CS 731: Blockchain 

Technology And 
Applications
Sandeep K. Shukla
IIT Kanpur

C3I Center
Blockchain evolving from simple ledgers, to cryptlets that fetch trusted and
agreed-upon external data needed to execute Smart Contracts

Smart Contracts are unable to access external data or events based on time or market conditions. Calling code or data outside
of a Smart Contract or blockchain breaks the general trust barrier and authenticity of transactions. Cryptlets will allow the
blockchain to access external data securely, while maintaining the integrity of the blockchain.

Source: Cale Teeter
Acknowledgement

• The material of this lecture material is 
mostly due to Prof. Arvind Narayanan’s 
Lecture at Princeton and his book on 
Bitcoin  
Centralization vs. decentralization
Centralization vs. decentralization
Centralization has many advantages
Easy to manage
Easy to provision
Easy to ban
Easy to distribute responsibility …
Decentralizaton
Harder to manage
Harder to distribute work
Harder to ban
Harder to provision
But centralization has a single trusted party – weakness
Decentralization may be mixed with partial
centralization

E-mail:
decentralized protocol, but dominated by
centralized webmail services
Decentralization in Blockchain
1. Who maintains the ledger?
2. Who has authority over which transactions are valid?
3. Who creates new bitcoins?
4. Who determines how the rules of the system change?
5. How do bitcoins acquire exchange value?

Beyond the protocol:

exchanges, wallet software, service providers...
Decentralization in Bitcoin
Peer-to-peer network:
open to anyone, low barrier to entry

Mining:
open to anyone, but inevitable concentration of power
often seen as undesirable

Updates to software:
core developers trusted by community, have great
power
Distributed consensus
Bitcoin’s key challenge

Key technical challenge of decentralized

digital cash

distributed consensus
Why consensus protocols?

Traditional motivation: fault-tolerance in distributed

systems

Distributed hash tables

Distributed DNS, public key directory,

stock trades …
Defining distributed consensus

The protocol terminates and all correct nodes decide on the

same value

This value must have been proposed by some correct node

 peer-to-peer system
When You want to pay Ravi:
you broadcast the transaction to every node in the
network:

signed by you
Pay to pkRavi : H( )

Note: Ravi’s Computer may not be connected to

the network at the transaction time
Bitcoin Blockchain Growth Dynamics

At any given time:

● All nodes have a sequence of blocks of transactions

they’ve reached consensus on
● Each node has a set of outstanding transactions it’s
heard about
Bitcoin Blockchain Growth Dynamics
Tx
Tx
…
Tx This Photo by Unknown 
Tx Tx Tx Author is licensed under CC 
BY‐ND
Tx Tx Tx
… … …
Tx Tx Tx Consensus
protocol

Tx Tx This Photo by Unknown 
Author is licensed under 
Tx Tx CC BY

… …
This Photo by Unknown Author is licensed 
under CC BY‐ND
Tx Tx

OK to select any valid block, even if proposed

by only one node
Why consensus is hard
Nodes may crash
Nodes may be malicious

Network is imperfect
• Not all pairs of nodes connected
• Faults in network
• Latency

No notion of global time

Many impossibility results

• Byzantine generals problem

• Fischer-Lynch-Paterson (deterministic nodes):

consensus impossible even with a single faulty
node
Some well-known protocols

Example: Paxos

Never produces inconsistent result, but can (rarely)

get stuck
Understanding impossibility results

These results say more about the model than about

the problem

The models were developed to study systems like

distributed databases
Bitcoin consensus: theory & practice

Bitcoin consensus works better in practice than in

theory

Theory is still catching up

BUT theory is important, can help predict

unforeseen attacks
Some things Bitcoin does differently

Introduces incentives
• Possible only because it’s a currency!

Embraces randomness
• Eventual consistency – no deadline for consensus
• Consensus happens over long time scales — about 1 hour
Consensus without identity: the
block chain
Why identity?

Pragmatic: some protocols need node IDs

Security: assume less than 50% malicious

Bitcoin nodes have no identities

Identity is hard in a P2P system — Sybil attack

anonymity is a goal of Bitcoin – although what it achieves is

pseudo-anonymity
Select random node

Analogy: lottery or raffle

When tracking and verifying identities is hard, we

give people tokens, tickets, etc.

Now we can pick a random ID and select that node

Key idea: implicit consensus
In each round, random node is picked

This node proposes the next block in the chain

Other nodes implicitly accept/reject this block

• by either extending it
• or ignoring it and extending chain from earlier block

Every block contains hash of the block it extends

Consensus algorithm (simplified)

1. New transactions are broadcast to all nodes

2. Each node collects new transactions into a block
3. In each round a random node gets to broadcast its block
4. Other nodes accept the block only if all transactions in
it are valid (unspent, valid signatures)
5. Nodes express their acceptance of the block by
including its hash in the next block they create
What can a malicious node do?

Double-
signed by A spending
CA → B attack
Pay to pkB : H( )

signed by A
CA → A’

Pay to pkA’ : H( )

Honest nodes will extend the longest valid branch

From Bob the merchant’s point of view
3 confirmations
1 confirmation

CA → B

CA → A’ double-spend
attempt
Double-spend probability
Hear about CA → B transaction decreases exponentially with #
0 confirmations of confirmations

Most common heuristic:

6 confirmations
 Recap

Protection against invalid transactions is cryptographic,

but enforced by consensus

Protection against double-spending is purely by consensus

You’re never 100% sure a transaction is in consensus branch.

Guarantee is probabilistic
Incentives and proof of work
Assumption of honesty is problematic

Can we give nodes incentives for behaving honestly?

Can we reward nodes

that created these blocks?

Can we penalize the node

that created this block?

Everything so far is just a distributed consensus protocol

But now we utilize the fact that the currency has value
Incentive 1: block reward

Creator of block gets to

• include special coin-creation transaction in the block
• choose recipient address of this transaction

Value is fixed: currently 12.5 BTC, halves every 210,000

blocks.

Block creator gets to “collect” the reward only if the block

ends up on long-term consensus branch!
 There’s a finite supply of bitcoins

Total supply: 21 million

Block reward is how

Total bitcoins in circulation

new bitcoins are created

First inflection point: Runs out in 2040.

reward halved from 50BTC No new bitcoins unless rules
to 25BTC change

Year
Incentive 2: transaction fees

Creator of transaction can choose to make

output value less than input value

Remainder is a transaction fee and goes to block

creator

Currently: Purely voluntary, like a tip

Future: May be mandatory
Remaining problems

How to pick a random node?

How to avoid a free-for-all due to rewards?

How to prevent Sybil attacks?

Proof of work

To approximate selecting a random node:

select nodes in proportion to a resource
that no one can monopolize

• In proportion to computing power: proof-of-work

• In proportion to ownership: proof-of-stake
Equivalent views of proof of work

Select nodes in proportion to computing power

Let nodes compete for right to create block

Make it moderately hard to create new identities to gain

more computing power – hence higher probability of being
picked
 Hash puzzles
To create block, find nonce s.t.
nonce
H(nonce ǁ prev_hash ǁ tx ǁ … ǁ tx) is very small
prev_h
Tx
Tx
Output space of hash

Target
space

If hash function is secure: only way to succeed is to try enough nonces

until you get lucky : Brute-Force
PoW property 1: difficult to compute

110 x10^18 Hashes per second 
PoW property 2: parameterizable cost

Nodes automatically re-calculate the target every

two weeks

Goal: average time between blocks = 10 minutes

Prob (Alice wins next block) =

fraction of global hash power she controls
Key security assumption

Attacks infeasible if majority of miners weighted by

hash power follow the protocol
Solving hash puzzles is probabilistic

10
minutes
Probability density

Time to next block (entire network)

PoW property 3: trivial to verify

Nonce must be published as part of block

Other miners simply verify that

H(nonce ǁ prev_hash ǁ tx ǁ … ǁ tx) < target
Mining economics

If mining reward hardware +

(block reward + Tx fees) > electricity cost → Profit

Complications:
• fixed vs. variable costs
• reward depends on global hash rate
Putting it all together
Summary

Identities Block chain and

consensus
Transactions
Hash puzzles and
P2P network mining
Bitcoin has three types of consensus

• Value (market value – outside the blockchain

dynamics – based on the market)

• State (Consensus achieved by the blockchain

itself on the state of the ledger)

• Rules (Rules of the blockchain – hard/soft forks

when rules are changed)
Bitcoin mining – security – value cycle

security of
block chain

health of
value of
mining
currency
ecosystem
What can a “51% attacker” do?

Steal coins from existing address? ✗

Suppress some transactions? ✓

• From the block chain
✗
• From the P2P network

Change the block reward? ✗

Destroy confidence in Bitcoin? ✓✓

Remaining questions

How do we get from consensus to currency?

What else can we do with consensus?