Consensus Without Identity

Uploaded by

Pedada Sai kumar
Copyright
© © All Rights Reserved
Consensus without identity: using a block chain

Bitcoin’s consensus algorithm


Nodes and identities
Nodes without persistent identity
• We have to keep in mind that Bitcoin nodes don't have any persistent
long-term identities. This is another difference from how traditional
distributed consensus algorithms operate. If nodes had identities, it would
make things a lot easier:
• it would be possible to include in the protocol specific references to node IDs.
• the system would be more secure. If nodes were identified and weren't able to create
new identities, we could make assumptions about malicious nodes and try to eliminate
them from the network, to be sure that at least 50% of them are not malicious.
Why don't Bitcoin nodes have identities?
• The Bitcoin protocol is a peer-to-peer decentralized system. So there is no central
authority that assigns identities to nodes and verifies that they're not creating
new nodes. This could lead to a Sybil attack: malicious nodes could create a
lot of copies of nodes, all controlled by them, to make it look like there are a lot of
different participants, when in fact all those pseudo-participants are
controlled by the same adversary.
• Pseudo-anonymity is a goal of Bitcoin, so it doesn't assign an immutable
identity, even though that could also be possible in a decentralized system. Bitcoin
doesn't provide strong anonymity, since different transactions of the same
subject can probably be linked together. But, at the same time, it is not
necessary to use a real identity to take part in the network. So an adversary
could trace the transactions and connect them to an "address", but it would be
harder to understand who is really making those transactions.
Ability to check a random node
• Even if Bitcoin nodes don't have an immutable identity, we can make one
assumption. We can suppose that we have the ability to pick a random node and
check it. It is similar to systems such as lotteries, where people are tracked and
verified not through their real identity, but through a ticket or a token assigned
to them to take part in the game.
• For the moment we will assume that there is a similar token generation and
distribution in the Bitcoin protocol. This protocol will ensure that if an
adversary tries to create a lot of Sybil nodes, all of them will just get one token.
So the adversary is not able to multiply his power that way.
Implicit consensus
• Under the assumption of random node selection, it is possible to reach implicit
consensus. Let's define a round as the insertion of a new block into the
blockchain. In each round a random node is somehow selected, and this node
is able to propose the next block to be inserted into the blockchain.
• There is no consensus algorithm and no voting. This node simply unilaterally
proposes what the next block in the blockchain is going to be. The node may be
malicious, so the other nodes implicitly accept or reject its block. The
acceptance is implicit because:
• if other nodes consider the new block valid, they will extend the blockchain starting from
this block
• while if other nodes want to reject the new block, they will continue the blockchain
starting from the previous one
Consensus algorithm
• When Alice wants to pay Bob, she creates a transaction and broadcasts it to all
of the nodes.
• Each node is constantly listening to the network and collecting a list of
transactions not yet inserted into the blockchain.
• At some point, one of these nodes is chosen randomly to propose the next
block. It will put a bunch of transactions in the new block and add it to the
blockchain. This node can be honest, or it can be malicious and try to insert some invalid
transactions. For example, it could insert transactions with an invalid signature or
with coins already spent.
• The other nodes will accept this block or reject it, by either including the hash
of this latest block in their next block or ignoring it. The block is accepted only if
all the transactions in it are valid.
Why does the consensus algorithm work?
Let's see how a malicious adversary could try to subvert this process. If Alice is a
malicious attacker, she could try to:
• steal Bitcoins belonging to another user. She is not able to do this, because
she cannot forge someone else's signature.
• act against another user, Bob. For example, Alice could refuse to insert any
of Bob's transactions into new blocks. But there will be other honest nodes that
will gather Bob's transactions into a new block.
• try to spend some coins twice (double-spending attack).
What can a malicious node do?
[Figure: double-spending attack. Two transactions, each signed by A, spend the same coin: CA → B (Pay to pkB : H( )) and CA → A’ (Pay to pkA’ : H( )).]

• Honest nodes will extend the longest valid branch
• In practice nodes extend the block that they first detect on the peer-to-peer network (not a solid rule)
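The acceptance rules above can be exercised with a small model. This is an added example, not code from the original slides: the `Tx`, `Block` and `Node` classes are hypothetical, and the `sig_ok` flag stands in for real signature verification.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    coin: str      # coin being spent, e.g. "C_A"
    payee: str     # label of the recipient's public key
    sig_ok: bool   # assumption: stand-in for verifying the owner's signature

@dataclass(frozen=True)
class Block:
    prev: str      # hash pointer to the parent block ("" for genesis)
    txs: tuple

    def digest(self):
        return hashlib.sha256(repr((self.prev, self.txs)).encode()).hexdigest()

class Node:
    def __init__(self, genesis):
        self.blocks = {genesis.digest(): genesis}
        self.height = {genesis.digest(): 0}
        self.tip = genesis.digest()    # block this node will extend next

    def receive(self, block):
        """Store the block if it is valid on its own branch; return the verdict."""
        if block.prev not in self.blocks:
            return False
        spent, h = set(), block.prev
        while h:                       # coins already spent on this branch
            spent |= {t.coin for t in self.blocks[h].txs}
            h = self.blocks[h].prev
        for tx in block.txs:
            if not tx.sig_ok or tx.coin in spent:
                return False           # invalid signature or double spend
            spent.add(tx.coin)
        d = block.digest()
        self.blocks[d], self.height[d] = block, self.height[block.prev] + 1
        if self.height[d] > self.height[self.tip]:   # a tie keeps the first-seen tip
            self.tip = d
        return True

def demo():
    g = Block("", ())
    node = Node(g)
    to_bob, to_self = Tx("C_A", "pkB", True), Tx("C_A", "pkA'", True)
    b1 = Block(g.digest(), (to_bob,))
    verdicts = [node.receive(b1),                              # C_A -> B
                node.receive(Block(g.digest(), (to_self,))),   # fork: C_A -> A'
                node.receive(Block(b1.digest(), (to_self,))),  # same branch as C_A -> B
                node.receive(Block(b1.digest(), (Tx("C_X", "pkA'", False),)))]
    return verdicts, node.tip == b1.digest()
```

The second block is accepted because the double spend is valid on its own branch; only consensus on which branch gets extended decides between the two payments.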
From Bob the merchant’s point of view
[Figure: the block chain as Bob sees it. He hears about the CA → B transaction at 0 confirmations; the chain then reaches 1 confirmation and 3 confirmations, while a CA → A’ double-spend attempt sits on a competing branch.]

• Double-spend probability decreases exponentially with # of confirmations
• Most common heuristic: 6 confirmations
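How fast the double-spend probability falls can be computed with the catch-up calculation from section 11 of the Bitcoin whitepaper. This is an added example, not part of the original slides: it goes beyond them by assuming the adversary's node is selected with probability `q` in each round, and it treats `z`, the number of blocks added after the one holding Bob's payment, as the confirmation count.

```python
from math import exp, factorial

def catch_up_probability(q, z):
    """Probability that an adversary selected with probability q per round
    ever overtakes an honest branch that is z blocks ahead (whitepaper sec. 11)."""
    if not 0 <= q < 0.5:
        raise ValueError("the formula assumes the adversary is in the minority")
    p = 1.0 - q                      # probability an honest node is selected
    lam = z * q / p                  # expected adversary progress while Bob waits
    total = 1.0
    for k in range(z + 1):
        poisson = lam ** k * exp(-lam) / factorial(k)
        total -= poisson * (1 - (q / p) ** (z - k))
    return total

def confirmations_needed(q, risk):
    """Smallest z for which the catch-up probability is at most `risk`."""
    z = 0
    while catch_up_probability(q, z) > risk:
        z += 1
    return z

if __name__ == "__main__":
    for z in range(0, 7):
        print(z, f"{catch_up_probability(0.10, z):.7f}")
```

With `q = 0.10` the probability drops from 1.0 at `z = 0` to about 0.0002 at `z = 6`, which is the exponential decay the figure describes.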
Recap

• Protection against invalid transactions is cryptographic, but enforced by consensus

• Protection against double-spending is purely by consensus

• You’re never 100% sure a transaction is in the consensus branch. The guarantee is probabilistic
Incentives and proof of work
Assumption of honesty is problematic
Can we give nodes incentives for behaving honestly?
• Can we reward nodes that created these blocks?
• Can we penalize the node that created this block?

Everything so far is just a distributed consensus protocol. But now we utilize the fact that the currency has value
Incentive 1: Block Reward
Creator of block gets to
• include special coin-creation transaction in the block
• choose recipient address of this transaction

Value is fixed: currently 12.5 BTC, halves every 210,000 blocks created (or
every 4 years at the current rate of block creation)
• We are now in the third period – first period block reward was 50 BTC

Block creator gets to “collect” the reward only if the block ends up on the long-term
consensus branch!
• Subtle but powerful trick: it incentivizes nodes to behave in a way that will get other
nodes to extend their block
There’s a finite supply of bitcoins
• Total supply: 21 million
• Block reward is how new bitcoins are created

[Figure: total bitcoins in circulation, plotted by year. First inflection point: reward halved from 50BTC to 25BTC. Runs out in 2040. No new bitcoins unless rules change.]

Does that mean that after 2040, nodes will no longer have incentive to behave honestly?
Not really!
Incentive 2: Transaction Fees
• Creator of transaction can choose to make output value less than input value

• Remainder is a transaction fee and goes to the block creator (the one that first puts that transaction into a block)

• Purely voluntary, like a tip

• But the system will evolve, and fees will become mandatory, as block rewards run out
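The two incentives combine into what a block creator can collect. This is an added example, not code from the original slides: the function names are hypothetical, amounts are held as integers in satoshi (1 BTC = 100,000,000 satoshi), and each transaction is reduced to a constructed (input value, output value) pair.

```python
COIN = 100_000_000            # satoshi per BTC
HALVING_INTERVAL = 210_000    # blocks between halvings, as stated above
INITIAL_REWARD = 50 * COIN    # first-period block reward

def block_reward(height):
    """Coin-creation value for the block at this height; halves every period."""
    return INITIAL_REWARD >> (height // HALVING_INTERVAL)

def total_supply():
    """Sum the reward over every period until integer halving reaches zero."""
    total, period = 0, 0
    while (reward := INITIAL_REWARD >> period) > 0:
        total += reward * HALVING_INTERVAL
        period += 1
    return total

def creator_income(height, txs):
    """Block reward plus fees, where each fee is input value minus output value."""
    fees = 0
    for input_value, output_value in txs:
        if output_value > input_value:
            raise ValueError("transaction creates value, block would be invalid")
        fees += input_value - output_value
    return block_reward(height) + fees

if __name__ == "__main__":
    # Constructed sample: two transactions, one of which leaves no tip.
    sample = [(2 * COIN, 2 * COIN - 50_000), (COIN, COIN)]
    print(block_reward(420_000) / COIN)           # third period
    print(total_supply() / COIN)                  # just under 21 million
    print(creator_income(420_000, sample) / COIN)
```

The supply lands slightly below 21 million because each halving rounds down to a whole number of satoshi.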
