, if
Things Journal
a large group buys tickets together, the individuals within to hopping since the score does not consider factors such as
the group have a better chance of winning than a single the mining difficulty or the hashrate of the pool. Also, in this
individual buying tickets alone. If any ticket owned by the method mining at the beginning of a round is more profitable
group wins the lottery, the participating individuals split the since there are fewer shares at that time. As a result, the
reward proportional to the amount invested by each. In a geometric method was introduced to address these weaknesses.
mining pool, the computational power provided by each solo This method introduced a fixed fee, a constant amount taken
miner is analogous to the amount invested by each ticket buyer. from the reward of each block, and a variable fee, a score
A mining pool is managed by a pool operator who handles granted at the beginning of each round to the operator. As
the entire pool server and receives a percentage of the rewards time passes, the variable fee declines, making mining equally
as compensation. The role of the operator is to coordinate profitable throughout the entire round. Shorter rounds result
the mining performed by all the participating miners. The in larger variable fees and vice versa. By that, there is no
operator keeps a continuously updated copy of the entire advantage to mining early in the round.
blockchain to ease the job of the participating miners. Using Another score-based method is Pay-Per-Last-N-Shares
the updated blockchain, the operator verifies any transaction (PPLNS) that exists in different forms. In this method, the
that appears in the network and places it in a candidate block concept of rewarding miners after each round is replaced with
for mining. By that, miners only need to worry about finding rewarding miners that have been participating in earlier rounds,
the correct nonce of the candidate block. If the mining pool regardless of the mining result. In other words, the operator
wins the competition, the operator divides the rewards among pays miners based on their contributions from previous efforts.
the participating miners. Later on, more advanced payment systems evolved such as the
Reward splitting can be performed in multiple forms and Double Geometric Method (DGM). This system is a hybrid
varies from one mining pool to the other. As described in [18], between the PPLNS and geometric system that combines
these methods can be categorized into simple reward, score- advantages of both methods.
based reward, or risk-free pay-per share reward. Some mining pools employ a risk-free pay-per share sys-
Simple reward systems consist of either proportional system. One of the first implemented systems is known as the
tems or Pay-Per Share (PPS) systems. In the proportional Maximum Pay-Per Share (MPPS). It combines both the PPS
systems, a reward B is split among the participating miners at and proportional systems, where each participating miner
the end of each round, where a round is the consecutive time has a balance of each. If the miner submits a share, the
between two successful blocks generated by the pool. The PPS balance is incremented and when the pool successfully
operator keeps a percentage of the reward f B and divides the generates a block, the proportional balance is incremented. At
remaining (1−f )B among the miners based on the shares they pay time, the miner receives the minimum of both balances.
submit. Shares are defined as the number of hashes performed This method protects the pool from taking the risk alone.
by each miner in attempt to find the correct proof-of-work. A However, this method is inconsiderate to the miners, since they
miner that submits n shares from a total of N shares submitted will always make less whether the pool is successful or not.
n
by all the miners in the pool receives a reward of N (1 − f )B In addition to this, the system suffers from pool-hopping. A
BTC on average. Conversely, the PPS system is a deterministic solution was later proposed to solve this problem in the Shared
one where the miner knows how much reward can be turned Maximum Pay-Per-Share (SMPPS) system. The miners have
in advance. The operator immediately pays each miner based a PPS balance which continues to accumulate as the miners
on the submitted shares regardless of the mining result. In are participating. If a block is found by the pool and there
other words, a miner that submits n shares receives (1 − f )pB are sufficient funds, the miners are paid based on their PPS
BTC/share, where p represents the probability of one share balance. However, if there are no sufficient funds, miners are
being the correct proof-of-work. In this system, the operator paid proportional to the available funds and given credit to be
is taking the risk of mining independently since the miners paid later for whatever balance that is owed.
receive ensured payments whether or not the pool generates a Today, a broad range of mining pools exist that give miners
block. a variety of options when joining pools. The question most
Score-based reward systems come in many forms and strive miners would ask is which mining pool is the best to join.
to prevent miners from pool-hopping. Pool-hopping is the The answer here lies in the preferences of the miners. For
practice of mining in a pool only during its good times example, some miners are not willing to take the risk of not
(successfully generating blocks) and leaving it during its bad getting paid in the event of being unsuccessful in generating
times. A pool-hopper can maximize his/her rewards at the a block and would prefer a PPS mining pool. Others might be
expense of miners that remain loyal to the pool at all times. willing to take the risk and choose a score-based system for
The method introduced by Slush [19] is one of the first instance, in return for larger profit.
implemented score-based systems that extends the proportional
method. Rather than paying the miner an amount based on the
submitted shares after each round, the miner is given a score I. Alternative Cryptocurrencies
that is proportional to his/her contribution and increases as In literature, alternative cryptocurrencies are known as alt-
more time elapses from the start of the round. The score is coins, most of which are inspired by Bitcoin. Altcoins strive
used to calculate the reward share given to the miner at the to offer innovative features and/or enhanced security/privacy
end of the round. However, this method is still susceptible countermeasures in an effort to compete with Bitcoin. Their
Things Journal
development process is based on the level of innovation and III. B ITCOIN S ECURITY - D OUBLE -S PENDING ATTACKS
security/privacy countermeasures they present. Double-spending is an attack that could be performed by
The simplest method to develop an altcoin is by forking the malicious users attempting to deceive the system by spending
open source code of Bitcoin [20] while adding or modifying the same BTC more than once. The attacker generates du-
any features to it. In software development, a fork is a plicates of the same UTXO and uses it as an input in more
completely independent project that exploits a copy of the than one transaction. Differentiating between the duplicated
original source code. A Bitcoin fork generates an entirely (fraudulent) copies and the original becomes an issue when
new blockchain and is completely independent of Bitcoin. used in a decentralized system. There is no trusted entity
Namecoin [21] is the first developed Bitcoin fork that adopted that verifies the legitimacy of the UTXO used as input in
all of the characteristics of Bitcoin. It also introduced an a transaction. The inputs of a transaction may consist of
additional feature allowing users to store data within its trans- unidentifiable fraudulent BTC that have possibly been spent
actions. Various Bitcoin forks have evolved latterly with more earlier.
features and handled security/privacy issues. Many of these The system defends against such attacks by relying on its
forks implemented privacy protocols to increase the anonymity users (miners) to validate the legitimacy of the BTC used as
of cryptocurrencies. In Section VI, we discuss notable privacy an input to transactions. Using the information stored in the
protocols that have impacted some of these altcoins. blockchain from the previous transactions, the miners validate
In exceptional occasions, an altcoin can also be the result the inputs of any new transaction to ensure that it does not
of a hardfork. A hardfork occurs when modifications are contain previously spent inputs. Once verified, the transaction
made to the original software of Bitcoin making its new is mined into a block which is attached to the blockchain.
transactions/blocks incompatible with those previously gen- Any user that refers to the blockchain becomes aware that
erated prior to the modifications. These modifications can be specific UTXO(s) have been spent earlier, making fraudulent
as simple as altering certain parameters, such as the block input transactions detectable.
size, or as complex as changing major protocols, such as the To ensure that attackers cannot manipulate the blockchain
consensus algorithm. In order to enforce these modifications, in their favor, the mining process is designed to be an
the majority of users/miners must upgrade their client nodes expensive and resource-intensive operation. To mine a block
to the latest version which accommodates these changes. The of transactions in the blockchain, the miners must provide a
users/miners that do not accept the upgrade will view the new valid proof-of-work. An attacker that wishes to double-spend
transactions/blocks as invalid and will not accept them. As BTC must reverse a transaction that has been stored in the
a result, the blockchain will inevitably split into two paths, blockchain to reuse its inputs in another transaction. Reversing
one storing transactions of the original cryptocurrency and an already stored transaction in the blockchain is an extremely
one storing transactions generated due to the modifications difficult task since it requires a significant share of the total
made, hence creating a new altcoin. Users in possession of computational power of the system.
the original cryptocurrency will automatically be granted an In the rest of this section, we will analyze the double-
equivalent amount of the new altcoin to what they hold. spending attacks. We first discuss conventional methods to per-
form double-spending. Next, we analyze the probability and
Bitcoin Cash is a notable example of a Bitcoin hardfork
profitability of the double-spending attack and present a trade-
which occurred on August 1, 2017. It was the result of
off between the waiting time before accepting a transaction
enforcing BIP91 [22] which proposed activating Segregated
versus the profitability of the attack.
Witness (SegWit) [23]. SegWit increases the transaction speed
of Bitcoin by splitting the transaction into segments and
removing the unlocking signatures which are attached sepa- A. Types of Attacks
rately at the end. The majority of the miners accepted this A double-spending attack comes in many forms. We discuss
proposal resulting in Bitcoin Cash. Users who possessed BTC various techniques that can be performed.
were immediately granted an equivalent amount of BCC (The 1) Race Attack: A race attack refers to the case where a
currency of Bitcoin Cash) to the BTC they possessed. merchant accepts an unconfirmed transaction (a transaction
While only borrowing the concept of storing transactions in a transaction pool waiting to be mined and stored in
in a blockchain, some altcoins have been implemented from the blockchain) and immediately provides the payer with a
scratch with a completely different design and purpose. These product/service before waiting for confirmation. An attacker
altcoins strive to provide services and security/privacy coun- with the intention of deceiving the merchant creates two
termeasures beyond the capabilities of Bitcoin or any of its transactions: (i) a transaction that pays the merchant an amount
forks. They present substantial differences such as integrating of BTC in return for a product/service and (ii) a fraudulent
enhanced consensus algorithms or utilizing private (permis- transaction that pays the same amount to the wallet of the at-
sioned) blockchains. In contrast to the public (permissionless) tacker. Both transactions use the same inputs (duplicated BTC)
blockchain of Bitcoin, where all participating nodes are al- and try to spend the same BTC. The attacker concurrently
lowed to execute the consensus protocol, a private (permis- releases both transactions into the Bitcoin network. The miners
sioned) blockchain is limited to only specific nodes. As a consider both transactions as being valid until one of them
result, the cryptocurrency market has witnessed a considerable gets stored in the blockchain. The transaction that gets stored
number of altcoins with substantial innovative features. in the blockchain is referred to as a confirmed transaction.
Things Journal
At that point, the inputs of the stored transaction cannot be controlling the majority of the power, the attacker is capable of
used as inputs to other transactions. Therefore, the fraudulent interfering with the process of mining blocks and reversing any
transaction has a chance of being verified first and added to the block of transactions. During a 51% attack, the system loses
blockchain making the merchant-paying transaction invalid. integrity since the other miners no longer have an incentive to
The invalid transaction is rejected by the system and dropped compete in the mining process.
from the transaction pools of miners. To better comprehend this attack, consider the case where
To avoid a race attack, merchants must wait for the mining the attacker generates a merchant-paying transaction and re-
to be completed and the transaction to appear in the blockchain leases it into the network. The merchant waits for an appro-
before providing the payer with the product or service. It is priate number of confirmations before accepting the payment
recommended that the merchant should wait for at least six and making the trade. Simultaneously, the attacker secretly
subsequent blocks as confirmation before making the trade. In begins to mine a block that contains a fraudulent transaction
this case, the chances for an attacker to reverse a transaction followed by more blocks to extend it. Since the computational
are negligible, assuming that the attacker can control no more power of the attacker is more than the rest of the computational
than 10% of the total computational power used in mining. power of all the miners combined, the attacker can mine blocks
2) Finney Attack: Finney attack was first suggested in a in less time. Once the merchant accepts the transaction, the
Bitcoin forum [24]. Similar to the race attack, the attacker attacker releases the secretly mined blocks to create a fork in
performing this attack will only succeed if the merchant the blockchain. If the fraudulent fork created by the attacker
accepts an unconfirmed transaction. The attacker creates two is longer than the original chain, it becomes dominant and all
transactions similar to those in the race attack and holds miners begin to extend on it. By that, the merchant-paying
on to both of them. The attacker then begins mining the transaction no longer exists in the blockchain.
block containing the fraudulent transaction. If the attacker is This attack represents the biggest threat to Bitcoin as it is
successful in mining the block, the attacker then uses the other directly correlated to the resources an attacker can provide. Re-
transaction to pay a merchant immediately in exchange for a sources are measured in terms of financial and computational
product/service. Once the merchant makes the trade, the at- power. Large entities such as governments or intelligence
tacker releases the mined block which contains the fraudulent agencies have the means to control a large share of the total
transaction into the network. Given that the block is already computational power. They are able to destroy or push the
mined, it will be added to the blockchain immediately. As a system into their favorable status. It is important to note that
result, the merchant-paying transaction will become invalid. In even with a computational power that is slightly less than 50%,
addition to this, the attacker is rewarded the mining reward for an attacker may still be able to severely manipulate the system.
the mined block carrying the fraudulent transaction. However, In the next subsection, we analyze the chances of success of
the ability to independently mine a block is improbable given the attackers based on the share of computational power they
the resources necessary to perform the task. control.
3) Vector76 Attack: In comparison to the race and Finney
attacks, the Vector76 attack requires the merchant to wait for
a single block to be mined and added to the blockchain as a B. Probability of Success
confirmation. To reverse the transaction, the attacker needs to Despite the continuous increasing popularity of Bitcoin, the
create a fork in the blockchain. Initially, the attacker creates number of merchants that have accepted it as a method of
a merchant-paying transaction and does not broadcast it to payment today is still relatively minimal. Many merchants
the network. Next, the attacker tries to independently and have concerns about its capabilities in terms of security, while
secretly mine this transaction into a block. If successful, the others consider it as a slow method to make payments. Those
attacker holds onto the block until the honest miners discover that accept it should try to take all precautions before accepting
another block. The attacker then simultaneously releases the a transaction to prevent double-spending attacks.
block into the network at the same time as the honest miners One of the important precautions is to decide when to accept
release their block which will result in a fork. Before the a transaction before making the trade. Merchants prefer to
fork is resolved, the attacker creates a fraudulent transaction obtain a certain degree of confidence as assurance that the
that double-spends the same BTC used in the merchant-paying payer will not be able to reverse the transaction. Those that
transaction. The attacker then relays the fraudulent transaction can afford to wait a long period of time before accepting a
to the honest miners that do not have the path of the blockchain transaction (for example, online platforms) require a minimum
that carries the merchant-paying transaction. These miners see of six confirmations before accepting a transaction and con-
the fraudulent transaction as valid and begin mining it into a sidering it as being irreversible. However, others that cannot
block. As a result, each path of the blockchain stores one of the afford this time waiting (such as vending machines), rush into
transactions. If the path that holds the fraudulent transaction accepting transactions at the risk of losing the payment to a
grows longer than the other path, the double-spending attempt double-spending attack.
is successful. Similar to the analysis in [1], we model the race between the
4) 51% Attack: 51% attack is the largest threat to the BTC honest miners and the attacker to generate blocks as a binomial
system. This attack is also referred to as the majority attack random walk. The race is denoted as z which represents
in which the attacker (usually a pool of miners) controls more the number of blocks generated by the honest miners with
than half of the total computational power of the system. By computational power p minus the number of blocks generated
Things Journal
by the attacker with computational power q = 1 − p. If a Consider an attacker that possesses an unlimited amount of
block is generated by the honest miners, we increment z by resources and is willing to use as much of it as needed to
1. Conversely, if a block is generated by the attacker, we perform the attack, i.e. y → ∞. If q > p, then
decrement z by 1. The race between the honest chain and
1 − ( pq )y
the chain generated by the attacker can be derived as lim = 1. (14)
( y→∞ 1 − ( pq )y+z+1
zi + 1, with probability p,
zi+1 = (7)
zi − 1, with probability q, qy< p, we first divide the numerator and denominator
For
by pq then calculate the limit as
where i represents an individual block race. If q > p and the
attacker has unlimited resources, the attacker will eventually ( pq )−y − 1
z+1
q
reach z < 0. At that point, the attacker can replace the blocks lim = . (15)
generated by the honest miners and succeed in performing the
y→∞ ( pq )−y − ( pq )z+1 p
attack. Finally, we can summarize the probability of the attacker to
The probability of the attackers to catch up and surpass the surpass the blocks generated by the honest miners as
blocks generated by the honest miners can be compared to the (
Gambler’s Ruin Problem. Similar to the description in [25], z+1
(q/p) , if q < p or z ≥ 0,
we assume a gambler (attacker) begins with an initial fortune Qz = (16)
1, if q > p or z < 0.
i, 0 < i < N , and either wins $1 with probability q or loses
$1 with probability p = 1 − q, in each successive gamble. The The merchant has no way of figuring out the number
game represents a random walk which terminates at i = 0 of blocks that the attacker has been able to secretly mine.
(fail) or at i = N (success). The probability of success after Therefore, one way to model the overall probability of the
i trials is denoted as Pi and can be calculated as: attacker to surpass the honest chain is by using the Poisson
Pi = qPi+1 + pPi−1 . (8) distribution. The expected number
of blocks an attacker can
q
generate is λ = (z + 1) p . The overall probability Ps of
Since q + p = 1, we can rewrite equation (8) as: the attacker to surpass the honest chain can be computed
p by multiplying the Poisson density and the probability of
Pi+1 − Pi = (Pi − Pi−1 ) . (9)
q surpassing the honest z − k remaining blocks as discussed
At i = 0, the attacker has a probability of success P0 = 0. in equation
By rearranging and generalizing equation (9), we have ∞
X λk e−λ
i j Ps= × Qz−k
X p k!
Pi+1 = P1 k=0
q

∞ z−k+1
j=0 X λk e−λ 1− pq , if q < p or k ≤ z,

P 1−( pq )i+1 , if p 6= q, =1− (17)
1 1−( p )
k! 1 − 1 = 0, if q > p or k > z.
k=0
= q (10)
P (i + 1), if p = q = 0.5.
1
For equation (17), if q > p, we will always have Ps = 1,
Let i = N − 1 meaning that PN = 1, we can rewrite meaning that the attacker will win. When q < p, the proba-
equation (10) as bility for the attacker to succeed is

P 1−( pq )N , if p 6= q, z+1 k −λ
X λ e
z−k+1 !
q
1 1−( p )
1 = PN = q (11) Ps = 1 − × 1− . (18)
P N, if p = q = 0.5. k! p
1 k=0
Solve P1 from equation (11) and substitute the result into Another way to model this probability is by using the nega-
equation (10) to obtain tive binomial distribution assuming the attacker can pre-mine
 one block before broadcasting the merchant-paying transaction
 1−( pq )i , if p 6= q, to the network [27]. The merchant waits for n blocks to be
p N
Pi = 1−( q ) (12)
 i+1 , generated by the honest miners with computational power p
N if p = q = 0.5.
before accepting the transaction. At that time, the attacker
Following the analysis in [26], we assume that the attacker can secretly generate m blocks with computational power
begins with an initial fortune i = y and can afford to lose q = 1 − p, where m = n − z − 1. By definition, we can
up to y dollars before giving up. The gambler wins if i = model this as the m number of blocks that the attacker can
N = y + z + 1 dollars. This assumption modifies the game to generate (success) before the n number of blocks the honest
account for the probability Ps of the attacker to surpass the miners can generate (failure). Therefore, the probability of a
blocks generated by the honest miners as successful double-spending attack for a given value m can be
 p y calculated as
 1−( q)
p y+z+1 , if p 6= q,
1−( q )

Pi = (13) m+n−1
 y+1 , if p = q = 0.5. P (m) = × pn q m . (19)
y+z+1 m
Things Journal
releases a transaction into the network that pays v BTC to the

wallet possessed by the merchant. Immediately after releasing
the transaction, the attacker secretly begins to mine blocks
of transactions. One of these blocks contains a fraudulent
transaction that pays the same v BTC to the wallet possessed
by the attacker. The merchant accepts the transaction after
observing that n blocks have been extended to the blockchain.
If the attacker is able to secretly mine m = n + 1 blocks
and replace the n blocks in the blockchain generated by the
honest miners, then the attacker is successful in gaining a
product/service without paying for it. Assume that the attack
returns a value of 2v, one of which is the actual BTC as a result
of reversing the merchant-paying transaction and the other as
the product/service. In addition to this, the attacker gains the
mining reward for each block mined and the transaction fees
Fig. 3. Probability of successful double-spending attacks vs. number of included in each transaction. Then the revenue gained by the
confirmations waited by the merchant. attacker can be formulated based on his/her corresponding Ps
Overall, the probability for an attacker to successfully as follows
surpass the number of blocks generated by the honest miners
can be computed as Revenue ≈ v + Ps (v + Rm) BTC, (22)
∞
X where R is the block reward and the transaction fee per block.
Ps = P (m) × Qn−m−1
m=0
Multiple factors can impact the cost such as the price and
∞ depreciation value of machinery used, the cost of electricity,
X m+n−1
=1− × pn q m (20)
and the amount of BTC being spent in the transaction.
m However, formulating the cost with all the possible factors
 m=0
n−m is infeasible. To simplify it, we focus our analysis on the
1 − pq , if q < p or k ≤ n − m,

× cost factors that could change significantly as the attack is
1 − 1 = 0, if q > p or k > n − m. performed. These factors include the v BTC an attacker spends
in the merchant-paying transaction, the cost of mining m
Similar to the previous analysis, equation (20) confirms that
blocks, and the depreciation cost d(t) of the computing device
when q > p, the attacker will always succeed since Ps = 1.
used in BTC at time t. We derive the cost as follows
When q < p, the probability of success can be defined as
n−1
X m + n − 1 n−m ! Cost ≈ v + meq (t) + d(t) BTC (23)
n m q
Ps = 1 − ×p q × 1−
k p
m=0 where eq (t) is the estimated mining electrical cost in BTC
n−1
per block of a miner with a share q of the total computational

X m+n−1
=1− × (pn q m − pm q n ). (21) power of the system. We assume eq (t) remains constant during
m=0
m
the total time T the attack is performed.
Fig. 3 shows the results of Ps as n changes based on We also assume that the average lifespan of the mining
equation (21). From this figure, the merchant can obtain the equipment is approximately two years. Using straight-line
desired level of confidence before accepting a transaction. The depreciation, d(t) is a negligible value for an attack over
obtained level of confidence is definite for any q at n = 0, a short period of time. Therefore, we can reduce the cost
meaning that the attackers have 100% chance of success. As equation as follows
the number of blocks n increases, the chances of a successful
double-spending attack decline. Conversely, as q increases, the Cost ≈ v + meq (t) BTC (24)
chances of a successful attack increase. The figure also shows
that if q ≥ 0.5 then we will always get Ps = 1. This is The time to mine a single block either by the honest miners
known as the majority attack. In fact, even if the values of q or the attackers is approximately ten minutes. Therefore, we
are slightly less than 0.5, the chances of a successful double- can rewrite equations (21), (22), and (24) as
spending attack could still be high. However, the probability
T
declines exponentially as the value of n increases. 10 −1
X m + T
−1 T T
Ps ≈ 1− × (p 10 q m − pm q 10 ),
10 (25)
m=0
m
C. Attack Profitability
RT
A successful double-spending attack is only profitable if Revenue ≈ v + Ps v + BTC, (26)
10
the revenue is higher than the cost of performing the attack.
Suppose an attacker tries to double-spend v BTC paid to T
Cost ≈ v + eq (t) BTC. (27)
a merchant in exchange for a product/service. The attacker 10
Things Journal
The profit/loss can be formulated from equations (26) and

(27) as
Profit/Loss = Revenue − Cost

RT T
≈ Ps v + − eq (t) BTC. (28)
10 10
Nowadays, to stand a chance in mining Bitcoin, min-
ers merge their computational power into mining pools as
discussed in Section II-H. The mining pools combine the
computational power provided by the computing machine of
each participating miner. Machines are categorized into one of
four groups: Application-Specific Integrated Circuits (ASIC),
Field-Programmable Gate Array (FPGA), Graphics Processing
Unit (GPU), and Central Processing Unit (CPU). Each group
can provide up to a certain computational power. Comparisons
of most of those machines are presented in [28] and [29]. Fig. 4. Profit/loss of attackers with varying computational power q trying to
Each computing machine consumes electricity differently double-spend v = 5 BTC.
based on its specifications. Even machines with similar speci-
We estimate the average electricity cost eq (t) of a mining
fications might vary in cost to operate. As a result, formulating
pool based on its computational power q as
the cost of electricity spent by a miner in the mining process
becomes challenging. H(t) × ea (t) × w × q
eq (t) ≈ C(t) × q ≈ cents/block. (33)
ASICs have monopolized the mining process due to their 6h(t)
incomparable computational power with those of the CPUs,
For our simulations, we assume that the total cost of mining
GPUs, and FPGAs. Miners using any computing machines
blocks C(t) by all miners and computational power q of the
other than ASICs have a negligible chance of competing. Many
mining pool are fixed during the total mining time T . We also
mining pools do not permit miners with these machines to
assume a mining environment consists of miners using only
join their pools. A miner that joins a mining pool with one of
ASICs such as Antminer S9 since it is one of the most efficient
these machines would hardly earn BTC in the event that the
computing machines on the market today. The specifications
pool successfully mines a block. This is because rewards are
of this machine are h = 14 TH/s and w = 1.375 kWh.
usually divided among the miners based on their contributions
Consider an attacker trying to perform a double-spending
as discussed in Section II-H.
attack during the period of February 2020. During that pe-
Our goal now is to formulate the estimated electrical cost
riod, 1 BTC was equal to approximately $9643. The total
eq (t) of a mining pool. First we estimate the total number of
hashrate power was approximately H = 110M TH/s and
miners N (t) based on the total hashrate H(t) of the system
the average cost of electricity for all sectors in the U.S. was
at a certain time t as
approximately 10.45 cents/kWh, based on the data collected by
N (t) ≈ H(t)/h(t), (29) the U.S Energy Information Administration [30]. Under these
circumstances, in Fig 4 we present the expected profit/loss of
where h(t) is the average hashrate of a single mining machine double-spending attacks for various computational powers q.
involved in mining at time t. For this analysis, we assume the attackers try to double-spend
The cost of electricity is measured in cents/kWh and varies v = 5 BTC.
based on the end-use sector and time t. End-use sectors In Fig. 4, a point above y = 0 represents a profit while
include, residential, commercial, industrial, and transportation. one below it represents a loss. The point of intersection of a
We denote the average cost of electricity of all sectors at time curve with y = 0 represents the break-even point of an attack.
t as ea (t). Using the computing wattage w of the machine, The amount of BTC spent to perform the attack at this time
the average running cost c(t) of a machine at time t is is equal to the revenue returned. By analyzing the figure, we
c(t) ≈ ea (t) × w cents/hour. (30) attain the following findings:
1) For any value q at t = 0, the attacker turns a profit of
Using equations (29) and (30), the total cost E(t) for all exactly v BTC. Recall in Fig. 3, for any value q at n = 0
miners at time t is (or t = 0), Ps = 1. The merchant accepts an unconfirmed
transaction giving the attacker a theoretically perfect chance
E(t) ≈ N (t) × c(t) cents/hour. (31)
to succeed. In this example, the attacker is trying to double-
We know that it takes approximately 10 minutes to generate spend v = 5 BTC resulting in a profit = 5 BTC for all values
one block, i.e. in T = 1 hour, miners can generate m = 6 q at t = 0.
blocks. Therefore, the total cost C(t) for all miners to generate 2) When the merchant waits for n confirmations before
one block at T = 10 minutes can be estimated as accepting a transaction, the attacker is forced to mine blocks
E(t) in order to create a fork in the blockchain and succeed in the
C(t) ≈ cents/10 minutes (1 block). (32) attack. As discussed in Fig. 3, the probability of success is
6
Things Journal
based on the computational power q of the attackers. Larger IV. B ITCOIN S ECURITY - N ETWORK ATTACKS
values of q correspond to higher probabilities of success Ps , Bitcoin is designed to operate over a P2P network. It is
hence larger profits/losses. We also know that Ps declines as vulnerable to the decentralized network attacks which can
n (or t) increases for all values q < 0.5. As a result, the profits escalate other issues. In this section, we will discuss major
eventually turn into a loss as time progresses. An attacker with network attacks that can compromise Bitcoin and present net-
a smaller value q begins losing at an earlier time during the work related issues. We also suggest possible countermeasures.
attack while one with a larger value q can withstand longer
periods before losing. However, as reflected by the figure, the A. Denial of Service Attacks
losses of attackers with smaller values q are less and continue
to increase slower than those with larger values q. This is due Denial of Service (DoS) attacks flood the network with
to the fact that the cost of electricity eq (t) for attackers with bogus traffic in order to disrupt legitimate services and par-
larger values q are larger than those with smaller values q. ticipating components connected to the Bitcoin network. As
an example, DoS attacks on a mining pool can result in
3) In Fig 4, an attacker with q = 0.1 to q = 0.2 represents eliminating the pool from the mining competition, hence
the scenario that begins at the maximum possible profit if giving an advantage to other miners. They could also facilitate
only one block is added, then continues to decline till the double-spending attacks by preventing certain miners from
break-even point. When the number of blocks is increased observing the actual transaction flow [33], [34].
to two, the attacker will most likely fail to turn a profit. In Some nodes prefer to privately connect to the Bitcoin
other words, one block of confirmation for a transaction worth network in order to limit the possibilities of becoming victims
of 5 BTC should give the merchant enough confidence that of DoS attacks. However, this limits the nodes to at most 8 out-
an attacker with q = 0.1 to q = 0.2 will not be able to going connections. As the number of private nodes increases in
reverse the transaction. If the attacker continues to perform the network, the random topology connection weakens. With
the attack beyond this point, the cost will continue to increase fewer connections between the nodes, information is flooded
while the revenue declines leading to a loss. As a result, the at slower rates. There is also no guarantee of the legitimacy
attacker would most likely surrender at the break-even point of the 8 outgoing connections each private node connects to.
to minimize any losses. This means that even a private node can still be vulnerable to
a DoS attack if it unluckily connects to malicious nodes.
4) For q = 0.3 to q = 0.4, Fig 4 shows that the profit Bitcoin developers are continuously updating the Bitcoin
continues to grow as t increases until it reaches a maximum implementation in an effort to minimize the chances of DoS
point due to the accumulation of the mining rewards. Once occurrences. The newer versions analyze the network connec-
the chance of success Ps starts to decline with t, the profit tions more closely to try to eliminate suspicious nodes from
also begins to decrease until it reaches the break-even point connecting. Developers also strive to limit certain transac-
and later turns into a loss. However, for q ≥ 0.5, the attacker tions/blocks from being flooded throughout the network. New
always succeeds. The profit is represented as a straight line transactions/blocks are given priority over less important ones
with a positive slope where the slope represents the rate of such as orphan transactions/blocks. Certain parameters such
turning a profit. as block size are also continuously being altered to adjust the
network based on its needs. However, the nature of the P2P
As discussed previously, to increase their chances of win- network makes Bitcoin vulnerable to these attacks.
ning in the mining competition, miners merge their compu-
tational power. However, an attacker with a computational B. Sybil Attacks
power q < 0.5 will eventually lose at some point as t Peer-to-peer networks are also vulnerable to Sybil attacks
increases. On the other hand, an attacker with computational [16]. In Sybil attacks, the attacker sets up multiple pseudony-
power q ≥ 0.5 will always succeed with a profit. However, mous identities from a single node. In this way, the attacker
it is important to note that this analysis does not include the can acquire an unfair number of shares of the network IP
luck factor. Consider two miners with computational powers addresses. The honest nodes in the network can easily be
q1 and q2 respectively, where q1 > q2 . The miner with deceived into believing that the IP addresses belong to different
computational power q1 has more resources to solve the nodes. With a large number of IP addresses, the attacker
proof-of-work, therefore can perform mining faster than the can monopolize other connections of nodes and control data
miner with computational power q2 . However, the miner with propagating to them.
computational power q2 could still find the solution to the A countermeasure to this attack was proposed in the original
proof-of-work first due to the randomness of the exhaustive Bitcoin white paper [1]. This countermeasure also presented
search performed. From a probabilistic standpoint, the chances a solution to the majority decision-making problem. It is
are low. Moreover, it is worth mentioning that attackers may more convenient to have a one-to-one relationship between
improve their chances through bribery or selfish mining. In a a computing machine (node) and a vote instead of having one
bribery attack [31], the attacker may purchase mining power between an IP address and a vote. An attacker reproducing
from other miners at a premium cost. In a selfish mining multiple IP addresses from a single node can no longer make
attack [32], rational miners are encouraged to join larger use of them. Every node must engage in a proof-of-work
mining pools as it would result in larger revenue streams. procedure to prove its legitimacy as discussed in Section II-F.
Things Journal
Other countermeasures have been taken by the Bitcoin arrive, a deterministic eviction method could be used instead
developers to limit Sybil attacks. Each outbound connection is of the random eviction technique. In this way, each IP address
limited to a single IP address per subnet mask 255.255.0.0 (i.e. is mapped to exactly one slot in the tables rather than multiple
x.y.0.0/16). In other words, a malicious node can theoretically slots, requiring the attacker to possess a large number of
generate 65536 IP addresses per network prefix consisting of addresses. Also, allowing random selection of IP addresses
16 bits where only one can be utilized in a requested outbound rather than choosing the most recent ones when initiating an
connection. Today, owning a machine with different network outbound connection makes the attack less biased to the bogus
prefixes that consist of 16 bits which can generate numerous IP addresses of the attacker. Other measures include checking an
addresses is impracticable. Malicious users with IP addresses evicted IP address before replacing it with a new one. If the
belonging to different network prefixes need to collude in order address still connects successfully, there is no reason to evict
to pull off such an attack. and replace it with another one. Feeler and anchor connections
Developers can continue to increase the security by limiting are also good methods that can disrupt an attacker. Other
outbound connections to larger subnet masks (for example measures such as increasing the size of the tables, allowing
x.y.z.0/24), however, this would limit the connection possibil- more outgoing connections, or banning unsolicited addr can
ities to the outbound connections which contradicts the P2P also greatly limit eclipse attacks.
network. To optimize security, the subnet mask should be
modified dynamically based on the available network prefixes
D. Routing Attacks
of the nodes connected to the network. This optimization is
very challenging since there is no fixed pattern to how or The main purpose of a routing attack is to intercept the
when nodes connect to the network. In general, this practice network transmitted messages and tamper with them. The
is a weak security countermeasure and can slightly increase work presented in [39] proposed a routing attack on Bitcoin
the security if optimized. via the Internet infrastructure. The Border Gateway Protocol
Users should also realize that the majority of node connec- (BGP) [40] is the most widely used protocol when transmitting
tions are inbound connections (117). If we were to assume that data between Autonomous Systems (ASs). An AS manages a
all the 8 outbound connections of a node are legitimate, there set of nodes with similar IP address prefixes and is responsible
is no guarantee that the inbound connections are genuine. A for routing data between its nodes and other ASs.
private node relies only on its outbound connections to limit The proposed attack intercepts traffic between ASs by
its network connections and the data it receives. performing two independent attacks: partitioning attack and
delay attack. The attack takes advantage of the fact that ASs
C. Eclipse Attacks do not validate the newly announced BGP routes which could
The Eclipse attack on Bitcoin was proposed in [35]. The result in possible BGP hijacks. A malicious AS can announce
primary purpose of an eclipse attack as defined originally forged IP address prefixes to deceive other ASs into believing
in [36]–[38] is to monopolize all the outbound and inbound false routing information. As a result, a successful attacker
connections of a node within a P2P network. As a result, the will be able to intercept all the traffic for nodes with a certain
victim node becomes isolated from the rest of the network IP address prefix before it reaches its original destination.
and only receives data fed to it by the attacker. By monopo- The partitioning attack strives to partition the Bitcoin net-
lizing the connections of a node, the attacker can control the work into two disjoint groups. One group represents the set of
blockchain view of this node. The eclipse attack targets nodes isolated nodes while the other group represents the remaining
that are possibly discoverable; nodes with public IP addresses. network. The attacker, usually an AS, requires BGP hijacking
It strives to populate the tried and new tables of nodes with of other ASs. Once hijacked, the attacker can intercept all
bogus IP addresses by frequently sending the victim nodes inbound and outbound traffic of all the victim ASs. However,
unsolicited addr messages. When the tables of nodes are full, the attacker cannot intercept the traffic of stealth connections.
they begin evicting random IP addresses to replace them with Such connections include intra-AS, node connections within
the newer ones. the same AS, intra-pool, node connections between gateways
The attack requires the victim node to restart all of its belonging to the same mining pool or pool-to-pool, private
connections. Examples that may cause connection restarts connections established between pools. Stealth connections
include Internet Service Provider outages, power failures or can leak data to the isolated group of nodes and result in an
system/software updates. When the node tries reconnecting attack failure. Therefore, the attacker must detect such nodes
to its 8 permitted outbound connections, it will choose the and remove them from the lists of nodes to be isolated.
compromised addresses in either the new or tried tables with Once the network is divided into two groups, the attacker
a bias towards the newest stored IP addresses. The optimum can perform the delay attack. The main goal of the delay
time to perform the attack is after populating the tables of the attack is to tamper with data propagating to its destination and
victim node with a decent number of controlled IP addresses. cause a stall. The success of the attack relies on the fact that
The chances of a successful attack are based on the percentage message exchanging (inv, getdata, and tx) is not encrypted.
of the controlled IP addresses and the time an attacker spends If the attacker intercepts the flow of traffic between ASs, it
performing the attack. is possible to tamper with these messages without any node
To limit an eclipse attack, some countermeasures have been learning about it. For example, when a node within an AS
proposed [35]. When replacing IP addresses as newer ones requests data from its peer within another AS, the attacker
Things Journal
will intercept the requested message (getdata) and modify the

request. As a result, the sending node will send undesired data
s Seed
and cause the receiving node to resend a request message. As

Master
long as the attack occurs in a 20-minute time frame, the nodes Depth 0 k Key
will not lose their connection and will not be aware that their
messages are being tampered with. Child
The authors in [39] suggest some countermeasures to limit
Depth 1 k k k k Key
the routing attacks. Simple measures include increasing and
diversifying AS connections. Also, monitoring the network Grandchild
Depth 2 k k k k k k k k k k k k Key
information such as round-trip time can help identify potential
...
threats. More complex measures can include, encrypting mes-
...
sages, using different channels and ports, and simultaneously Fig. 5. The structure of a hierarchical deterministic wallet.
requesting data from more than one peer. However, implement-
Hierarchical Deterministic (HD) wallets, referred to as Type-
ing such more complex measures could introduce additional
2 wallets, were later introduced based on the BIP0032 stan-
cost and delay.
dard [42]. In HD wallets, keys are generated in a tree structure
as shown in Fig. 5. The key of a node is generated using its
V. B ITCOIN WALLET S ECURITY corresponding parent node key.
Unlike physical wallets that are used to hold cash and For each node, a key consists of three components: a private
banking cards, Bitcoin wallets behave differently. A bitcoin key Pr, a public key Pub and a chain code (CC). The chain
wallet does not store actual BTC. Instead, it stores the private code is a third component introduced to prevent the derivation
and public key pairs that can be utilized to prove the ownership of the key of a child node from only the private and public
rights to certain BTC stored over the blockchain. As discussed keys of the parent node. In this way, the extended key is an
in Section II-B, keys are generated using pseudo-random extension of both the private and public key. The extended
number generators and elliptic curve cryptography. In this private key is a combination of the private key and chain code
section, we discuss the variations in Bitcoin wallets and outline which is used to derive the private key of a child node. Using
the security issues in each. the derived private key of the child node, it is possible to derive
Similar to [41], we first discuss Bitcoin wallet security based its corresponding public key as explained in equation (1). On
on the key generation and infrastructure of the wallet. Three the other hand, the extended public key is a combination of the
types of wallets have been defined in BTC. We summarize the public key and chain code which is used to derive the public
comparison between all three types in Table I. key of a child node. It is important to realize that the public
The simpler wallets are categorized as nondeterministic key of a child node can be derived using either the extended
wallets, sometimes referred to as Type-0 wallets. In these private or extended public keys.
wallets, when a new pair of keys is requested, the wallet Key generation begins at depth 0 which derives the root
generates a random private key as shown in equation (1). Next, node (master) key components using a randomly chosen seed
the wallet derives its corresponding public key as described in (s). In many wallets, s is in the form of a mnemonic word
equation (1). The generated key pair is completely random sequence as described in BIP0039 standard [43]. A mnemonic
and uncorrelated to the previously generated keys. However, word sequence is a sequence of English words that represents
these wallets require sophisticated management and could fail a random number used to derive s. Using s, the master private
to perform well as the number of stored keys grows exceeding key PrM and chain code CCM are derived as
the storage capacity of the wallet. A consistent backup of the
PrM = Left256(HMAC-SHA512(s)), (35)
generated keys is also essential to ensure that the users can still
M
access their BTC in the event of a wallet being unavailable. CC = Right256(HMAC-SHA512(s)), (36)
However, backups are liable to theft and can result in exposing
where HMAC-SHA512 is a one-way hash-based message
all the keys belonging to a wallet.
authentication code that outputs a 512 bit digest and functions
Deterministic wallets are another type of BTC wallets. They
Left256 and Right256 extract the left and right 256 bits of
are also referred to as Type-1 wallets and can handle the
the digest respectively. Using the result in equation (35),
drawbacks of type-0 wallets. In this type of wallet, all the
the master public key PubM is generated as described in
generated keys are based on a common and randomly chosen
equation (1).
seed s. Using the s, all the keys are derived in a deterministic TABLE I
manner. First, a private key with an index i is generated as WALLET I NFRASTRUCTURE C OMPARISON .
Infra. Management Seed Backup Structure
Pri = SHA256(s||i). (34) Type 0 Complex No All keys Random
Type 1 Moderate Yes Only seed Sequential
Using equation (34), the corresponding public key Pubi is Type 2 Simple Yes Only seed Hierarchical
then generated as discussed in equation (1). In contrast to
nondeterministic wallets, deterministic wallets need only to The next step is to generate keys for the children nodes
keep a backup of s to regenerate all of the previously derived at depth 1 in the tree. Keys can be generated differently
keys. depending on the security of the environment in which the
Things Journal
wallet is being used. For example, when used in a secure children keys of the master node using the hardened CKD
environment, the wallet uses the extended private key to to keep the master key as secure as possible.
generate all the components of a child node key. This includes Bitcoin wallets can also take other measures to increase
the private key which would allow the user to spend BTC from the security of storing keys. Practices such as P2SH [44] and
the wallet. Using the private key Prp of the parent, we can Multi-Sig transactions increase the security of the BTC stored
generate the corresponding public key Pubp and derive both in the wallet, as discussed in Section II-C. Such techniques
the private key Prc and chain code CCc of the child using a are referred to as threshold techniques as they require M -of-
Child Key Derivation (CKD) function as N private keys to enable BTC spending. Other wallets enhance
the security by encrypting the stored private keys along with
Prc = Left256(HMAC-SHA512(Pubp ||CCp ||i))+Prp , (37) a pass-phrase chosen by the owner of the wallet as defined in
CCc = Right256(HMAC-SHA512(Pubp ||CCp ||i)), (38) BIP0038 standard [45]. That is
where Pubp = PubM , Prp = PrM , CCp = CCM are the Encrypt(Pr) = AESk (Pr||PassPhrase), (43)
public key, private key, and chain code of the parent node
where AES is the Advanced Encryption Standard [46] and
respectively and i is the index of the child node. Using the
k is the encryption key. If a user wishes to spend BTC, the
result of equation (37), we can derive the public key Pubc of
user must first decrypt the corresponding encrypted private key
the child node as explained in equation (1).
using k and the pass-phrase previously used in encryption.
On the other hand, when used in an insecure environment, Although encryption provides higher levels of security, the
the wallet uses the extended public key to derive only the user must keep the pass-phrase and encryption keys stored
public key and chain code of the child node instead of the securely.
private key. This protects the private key from being exposed
TABLE II
to potential attackers. It also allows payments to be made to WALLET F UNCTION C OMPARISON .
the wallet while preventing them from being spent. The public Type Function Examples
key Pubc and chain code CCc of the child node are derived Generate private key, derive pub-
coinbase.com [47],
using the CKD function as Full Service lic key, distribute public key, moni-
blockchain.info
(online) tor output TX, create/sign unsigned
[48]
TX, broadcast TX
Pubc=Left256(HMAC-SHA512(Pubp ||CCp ||i))+Pubp , (39) Signing-only Generate parent private key, derive Ledger Nano [49],
CCc=Right256(HMAC-SHA512(Pubp ||CCp ||i)). (40) (offline) parent public key, sign TX TREZOR [50]
Distributed customized pre-
Derive CKD, Distribute public key
Although using the extended public key is more secure (offline) populated database
as it does not expose the private key, it may still put the
wallet at risk. The extended public key exposes the chain code The wallets that exist today come in different forms and
which is an essential component in key derivation. Using an account for different security measures. Based on the different
exposed chain code and public key, an attacker can perform installation environments, wallets can be categorized into three
a brute-force attack on all the chain codes derived from it types: online (web) wallets, desktop (software) wallets, and
as shown in equation (40). In other cases, if the private key mobile wallets. As in [51], we can further categorize each type
of a node is compromised in any way, the attacker can use of these wallets into: full-service wallets, signing-only wallets
it along with its corresponding exposed chain code to derive and distributing wallets, based on the functions that they can
the extended private keys of all the descending children nodes perform. Table II summarizes these different functions.
as shown in equations (37) and (38). We also consider the A full-service wallet is one that can perform all the func-
worst case scenario where an attacker is capable of reversing tions required to spend and receive BTC. These functions
a derived Prc as shown in equation (37). If successful, using include generating private keys needed to spend BTC, signing
the corresponding parent extended public key, an attacker can transactions with the private keys, deriving public keys needed
derive Prp . to receive payments of BTC, broadcasting the derived public
To counter these issues, HD wallets also implement an keys to the network, and monitoring the BTC spending and
enhanced derivation function known as the hardened CKD. receiving of a wallet. Full-service wallets must be able to con-
This derivation strives to secure the exposed chain code within nect to the Bitcoin network. Examples of online full-service
an extended public key. It prevents the public key of a wallets include the wallets provided by coinbase.com [47]
child node from being derived from the extended public key. and blockchain.info [48]. Armory, Electrum and Bitcoin Core
Therefore, the extended private key of the parent node is only are the most popular desktop full-service wallets today. For
useful to derive a hardened private key Prch and chain code mobile wallets, an example that runs on both Android and
CCch of the child node as iOS includes the Airbitz wallet.
The second type of wallets are the signing-only wallets. The
Prch = Left256(HMAC-SHA512(Prp ||CCp ||i))+Prp , (41) main purpose behind these wallets is to enhance the security
CCch = Right256(HMAC-SHA512(Prp ||CCp ||i)). (42) of the wallet by generating private keys in secure offline en-
vironments. Working in conjunction with a networked wallet,
Using the result in equation (41), the corresponding hardened the signing-only wallet can interact with the Bitcoin network
public key Pubch of the child node can be derived as explained and can deterministically generate pairs of private and public
in equation (1). In practice, it is suggested to derive the keys as needed to transfer the public key to the networked
Things Journal
wallet. The role of the networked wallet is to distribute the Throughout the history of cryptocurrencies, multiple attacks
public key to allow payments to be made to the wallet. In have occurred to exchanges that resulted in massive losses and
case of an HD wallet, the network can also generate child severe price panics to certain cryptocurrencies. In 2011, one of
node keys as desired. Once the networked wallet detects a the most notable Japanese-based exchanges, Mt. Gox, online
transaction addressed to one of the public keys that it has wallets were hacked, leaking all the private keys it stored in
distributed, it creates an unsigned transaction based on the the wallet.dat file. Mt. Gox was able to recover from that
UTXO and transfers it to the signing-only wallet. The signing- heist, however, later in 2014, it filed for bankruptcy and was
only wallet then uses its private key that could be derived from shut down since it was responsible for around 70% of Bitcoin
an extended private key in the case of an HD wallet to sign the trading volume and lost approximately 850,000 BTC that was
transaction and returns it back to the networked wallet. Finally, valued at more than $450 million dollars. The hackers were
the networked wallet distributes the signed transaction in the able to even steal BTC stored in the exchange’s hardware
Bitcoin network to claim the BTC. wallets. There is no legitimate evidence of how the attack
Signing wallets can either be offline wallets or hardware occurred. In March 2014, Mt. Gox reported on its website
wallets. Offline wallets are designed to reduce the network that it had found 200,000 BTC from the total stolen in old-
vulnerabilities. Their tasks include private key derivation and format digital wallets. The other 650,000 were believed to be
transaction signing. The signed transactions are transferred via laundered on another exchange platform known as BTC-e.
removable media to the online wallets. Offline wallets provide The problem is that such heists could possibly occur again.
higher levels of security than the full-service wallets, however, Exchange platforms remain to be an extremely attractive
they require a continuously isolated device. On the other hand, hacking points for hackers since they hold so many funds
hardware wallets are less of a hassle than offline wallets. in the least secure manner. Users are recommended to keep
They are connected directly to the networked device which limited amounts stored in exchanges while storing the majority
eliminates the dependency of removable media when commu- of their funds in hardware wallets.
nicating between the signing-only wallet and the networked Another issue is whether or not it is possible to track
model. However, the hardware wallet is also inconvenient in the movement of stolen cryptocoins, hence, catch the hacker.
situations where the owner makes frequent payments since the Based on our analysis, it is theoretically possible. However,
owner must constantly carry the hardware wallet to be able there have been scenarios where hackers were able to launder
to make a payment anytime. As a result, many people use large portions of stolen cryptocoins such as the example
hardware wallets for long-term storage rather than day-to-day discussed previously. Another famous example occurred in
transactions. Utilizing this type of wallet, one can store large January 2018 when about $534 million dollars worth of a
amounts of BTC in the most secure environments. Popular cryptocoin known as XEM were stolen from a Japanese-based
examples of hardware wallets today include the Ledger [49] exchange known as Coincheck.
Nano and TREZOR [50]. In conclusion, we stress on the fact that there remains to be
The final type of wallets are the distributing-only wallets. a trade-off between the security of a wallet and the ease of use.
These wallets also strive to reduce the security issues caused The most frequently used wallets today are full-service wallets.
by the full-service wallets. They are in the form of networked They are free, user-friendly and can perform all functions
wallets for public key distribution in a prepopulated manner, needed by a BTC owner. However, these wallets could be
where the public keys are derived and distributed as needed vulnerable to theft since they are connected to the network.
by the network. Other distributing-only wallets are capable of
generating the public keys as the case in HD wallets.
VI. B ITCOIN N ETWORK P RIVACY
Exchange platforms store large portions of cryptocoins in
online wallets to provide their users the advantage of reduced Bitcoin suffers inherent privacy issues in that attackers could
transaction time due to the immediate availability of their link certain identities to their pseudonyms (such as Bitcoin
private keys. This is analogous to storing cash in a centralized addresses) and identify their history of transactions. This is
entity such as a bank. It is important to point out that storing known as the linking problem. Many users publish their real
cryptocoins in an online wallet provided by an exchange identities and Bitcoin addresses online so that others can
platform is the least secure method since it means storing the make payments to them. This practice is common among
corresponding private keys that can spend those cryptocoins. blogs and websites that request BTC as donations or those
The users must completely trust the exchange platform to selling a product or service. These actions could jeopardize
safely store the private keys and not act maliciously. Even their anonymity. Another common example is when users
worse, assuming we can trust an exchange platform, crypto- trade BTC for other altcoins over exchange platforms. Most
coin owners are still at risk of losing their cryptocoins in the exchange platforms require users to validate their identities
event the exchange platform online wallets are hacked and by uploading a copy of official identification which exposes
the private keys are leaked. A hacker that gets a hold of the the users to the exchange applications. Such examples do
private keys can immediately use them to send the cryptocoins not require an attacker to learn the full transaction history of
to his/her personal address. Once the transaction is processed those users. Simply by tracing the Bitcoin addresses over the
and stored over the blockchain, it becomes immutable to being blockchain, the transactions could be revealed. In fact, even
deleted/modified and most likely will not be reversed unless cautious users that do not publicly use their identities may be
the blockchain is hard forked. at risk as well.
Things Journal
Bitcoin utilizes Bitcoin addresses as its defense mechanisms centralized makes it prone to being compromised. In addition,
to preserve the privacy of users. When generated for the tumblers charge users mixing fees in return for their services.
users, bitcoin addresses do not leak any information about In an effort to mitigate these risks, new generation of
the identities of the users. However, attackers strive to search decentralized peer-to-peer tumblers were introduced. Instead
for links between bitcoin addresses and user identities using of sending BTC to a tumbler that performs mixing, the users
auxiliary information available over the network. If a link is themselves are involved in the process. For example, Coin-
found, it is possible to discover all the other Bitcoin addresses Swap [60] is a protocol that allows two parties to exchange
belonging to that user and revealing the complete history of Bitcoins with the help of an intermediary who facilitates the
BTC transactions of the user. Today, powerful analysis tools Bitcoin swapping. Each party establishes a payment channel
and search engines can be utilized to discover the Bitcoin with the intermediary using hash time-locked contracts to
address and determine this information. Even the strongly prevent the intermediary from stealing the Bitcoins. However,
encouraged practice of using a new Bitcoin address for every given that the intermediary knows both participating parties,
new transaction cannot completely prevent this information it can still compromise privacy. To solve this issue, Tum-
from being revealed once a Bitcoin address is linked to an bleBit [61] was later proposed allowing multiple participants to
identity of the user. setup payment channels using the same intermediary. Instead
The auxiliary information can be obtained by multiple of swapping, TumbleBit allows users to make anonymous
methods. Different techniques exist today that can speculate payments utilizing crypto-puzzles and blind signatures. The
links between Bitcoin addresses and user identities. The study paying user would generate a puzzle, blind it, and share
in [52] shows that using information about how nodes are the result with the intermediary along with the amount of
connected within a network can help identify users. In [53], it 1 Bitcoin. The intermediary would then solve the blinded
was shown that patterns of co-occurrences may reveal useful puzzle and return the blinded solution to the paying user. The
information and lead to any ties. The study in [54] showed that paying user next unblinds the solution and sends it along with
just by monitoring the communication channel, users are likely the original puzzle to the receiving user. The receiving user
to lose their anonymity. In [55], an analysis is presented that can then share both values with the intermediary and obtain
shows how compromised network nodes can leak significant the 1 Bitcoin. As more participants interact with the same
user information and link them to certain transactions. intermediary, it becomes infeasible for the intermediary to link
Users can run their nodes over Tor [56] in an effort to hide the participants together.
their information from the rest of the network. Tor is a software
that provides an additional layer of anonymity. It utilizes multi-
B. Bitcoin Joint Transactions
layer encryption and random relaying nodes to transfer data
between a sender and receiver. The sender begins by sending A joint transaction allows different users to combine the
the multi-layer encrypted message to a random node that inputs and outputs of their transactions into a single transaction
decrypts a single layer and transmits it to the next relaying to be processed as a whole. All participating users must
node. This process continues until the message is completely provide their own signatures to the transaction to unlock
decrypted and arrives at the receiver [57]. However, multiple their input portion. Once all participating users correctly sign
studies, such as [58], [59], have shown that even a low- their inputs, the transaction can be processed as a regular
resource attacker could be capable of gaining information transaction and added to the blockchain. An attacker can no
flowing between users running their Bitcoin nodes over Tor. longer trace the BTC movement of a user since there is no
This information can include the data sent between nodes or direct relationship between the inputs and the outputs of a
even the location of the nodes within the network topology. transaction. The level of privacy provided by a joint transaction
Other efforts have also been employed in an effort to increases with the number of participating users. This also
improve the anonymity of Bitcoin. We classify these efforts results in a lower transaction fee that is paid by each user
into two main classes: mixing services and joint transaction. as it is divided among more users. In 2013, Gregory Maxwell
introduced this concept as CoinJoin [62] which is widely used
in practice today. CoinJoin eventually began to evolve and
A. Bitcoin Mixing Services existed in multiple flavors. Notable examples that introduced
BTC mixing is an approach that mixes identifiable BTC in new concepts are described below.
an effort to make them unrecognizable by public observers. SharedCoin: Provided by Blockchain.info, SharedCoin is one
The first generation mixing was centralized and performed by of the initial implementations of the CoinJoin protocol that
tumblers. Tumblers are third party mixers that receive BTC ran over a centralized server. The centralized server was the
from different users, randomly mix them up, and then return meeting room for the participating users to meet and combine
to the users their updated BTC amounts. An attacker would their transactions together. Since users meet in one place, the
no longer be able to trace the BTC of a certain user since the server is capable of keeping logs of the transactions processed
user no longer possesses the same BTC that he/she previously over it. This requires users to completely trust the server
owned. However, a tumbler being a centralized entity presents not to misuse these logs and put their information at risk if
many threats to the users. It must be fully trusted not to compromised. Shortly, Kristov Atlas created CoinJoin Sudoku,
steal the BTC it mixes or even leak any information about a software that is capable of analyzing the mixing process
the mixing process. Even when completely trusted, being performed by SharedCoin. The software aims at discovering
Things Journal
the relationships between transactions and their owners. It participating users, market makers, and market takers. Market
clustered matching inputs and outputs of transactions trying makers are users who are willing to mix their BTC at any
to identify a common owner. However, this implementation is given time in return for a fee. On the other hand, market
completely suspended due to its various privacy limitations. takers are users that demand immediate mixing service and
Dark Wallet: In 2013, Cody Willson and Amir Taaki intro- are willing to pay a fee as compensation to the market makers.
duced Dark Wallet [63]. It provides anonymity using stealth Market makers and takers negotiate the service over an Internet
addresses and the CoinJoin protocol. A stealth address is a Relay Chat (IRC) channel. Once terms are discussed, a mixing
public seed address combined with some metadata used to contract is generated which enables each participating user to
derive an actual address for a payee to receive transactions. operate from their own personal machine. The fact that the
The metadata is shared only between the payer and the payee, system is decentralized protects users from the need to trust a
and cannot be accessed by the public observers. To generate centralized entity. Furthermore, the fee paid by the takers to
an actual address, the payee generates a private key and its the makers incentivizes them to continue to join.
corresponding public key. Next, the payer uses the public key
of the payee and some metadata to generate a transaction VII. S ECURITY AND P RIVACY OF A LTCOINS
with a new address. Once the payee learns the metadata, it The continuous emergence of altcoins presents enhanced
can claim the amount attached to the transaction by deriving features to the cryptocurrency enthusiasts. Some of these
the appropriate key from the stealth address. Others trying to altcoins have proven to provide enhanced security and privacy
trace the transaction that was received with a stealth address over Bitcoin. However, Bitcoin continues to remain at the top
would not be able to trace it. However, Dark Wallet cannot of the list of cryptocurrencies with the largest market cap. This
provide complete anonymity against linking users to certain contradiction raises questions around its dominance.
BTC transactions since the payer can trace it. In this section, we unfold major security and privacy ad-
CoinShuffle: CoinShuffle was introduced in 2014 [64]. It is vantages of altcoins. We first investigate distinct consensus
a combination of the CoinJoin protocol and the accountable algorithms implemented by different altcoins in an effort to
anonymous group communication protocol Dissent [65]. Its keep their network secure. We strive to elucidate the security
main purpose is to eliminate the involvement of third parties advantages of these algorithms over the proof-of-work imple-
while achieving anonymity and protection against DoS attacks. mented by Bitcoin. Next, we discuss major altcoin privacy
The protocol consists of three main phases: announcement, protocols and privacy improvement over Bitcoin.
shuffling and transaction verification. In the announcement
phase, the participants generate a new pair of private and A. Altcoin Security
public keys then broadcast their corresponding public key to
The Proof-of-Work (PoW) implemented in Bitcoin utilizes
the other participants. In the shuffling phase, each participant
SHA256: a CPU-bound function. The time needed to run
generates a new Bitcoin address to be used as their output
SHA256 is determined by the speed of the machine. Powerful
address in the mixing transaction. Following that, the partic-
machines such as ASICs can run SHA256 millions of times
ipants obliviously shuffle these generated Bitcoin addresses.
faster than various other CPUs, GPUs, and FPGAs. This
In the transaction verification phase, every participant checks
created an unfair mining competition since not all miners use
whether their Bitcoin address is contained in the output list.
the same computing machine. In fact, it eliminates miners
If present, each participant creates a mixing transaction that
using CPUs, GPUs, and FPGAs since their chances of success
spends the inputs to the shuffled list of outputs, signs the
are negligible when compared to those using ASICs.
transaction, and broadcasts the signature. Once each partic-
This PoW has also been greatly criticized for being an
ipant receives the signatures of the others, every participant
energy-wasting technique. Mining is performed using powerful
can generate a fully signed version of the mixing transaction.
computing machines that require substantial energy to run.
Dishonest behavior can be detected by the presence of one
Most of the energy used by all these miners ends up being
honest participant who would not broadcast his/her signature
wasted since the output of only one miner is used to extend
and report the dishonesty to all other participants.
the blockchain. As a result, the cost of running this PoW
However, Coinshuffle suffers anonymity vulnerability if not to achieve consensus is extremely costly. In addition, it is
used cautiously since it allows users to assign change back expected that Bitcoin will suffer a mining tragedy of the
to themselves in the mixing transaction. Once the change is commons [67]. The mining reward will converge to zero since
assigned to the Bitcoin address of the user, anonymity could it continues to halve approximately every four years (precisely
easily be lost. The best solution to this problem is to use every 210,000 blocks). Eventually, the miners will no longer
amounts that do not require any change. However, the user have an incentive in taking part of the consensus procedure
does not necessarily get to choose what amount to use since the someday. This will force the transacting users to increase their
user must use UTXO(s) from previous transactions. In addition transaction fees as an alternative incentive to the miners. As
to this, Coinshuffle reveals the identities of the participants a result, both the users and miners will be driven away from
among each other during the process. the system.
JoinMarket: JoinMarket [66] is a decentralized CoinJoin In an effort to mitigate these issues, some altcoins replaced
implementation. It aimed at improving the privacy of all the SHA256 with memory-bound hash functions in their PoW. In
previous implementations. JoinMarket introduced two types of comparison to the CPU-bound function used by Bitcoin, the
Things Journal
time needed to run memory-bound functions is determined an attacker with a 51% stake can also completely destroy the
by the amount of memory available to hold the processed cryptocurrency, assuming the intentions of the attacker are to
data. Developing ASICs for memory-bound functions is no eradicate the system at any price. PoS also suffers a major
longer advantageous since they can only optimize CPU- flaw known as Nothing at Stake (NoS). This issue can occur if
bound functions. Notable examples of such functions include coincidentally two stakeholders are chosen to validate the next
Scrypt [68], CryptoNight [69], Equihash [70], Ethash [71], block. This may result in two valid blocks that can extend the
and Dagger [72]. However, the proposed memory-bound PoW blockchain. As a result, a fork may occur to the blockchain
have not been proven to be completely successful. As a as the miners accept both blocks. To resolve the fork, the
result, more effort has been exerted to implement alternative validators vote on both branches. Voting is done at no cost
chain-based PoW algorithms. For example, combinations of which may be an incentive for a malicious validator to vote
hashing algorithms such as X11 [73] and X12-X17 [74] have for a specific path of the blockchain and facilitate a double-
been used in other PoWs where, 11-17 different hashing spending attack.
algorithms would be used together and the result of each These issues resulted in PoS to start appearing in multiple
subalgorithm is fed as input to the next subalgorithm. Other flavors. Its first implementation appeared in a Bitcoin fork,
notable chain-based PoW examples also include Lyra2RE [75] namely Peercoin [78], which incorporates a chain-based PoS,
and Quark [76] that use 5 and 6 different hashing functions a hybrid of an energy-efficient PoS and the original PoW
respectively. Unfortunately, the limitations still remain. As a that runs SHA256. PoW was used initially as a method of
result, consensus algorithms have evolved to pseudo-randomly coin generation and distribution to get the system running.
select a single validator to generate the next block of the As time progressed, PoW was slowly replaced by PoS to
blockchain. Some widely implemented protocols are described validate transactions, mint new coins and maintain consensus.
below. The validators are chosen based on the number of coins in
Proof-of-Stake (PoS): PoS is an alternative consensus algo- their possession and their corresponding age (i.e. a timestamp
rithm that was initially suggested in [77]. In contrast to PoW, indicating how old the coins are). Once they are granted a
PoS is dependent on economic stakes of users (i.e. holdings reward in return for their service, the age of their coins goes
in cryptocurrency) rather than their computational resources. back to zero to give other validators a chance to generate the
The algorithm deterministically selects a user with significant next block. By that, no single validator can monopolize the
holdings to validate the next block. In return, the selected validation process.
validator is rewarded a certain value of the cryptocurrency Later, modified versions of PoS were implemented into
similar to the mining reward in PoW and all the transaction some cryptocurrencies. In [79], the age of the coins was
fees included in the block. Conceptually, a user holding x% removed as it was argued to be abusive to the system. It can
of the total available cryptocurrency will be chosen x% of the help gain significant network weight and facilitate a double-
time as the validator in generating the next block. Once the spending attack. In some cases, it may also discourage honest
block is generated, the validator relays it to the other validators users from staking persistently as they would hold back until
to confirm it and extend the blockchain. their coins are oldest in age to maximize their chances. In
PoS has multiple benefits in comparison to PoW. Users are addition, Tendermint [80] and Casper The Friendly Ghost
no longer required to consume substantial amount of electricity (CTFG) [81] introduced a BFT-style PoS algorithm. In such
since they no longer engage in a mining process. In fact, PoS, a validator is selected randomly to propose the next
they are motivated to take part in the validation process as block, however, they include a process where all validators
it requires nothing more than presenting their wealth in return engage in a multi-round process to vote on a specific block at
for a reward if chosen to be the validator. In contrast to PoW, each round. Moreover, in [82], a delegated-style PoS (DPoS)
PoS significantly speeds up the consensus process. From a was proposed where the users vote for validators (referred
security perspective, PoS tackles the 51% attack by making it to as witnesses). Each vote has a different strength based
more expensive than performing it in a PoW environment. An on the stake of the user. However, this requires users to
attacker would need to possess 51% of the total cryptocurrency completely trust the validators they vote for. Notable examples
available to perform the majority attack. Assuming a single that implement DPoS include EOS [83] and Tron [84].
user possesses 51% of the total cryptocurrency and performs Proof-of-Activity (PoA): PoA is a consensus algorithm that
the attack, the value of the cryptocurrency will drop and the combines PoW and PoS into one protocol [85]. Its purpose
attacker would suffer most being the majority stakeholder. In is to reward only the online participators, thus motivate more
comparison to PoW, the majority attack requires 51% of the miners to remain online in an effort to secure the network.
total mining power which is theoretically achievable through The protocol is analogous to the lottery where the chances of
mining pools. This incident previously occurred in the mining winning of an individual are based on the number of tickets
environment of Bitcoin as a mining pool (Ghash.IO) exceeded the individual holds.
the 51% threshold. In PoA, miners first utilize their computational power
Although PoS could handle some issues caused by PoW, to compete in generating an empty block header; one that
it also introduced some major challenges. The largest stake- does not reference any transactions. A successful miner then
holders will be able to monopolize the consensus procedure immediately broadcasts the resulting hash to the network.
as they will always be selected and earn the reward. This will This hash value is used to deterministically derive N pseudo-
create a centralized consensus environment. In addition to this, random stakeholders who are potential miners if found to be
Things Journal
online. The derivation of these N stakeholders is performed by to PoS, it saves the miners the hassle of buying hardware to
hashing a concatenation of the broadcast hash value, the hash physically perform mining.
of the previous block, and N fixed suffix values. The protocol
then invokes a subroutine known as follow-the-satoshi once B. Altcoin Privacy
for each derived value. The subroutine finds the block storing
a satoshi with the same index as the result. Next, it inspects the Privacy is one of the most important issues of cryptocur-
block in which the satoshi was minted and traces its movement rencies. Below, we describe some notable protocols that have
up until its last owner. If online, this owner participates in been implemented in altcoins.
the next block generation process that extends the blockchain. Zero-Knowledge Proofs: Zero-knowledge proofs have been
Similar to PoS, the more satoshis an individual owns, the more implemented into some altcoins to provide private transactions.
likely that the individual will be selected randomly in this They allow a prover to convince a verifier that numbers in
process. transactions exist without revealing any information about
Every stakeholder then checks the validity of the empty the actual numbers. Notable variants of such proofs have
block header that was initially broadcast. Using this value been implemented such as zk-SNARKs [86], zk-STARKs [87],
they also check whether they were one of the N selected and BulletProofs [88]. In comparison to zk-SNARKs, both
validators. The first N − 1 lucky stakeholders sign the hash of zk-STARKs and BulletProofs do no require a trusted entity
the empty block header with the private key that controls the during the setup phase and provide a smaller size of proof,
satoshi derived from follow-the-satoshi subroutine. Next, they making the size of transactions smaller. However, the verifier
broadcast their signature to the network. The N th stakeholder computational complexity of zk-SNARKs is lower.
then generates a wrapped block that extends the empty block PrivateSend: PrivateSend is an altcoin joint transaction pro-
header by including the desired transactions to be verified, the tocol [89] that combines identical inputs from various users
N −1 signatures, and his/her own signature for this block. The into one transaction with multiple outputs. A user initially
wrapped block is finally broadcast to the network to extend reaches out to a random master node requesting mixing
the blockchain. The transaction fees that the N th stakeholder specific denominations of a certain amount of coins. The
collects from the included transactions are shared among the master node then announces that it is willing to accept other
miner and the N participators. coins of identical quantities and denominations to be mixed
From a security perspective, PoA makes the 51% attack into a transaction. Once the master node receives enough
more difficult than PoW and PoS since a large computational requests, the involved users specify their full list of inputs and
power and a significant stake are both required in PoA. outputs they wish to be mixed. The inputs specify the coins
Proof-of-Burn (PoB): PoB is an algorithm that achieves to be mixed while the outputs specify the output addresses of
consensus by burning a portion of a cryptocurrency. Burning users where they wish to receive the mixed coins. The master
a portion of cryptocurrency means generating a transaction node then puts all inputs and outputs into a joint transaction
with this portion destined to an inaccessible address by all and sends it to the involved users. The users validate the
users. The concept of burning is analogous to buying expensive transaction and sign their inputs and return it to the master
computational hardware in PoW. node. The master node finally broadcasts the transaction to the
In general, a miner burns portions of his/her holdings and network which is treated as any other transaction. However,
waits a certain period of time. This time ensures that it is PrivateSend is not a completely decentralized protocol and
impractical for an attacker to undo the transaction. After can jeopardize the anonymity of the user since it involves a
waiting, the transaction is permanently stored in the blockchain centralized node.
and becomes visible to all observers. This is proof that the CryptoNote: CryptoNote is a privacy-preserving protocol
potential miner has invested a portion of his/her holdings and embedded in some cryptocurrency implementations that strive
is worthy of being a miner. Honest miners will burn portions to hide the connection between a sender and receiver from
of their holdings that are less than or equivalent to what they the rest of the network [69]. The protocol protects the identity
can return in the mining process if successful. In other words, of the sender by utilizing ring signatures [90] when signing
if miners burn more than what they are expected to return in transactions. The public key of the sender is shuffled with
a successful mining process, they will spend more than what public keys of other senders, giving all keys equal probability
they earned, hence a loss. of being linked to a transaction. In this way, an attacker has
The potential miners then create candidate blocks in an ef- no way of identifying the private key used during transaction
fort to extend the blockchain. By referencing their transactions signing, hence identifying the sender. It also generates a
in the blockchain, they can prove that they have burnt some of unique public key for the receiver with each new incoming
their holdings earlier, thus become accepted by the community transaction. Using random data generated by the sender and
as miners. The winning block that extends the blockchain is the public key of the receiver, a one-time unique pair of
chosen by allocating the miner that has burnt the most after a private and public keys is generated via Diffie-Hellman key
certain period of time. exchange [91]. These keys are used to claim the transaction
From a security perspective, this algorithm can achieve the output by the receiver. However, since CrypoNote does not
same security as its predecessor algorithms. It requires a miner reveal the information of transactions, verifying transactions
to perform an expensive task (burning) that is easily verified becomes a challenge. To handle this issue, a modified version
by all other participators observing the blockchain. Similar of the original traceable ring signature [92] is utilized.
Things Journal
C. Mimblewimble Governments have also shown interest in blockchain. A

Similar to CryptoNote, Mimblewimble [93] is a proto- good example is clearly illustrated in applications such as
col that hides connections between senders and recievers. electronic voting where a high degree of transparency and im-
It eliminates the inputs and outputs in the UTXO design mutability is required [101], [102]. Votes could be stored over
model replacing them with a single multisignature known as the blockchain allowing the tallying process to be performed
confidential transactions. The multisignature uses the Pedersen within seconds. Blockchain can also provide voter verifiability
Commitment scheme and is generated by both sender and that is an imperative feature to trust election results.
receiver. Both parties share a blinding factor used to encrypt
all inputs and outputs of their transaction, and their private and IX. C ONCLUSION
public keys. Using the Pedersen Commitment, the blockchain Since the inception of Bitcoin, the cryptocurrency market
nodes can deduct the encrypted amounts from both inputs and has grown aggressively. It has also raised serious questions,
outputs to ensure that the coins actually exist. As a result, in particular, are cryptocurrencies the future of monetary
the transaction amounts remain completely obscured from the systems? We strived to address this enigma from a technical
entire network, providing privacy to both users. perspective by focusing on the security concerns, privacy
issues, and their trade-offs versus the transaction delay of
VIII. F UTURE R ESEARCH DIRECTIONS Bitcoin. These concerns are key factors in determining the
Following Bitcoin, some blockchain systems began incor- future of cryptocurrencies. To address these concerns, we first
porating smart contracts to provide services besides simple introduced the background of Bitcoin and explicated its major
payments, for example, Ethereum [94]. A smart contract building blocks and protocols. Next, we delved into crucial se-
is a self-executing code that is stored and processed over curity concerns. We began by discussing the double-spending
the blockchain. These contracts allow users to negotiate and attack and analyzing its probability of success. Using this
come to agreements without needing a trusted third party. analysis, we further evaluated the profitability of a potential
They may significantly facilitate payments that require certain attack. We showed that anyone in possession of less than half
prerequisites before initiating transactions. Similar to Bitcoin of the total computational power will eventually lose at some
transactions, when smart contracts are deployed over the point while performing the attack. In addition, we explored the
blockchain and executed by miners, the result is immutable major network-related security issues of the underlying peer-
and irreversible. However, in comparison to Bitcoin, they to-peer network. Our discussion showed that these network
present new security and privacy concerns as they require attacks are inevitable since there is no method to restrict
faultlessness. Once deployed over the blockchain, smart con- malicious nodes from connecting to the network. We further
tracts cannot be altered and will continue to exist indefinitely. explored storage security by investigating the wallet infrastruc-
Inappropriately implemented smart contracts may fall victims tures and the different modes of storage. We concluded that
to attacks [95] that may jeopardize the security and privacy of there is a trade-off between storage security and practicality.
users. Beyond the security issues that Bitcoin suffers, we investigated
Interestingly, since the outset of smart contracts, various the privacy limitations inherent to the system. We debunked
blockchain-based applications began to evolve beyond finan- the misconception of Bitcoin anonymity and reviewed major
cial services [96]. The main purpose of these applications is methods for privacy protection. We also looked to expand
to make use of the permanent, transparent, and irreversible the reader’s knowledge of emerging altcoins with advanced
features of blockchain. These applications are emerging in security and privacy features.
various domains. Extensive research is still needed in the blockchain space
From a commercial standpoint, blockchain could be useful to fully understand and enhance the security and privacy of
in any industry that applies supply chain in its manufacturing such applications. Though many applications aim at further
process. For example, the automobile industry could reduce the enhancing security and/or privacy, the users remain skeptical
number of recalls when a part is found to be faulty by storing due to various application specific requirements. As research
all automobile parts and their data as they change with time advances in these fields, it is possible that blockchain-based
over the blockchain. Tracing the data of a certain part over the systems may help revolutionize and supersede the centralized
blockchain starting from its origin would then allow a manu- systems we rely on today.
facturer to come to conclusions and enhance future decision
making. Similarly, blockchain could be used to trace sensor R EFERENCES
data and mitigate its duplication in IoT applications [97].
[1] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system.” https:
The healthcare industry is another popular area that could //bitcoin.org/bitcoin.pdf, 2008.
potentially benefit from blockchain. Patient data could be [2] S. Haber and W. S. Stornetta, “How to time-stamp a digital docu-
stored over the blockchain thus help doctors trace back the ment,” in Conference on the Theory and Application of Cryptography,
pp. 437–455, Springer, 1990.
entire history of a patient in just a few seconds and assist [3] D. Bayer, S. Haber, and W. S. Stornetta, “Improving the efficiency
them with making more efficient treatment decisions [98]– and reliability of digital time-stamping,” in Sequences II, pp. 329–334,
[100]. On larger scales, the stored patient data could even be Springer, 1993.
[4] S. Haber and W. S. Stornetta, “Secure names for bit-strings,” in
used to potentially enhance research that focuses on predicting Proceedings of the 4th ACM Conference on Computer and Commu-
medical patterns among patients. nications Security, pp. 28–35, ACM, 1997.
Things Journal
[5] H. Massias, X. S. Avila, and J.-J. Quisquater, “Design of a secure [38] E. Sit and R. Morris, “Security considerations for peer-to-peer dis-
timestamping service with minimal trust requirement,” in the 20th tributed hash tables,” Peer-to-Peer Systems, pp. 261–269, 2002.
Symposium on Information Theory in the Benelux, Citeseer, 1999. [39] M. Apostolaki, A. Zohar, and L. Vanbever, “Hijacking bitcoin: Routing
[6] G. Karame, E. Androulaki, and S. Capkun, “Two bitcoins at the price attacks on cryptocurrencies,” 2017 IEEE Symposium on Security and
of one? double-spending attacks on fast payments in bitcoin.,” IACR Privacy (SP), pp. 375–392, IEEE, 2017.
Cryptology ePrint Archive, vol. 2012, no. 248, 2012. [40] Y. Rekhter, T. Li, and S. Hares, “A border gateway protocol 4 (bgp-4),”
[7] M. Crosby, P. Pattanayak, S. Verma, and V. Kalyanaraman, “Blockchain tech. rep., 2005.
technology: Beyond bitcoin,” Applied Innovation, vol. 2, pp. 6–10, [41] A. M. Antonopoulos, Mastering Bitcoin: unlocking digital cryptocur-
2016. rencies.” O’Reilly Media, Inc.”, 2014.
[8] L. Dashjr, “BIP process, revised.” https://github.com/bitcoin/bips/wiki/ [42] P. Wuille, “Hierarchical deterministic wallets.” https://github.com/
Comments:BIP-0002, 2016. bitcoin/bips/wiki/Comments:BIP-0032, 2012.
[9] G. Hileman and M. Rauchs, “Global cryptocurrency benchmarking [43] M. Palatinus, P. Rusnak, A. Voisine, and S. Bowe, “Mnemonic code
study,” Cambridge Centre for Alternative Finance, 2017. for generating deterministic keys.” https://github.com/bitcoin/bips/wiki/
[10] “Coin Market Capital.” https://coinmarketcap.com/, 2018. Comments:BIP-0039, 2013.
[11] D. Chaum, “Blind signatures for untraceable payments,” in Advances [44] G. Andresen, “Pay to script hash.” https://github.com/bitcoin/bips/wiki/
in cryptology, pp. 199–203, Springer, 1983. Comments:BIP-0016, 2012.
[12] D. Chaum, A. Fiat, and M. Naor, “Untraceable electronic cash,” in [45] M. Caldwell and A. Voisine, “Passphrase-protected private key.” https:
Proceedings on Advances in cryptology, pp. 319–327, Springer-Verlag //github.com/bitcoin/bips/wiki/Comments:BIP-0038, 2012.
New York, Inc., 1990. [46] J. Daemen and V. Rijmen, The design of Rijndael: AES-the advanced
[13] W. Dai, “b-money.” http://www.weidai.com/bmoney.txt, 1998. encryption standard. Springer Science & Business Media, 2013.
[14] R. C. Merkle, “A digital signature based on a conventional encryption [47] Coinbase, “Coinbase - buy/sell digital currency.” https://www.coinbase.
function,” Conference on the Theory and Application of Cryptographic com, 2018.
Techniques, pp. 369–378, Springer, 1987. [48] Blockchain, “Bitcoin block explorer - blockchain.” https://blockchain.
[15] D. R. L. Brown, “SEC 2: Recommended elliptic curve domain param- info, 2018.
eters,” tech. rep., Certicom Research, 2010. [49] Ledger, “Ledger wallet - hardware wallets - smartcard security for your
[16] J. R. Douceur, “The sybil attack,” International Workshop on Peer-to- bitcoins.” https://www.ledgerwallet.com, 2018.
Peer Systems, pp. 251–260, Springer, 2002. [50] SatoshiLabs, “Trezor bitcoin wallet — the original and most secure
[17] J. Poon and T. Dryja, The bitcoin lightning network: Scalable off-chain hardware wallet.” https://trezor.io, 2018.
instant payments, 2016. [51] “Bitcoin Developer Guide.” https://bitcoin.org/en/developer-guide#
[18] M. Rosenfeld, “Analysis of bitcoin pooled mining reward systems,” wallets, 2017.
arXiv preprint arXiv:1112.4980, 2011. [52] A. Narayanan and V. Shmatikov, “De-anonymizing social networks,”
[19] S. Pool, “Reward system.” https://slushpool.com/help/manual/rewards, in Security and Privacy, 2009 30th IEEE Symposium on, pp. 173–187,
2017. IEEE, 2009.
[20] T. B. C. developers, “bitcoin/bitcoin.” https://github.com/bitcoin/ [53] D. J. Crandall, L. Backstrom, D. Cosley, S. Suri, D. Huttenlocher, and
bitcoin, 2017. J. Kleinberg, “Inferring social ties from geographic coincidences,” 2010
[21] A. Loibl, “Namecoin,” Network Architectures and Services, vol. 107, National Academy of Sciences, vol. 107, no. 52, pp. 22436–22441.
2014. [54] R. Puzis, D. Yagil, Y. Elovici, and D. Braha, “Collaborative attack on
[22] J. Hilliard, “Reduced threshold segwit masf.” https://github.com/ internet users’ anonymity,” Internet Research, vol. 19, no. 1, pp. 60–77,
bitcoin/bips/wiki/Comments:BIP-0091, 2017. 2009.
[23] P. Wuille, “Segregated witness and its impact on scalability,” SF Bitcoin [55] A. Korolova, R. Motwani, S. U. Nabar, and Y. Xu, “Link privacy
Devs Seminar, 2015. in social networks,” in Proceedings of the 17th ACM conference on
[24] H. Finney, “Best practice for fast transaction acceptance - how high Information and knowledge management, pp. 289–298, ACM, 2008.
is the risk?’.” https://bitcointalk.org/index.php?topic=3441.msg48384# [56] R. Dingledine, N. Mathewson, and P. Syverson, “Tor: The second-
msg48384, Feb. 2011. generation onion router,” tech. rep., Naval Research Lab Washington
[25] K. Sigman, “Gambler’s Ruin Problem.” http://www.columbia.edu/ DC, 2004.
∼ks20/FE-Notes/4700-07-Notes-GR.pdf. [57] J. Ren and J. Wu, “Survey on anonymous communications in computer
[26] A. P. Ozisik and B. N. Levine, “An explanation of nakamoto’s analysis networks,” Computer Communications, vol. 33, pp. 420–431, March
of double-spend attacks,” arXiv preprint arXiv:1701.03977, 2017. 2010.
[27] M. Rosenfeld, “Analysis of hashrate-based double spending,” arXiv [58] A. Biryukov, D. Khovratovich, and I. Pustogarov, “Deanonymisation of
preprint arXiv:1402.2009, 2014. clients in bitcoin p2p network,” Proceedings of the 2014 ACM SIGSAC
[28] “Mining hardware comparison.” https://en.bitcoin.it/wiki/Mining Conference on Computer and Communications Security, pp. 15–29,
hardware comparison, 2017. ACM, 2014.
[29] “Non-specialized hardware comparison.” https://en.bitcoin.it/wiki/ [59] A. Biryukov and I. Pustogarov, “Bitcoin over Tor isn’t a good idea,”
Non-specialized hardware comparison, 2017. Security and Privacy (SP), 2015 IEEE Symposium on, pp. 122–134,
[30] “U.S. energy information administration.” https://www.eia.gov/ 2015.
electricity/monthly/epm table grapher.php?t=epmt 5 6 a. [60] G. Maxwell, “Coinswap: Transaction graph disjoint trustless trading.”
[31] J. Bonneau, “Why buy when you can rent?,” in International Confer- https://bitcointalk.org/index.php?topic=321228.0, 2013.
ence on Financial Cryptography and Data Security, 2016. [61] E. Heilman, L. Alshenibr, F. Baldimtsi, A. Scafuro, and S. Goldberg,
[32] I. Eyal and E. Sirer, Majority is not enough: Bitcoin mining is “Tumblebit: An untrusted bitcoin-compatible anonymous payment
vulnerable, International conference on financial cryptography and data hub,” in Network and Distributed System Security Symposium, 2017.
security, 436–454, 2014. [62] G. Maxwell, “Coinjoin: Bitcoin privacy for the real world,” in Post on
[33] B. Johnson, A. Laszka, J. Grossklags, M. Vasek, and T. Moore, Bitcoin Forum, 2013.
“Game-theoretic analysis of ddos attacks against bitcoin mining pools,” [63] C. Willson and A. Taaki, “Dark wallet.” https://www.darkwallet.is/,
Financial Cryptography and Data Security 2014, pp. 72–86, Springer, 2017.
2014. [64] T. Ruffing, P. Moreno-Sanchez, and A. Kate, “Coinshuffle: Practical
[34] M. Vasek, M. Thornton, and T. Moore, “Empirical analysis of denial- decentralized coin mixing for bitcoin,” in European Symposium on
of-service attacks in the bitcoin ecosystem,” Financial Cryptography Research in Computer Security, pp. 345–364, Springer, 2014.
and Data Security 2014, pp. 57–71, Springer, 2014. [65] H. Corrigan-Gibbs and B. Ford, “Dissent: accountable anonymous
[35] E. Heilman, A. Kendler, A. Zohar, and S. Goldberg, “Eclipse attacks group messaging,” in Proceedings of the 17th ACM conference on
on bitcoin’s peer-to-peer network.,” in USENIX Security Symposium, Computer and communications security, pp. 340–350, ACM, 2010.
pp. 129–144, 2015. [66] A. Gibson and C. Belcher, “Joinmarket.” https://github.com/
[36] M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. S. Wallach, JoinMarket-Org/JoinMarket-Docs/blob/master/High-level-design.md,
“Secure routing for structured peer-to-peer overlay networks,” ACM 2017.
SIGOPS Operating Systems Review, vol. 36, no. SI, pp. 299–314, 2002. [67] G. Hardin, “The tragedy of the commons,” Journal of Natural Re-
[37] A. Singh, T. wan Ngan, P. Druschel, and D. S. Wallach, “Eclipse attacks sources Policy Research, vol. 1, no. 3, pp. 243–253, 2009.
on overlay networks: Threats and defenses,” in In IEEE INFOCOM, [68] C. Percival, “Stronger key derivation via sequential memory-hard
Citeseer, 2006. functions,” Self-published, pp. 1–16, 2009.
Things Journal
[69] N. v. Saberhagen, “Crypto note v 2.0,” HYPERLINK [101] P. McCorry, S. F. Shahandashti, and F. Hao, “A smart contract for
https://cryptonote.org/whitepaper. pdf, 2013. boardroom voting with maximum voter privacy,” in Financial Cryp-
[70] A. Biryukov and D. Khovratovich, “Equihash: Asymmetric proof-of- tography and Data Security 2020, pp. 357–375, Springer, 2017.
work based on the generalized birthday problem,” Ledger, vol. 2, pp. 1– [102] E. Zaghloul, T. Li, and J. Ren, “Anonymous and coercion-resistant
30, 2017. distributed electronic voting,” in IEEE ICNC 2020, 2020.
[71] J. Ray, “Ethash.” https://github.com/ethereum/wiki/wiki/Ethash, 2018.
[72] V. Buterin, “Dagger: A memory-hard to compute, memory-easy to Ehab Zaghloul received his B.S. and M.Sc degrees
verify scrypt alternative,” tech. rep., Technical Report, 2013. URL in Computer Engineering from Arab Academy for
http://www.hashcash.org/papers/dagger. html, 2013. Science and Technology (AAST), Alexandria, Egypt
[73] B. Kiraly, “X11.” https://dashpay.atlassian.net/wiki/spaces/DOC/pages/ in 2012 and 2015 respectively. He earned his Ph.D.
1146918/X11, 2017. degree in Electrical and Computer Engineering at
[74] PiMP, “Blog: What are all these x11, x13, x15 algorithms made of?.” Michigan State University (MSU), East Lansing,
https://getpimp.org, 2017. USA. His research interests include applied cryp-
[75] “Lyra2re.” https://en.bitcoinwiki.org/wiki/Lyra2RE, 2019. tography, secure and private cloud data sharing,
[76] “Quark algorithm.” https://en.bitcoinwiki.org/wiki/Quark Algorithm, cryptocurrencies, and blockchain.
2018.
[77] Q. Mechanic, “Proof of stake instead of proof of work.” https://
bitcointalk.org/index.php?topic=27787.0, 2011.
Tongtong Li (SM’08) received her Ph.D. degree in
[78] S. King and S. Nadal, “Ppcoin: Peer-to-peer crypto-currency with
Electrical Engineering in 2000 from Auburn Univer-
proof-of-stake,” self-published paper, August, vol. 19, 2012.
sity. From 2000 to 2002, she was with Bell Labs, and
[79] P. Vasin, “Blackcoin’s proof-of-stake protocol v2,” 2014. had been working on the design and implementation
[80] J. Kwon, “Tendermint: Consensus without mining,” Draft v. 0.6, fall, of 3G and 4G systems. Since 2002, she has been
vol. 1, no. 11, 2014. with Michigan State University, where she is now an
[81] V. Zamfir, “Casper the friendly ghost: A correct by construc- Associate Professor. Prof. Li’s research interests fall
tion blockchain consensus protocol,” Whitepaper: https://github.com/ into the areas of wireless and wired communications,
ethereum/research/blob/master/papers/caspertfg/caspertfg.pdf, 2017. wireless security, information theory and statistical
[82] D. Larimer, “Delegated proof-of-stake (dpos),” Bitshare whitepaper, signal processing, with applications in neuroscience.
2014. She is a recipient of a National Science Foundation
[83] “Eos.io technical white paper v2.” https://github.com/EOSIO/ (NSF) CAREER Award (2008) for her research on efficient and reliable
Documentation/blob/master/TechnicalWhitePaper.md, 2018. wireless communications. Prof. Li served as an Associate Editor for IEEE
[84] T. Foundation, “Tron protocol version: 3.2.” https://tron.network/static/ Signal Processing Letters from 2007-2009, and an Editorial Board Member
doc/white paper v 2 0.pdf, 2018. for EURASIP Journal Wireless Communications and Networking from 2004-
[85] I. Bentov, C. Lee, A. Mizrahi, and M. Rosenfeld, “Proof of activity: 2011. She served as an Associate Editor for IEEE Transactions on Signal
Extending bitcoin’s proof of work via proof of stake [extended abstract] Processing from 2012-2016.
y,” ACM SIGMETRICS Performance Evaluation Review, vol. 42, no. 3,
pp. 34–37, 2014. Matt W. Mutka received the B.S. degree in elec-
[86] E. Ben-Sasson, A. Chiesa, E. Tromer, and M. Virza, “Succinct non- trical engineering from the University of Missouri-
interactive zero knowledge for a von neumann architecture.,” in Rolla, the M.S. degree in electrical engineering from
USENIX Security Symposium, pp. 781–796, 2014. Stanford University, and the Ph.D. degree in Com-
[87] E. Ben-Sasson, I. Bentov, Y. Horesh, and M. Riabzev, “Scalable, puter Sciences from the University of Wisconsin-
transparent, and post-quantum secure computational integrity.,” IACR Madison. He is a Professor on the faculty of the
Cryptology ePrint Archive, vol. 2018, p. 46, 2018. Department of Computer Science and Engineering
[88] B. Bünz, J. Bootle, D. Boneh, A. Poelstra, P. Wuille, and G. Maxwell, at Michigan State University (MSU) and is cur-
“Bulletproofs: Short proofs for confidential transactions and more,” rently serving as a Program Director at the National
2018 IEEE Symposium on Security and Privacy (SP), pp. 315–334, Science Foundation (NSF) within the Division of
2018. Computer and Networks Systems (CNS) of the Di-
[89] B. Kiraly, “Privatesend.” https://dashpay.atlassian.net/wiki/spaces/ rectorate for Computer and Information Science and Engineering (CISE).
DOC/pages/1146924/PrivateSend, 2017. He served as Chairperson of the MSU Department of Computer Science
[90] R. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” Advances and Engineering from 2007-2017. He has been a visiting scholar at the
in Cryptology—ASIACRYPT 2001, pp. 552–565, 2001. University of Helsinki, Helsinki, Finland, and a member of technical staff at
[91] W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Bell Laboratories in Denver, Colorado. He is an IEEE Fellow and was honored
Transactions on Information Theory, vol. 22, no. 6, pp. 644–654, 1976. with the MSU Distinguished Faculty Award. His current research interests
[92] E. Fujisaki and K. Suzuki, “Traceable ring signature,” in Public Key include mobile computing, sensor networking and wireless networking.
Cryptography, vol. 4450, pp. 181–200, Springer, 2007.
[93] T. E. Jedusor, “Mimblewimble,” 2016. Jian Ren (SM’09) received the BS and MS de-
[94] G. Wood, “Ethereum: A secure decentralised generalised transaction grees both in mathematics from Shaanxi Normal
ledger,” Ethereum project yellow paper, vol. 151, pp. 1–32, 2014. University, and the Ph.D. degree in EE from Xidian
[95] K. Zipfel, “Smart contract attack vectors.” https://github.com/ University, China. He is an Associate Professor in
KadenZipfel/smart-contract-attack-vectors, 2019. the Department of ECE at Michigan State University.
[96] S. Aggarwal, R. Chaudhary, G. S. Aujla, N. Kumar, K.-K. R. Choo, His current research interests include network se-
and A. Y. Zomaya, “Blockchain for smart communities: Applications, curity, cloud computing security, privacy-preserving
challenges and opportunities,” J. of Network and Computer Applica- communications, distributed network storage, and
tions, 2019. Internet of Things. He is a recipient of the US
[97] I. Makhdoom, M. Abolhasan, H. Abbas, and W. Ni, “Blockchain’s National Science Foundation Faculty Early Career
adoption in IoT: The challenges, and a way forward,” Journal of Development (CAREER) award in 2009. Dr. Ren
Network and Computer Applications, vol. 125, pp. 251–279, 2019. served as the TPC Chair of IEEE ICNC’17, General Chair of ICNC’18
[98] A. Azaria, A. Ekblaw, T. Vieira, and A. Lippman, “Medrec: Using and Executive Chair of ICNC’19 and ICNC’20. Currently Dr. Ren serves
blockchain for medical data access and permission management,” in as an Associate Editor for IEEE Transactions on Mobile Computing (TMC),
Open and Big Data (OBD), pp. 25–30, IEEE, 2016. IEEE Internet of Things Journal (IoT), ACM Transactions on Sensor Networks
[99] E. Zaghloul, T. Li, M. W. Mutka, and J. Ren, “d-MABE: Distributed (TOSN) and a Senior Associate Editor for IET Communications. Dr. Ren is a
multilevel attribute-based emr management and applications,” IEEE senior member of the IEEE.
Transactions on Service Computing, accepted, to appear.
[100] T. McGhin, K.-K. R. Choo, C. Z. Liu, and D. He, “Blockchain
in healthcare applications: Research challenges and opportunities,”
Journal of Network and Computer Applications, 2019.

rp4

Uploaded by

Document Informationclick to expand document information

Copyright:

Available Formats

rp4

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

rp4

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

Bitcoin and Blockchain: Security and Privacy

Fig. 2. A Merkle tree within a block.

the block header of a block to be mined and chained to the

requires hash computations.

adjusting all the subsequent chained blocks.

in mining the block first. A transaction with low or no fees

fees to maximize the profit that a miner can turn if successful

releases a transaction into the network that pays v BTC to the

The profit/loss can be formulated from equations (26) and

will intercept the requested message (getdata) and modify the

and cause the receiving node to resend a request message. As

C. Mimblewimble Governments have also shown interest in blockchain. A

You might also like