This is a chapter from the book Token Economy (Third Edition) by Shermin Voshmgir. Paper & audio formats are available on Amazon and other bookstores. Find copyright information at the end of the page.
Blockchain networks use various cryptographic tools paired with economic incentives to trustfully identify and authenticate all network actors and guarantee the correctness of token transactions. Understanding the role of these tools and mechanisms is key to understanding why and to what extent blockchain networks are more decentralized than current Internet infrastructure.
Cryptography focuses on the creation of secure and secret communication and collaboration systems that are resilient against eavesdropping or manipulation. Early cryptographic systems were analog, designed to ensure that a piece of information (plaintext) would be converted into unintelligible text (ciphertext) and could only be deciphered with the corresponding cipher. The term “cipher” refers to a pair of algorithms that define both encryption and decryption processes. While the history of cryptography and cryptanalysis dates back to the advent of handwritten texts, it has evolved significantly in the computer age. The most notable game-changers were the Enigma machine, which was used by the Germans in World War II, and the emergence of Turing-complete electromechanical computers in response. While computers made classical ciphers more vulnerable to brute-force attacks—where computers test all possible combinations to crack the cipher—they also enabled the development of more robust cryptographic systems designed to resist such attacks. Today, modern cryptography extends far beyond text encryption, as it can encrypt any computer file—text, image, or video.
The emergence of the Internet as a computer-to-computer network was another significant game-changer in the 1960s. These early computer networks primarily focused on connecting stand-alone computers, creating addressing mechanisms, and establishing data transmission protocols. Secure communication, however, wasn't a priority in the early years. Systems for more secure communication between stand-alone computers were eventually developed, but initially for military purposes only. They later made it into the commercial Internet.
Secure communication algorithms are generally designed to be incredibly difficult and expensive to break—requiring an infeasible amount of computational effort, time, and resources. Security in this context is a relative term that relies on computational hardness assumptions. As computing technology advances and hardware becomes cheaper, cryptographic algorithms must evolve to maintain their resistance by increasing complexity and difficulty—creating a cryptographic arms race.
Today, cryptographic tools are increasingly used to secure day-to-day applications such as e-banking, e-commerce, identity verification, authentication, rights management, digital signatures, and secure computation. However, cryptographic tools have also raised many legal and ethical questions along the way. Some governments have classified them as weapons, restricted their use, or required individuals to disclose encryption keys for investigation purposes. Political debates around these issues intersect with broader discussions about privacy in the digital age, particularly as encryption becomes central to safeguarding constitutional rights and, more broadly, digital human rights in an era of potential mass surveillance (read more on this topic in the chapter “Token Privacy”).
Bitcoin’s Origins
Bitcoin’s system architecture did not emerge out of thin air but was built on decades of research and development in cryptography, P2P networks, and numerous attempts to create digital cash systems. Key inspirations included Adam Back’s “Hashcash,” Wei Dai’s “B-money,” Nick Szabo’s “BitGold,” as well as the broader cypherpunk movement. Cultural influences, such as sci-fi author Daniel Suarez, also played a role. Its technological origins date back to the 1970s.
In the early 1970s, Ralph Merkle laid the groundwork for secure communication over the Internet when he developed a “collision-resistant” cryptographic hash function and the concept of a Merkle tree for efficient data verification. In 1976, an academic paper introduced mechanisms for secure cryptographic key exchanges over public networks, setting the stage for the development of digital signatures, and in 1978, the RSA algorithm was developed. All these innovations became cornerstones of Bitcoin’s decentralized Public Key Infrastructure. In 1991, an academic paper on cryptographically secured chains of time-stamps was published—another essential concept that inspired Bitcoin’s system architecture.
In the early 1980s, David Chaum advocated privacy-preserving digital signatures and launched “Ecash,” an early form of cryptographic electronic money. Ecash was commercialized through his company, “Digicash,” and was used as a micropayment system at one US bank from 1995 to 1998. However, its system architecture could not defend against Sybil attacks and required some form of centralized coordination. Ecash was shut down in 1998, possibly because it was ahead of its time—e-commerce applications were not yet widespread—as well as due to regulatory scrutiny.
In 1997, Adam Back created “Hashcash,” which was the first proof-of-work system designed to limit email spam and denial-of-service attacks by requiring computers to perform computational work before sending a message. The original idea was proposed in an academic paper by Cynthia Dwork and Moni Naor in 1992. The concept of proof-of-work was also adopted as a mining mechanism in “B-money,” a proposal by Wei Dai for creating an “anonymous, distributed electronic cash system” in 1998. The idea was proposed on the “cypherpunk mailing list,” which represented a group of activists advocating the use of strong cryptography and privacy-enhancing technologies over the Internet. However, B-money was never deployed in practice. It did, however, lay the groundwork for Bitcoin’s proof-of-work.
In 1998, Nick Szabo designed a mechanism for a decentralized digital currency—“BitGold”—where he implemented many of his prior ideas around smart contracts and added a proof-of-work-based consensus algorithm. Like B-money, BitGold was never deployed, possibly because the proposal had not resolved the problem of double-spending in a fully decentralized, Sybil attack–resistant way. Szabo, however, was speculated to be behind Bitcoin’s anonymous creator, Satoshi Nakamoto—a rumor he always denied.
The late 1990s and early 2000s were also significant, marking important developments in P2P networks, highlighted by music-sharing applications like “Napster,” where users could upload their music files and share them with others who could, in turn, download them. Napster was designed as a decentralized file-sharing network independent of the Internet's physical structure. Even though its system architecture reduced the need for centralized coordination, it still relied on a central indexing server, making it prone to shutdowns by governments. Gnutella” in 2000 and later “BitTorrent” further developed decentralized file-sharing architecture by eliminating central points of failure and using distributed hash tables to enhance privacy and security. However, the greatest challenge that remained was the lack of incentives for network contribution and the resulting free-rider problem. Most of the early file-sharing networks eventually collapsed, either because they could be shut down by regulatory action or because their users consumed network services (downloading music and video files) without contributing to the network (uploading music and video files). Hal Finney’s “reusable Proof-of-Work” system, proposed in 2004, tied token value to real-world resources, hinting at a mechanism to incentivize network contributions—an idea that likely inspired Bitcoin’s reward mechanism.
The Bitcoin white paper, published in 2008, was groundbreaking because it resolved the lack of incentives in early P2P networks by proposing a Sybil attack–resistant incentive mechanism for network contributions. It solved the Byzantine Generals' Problem by uniquely combining cryptographic methods (hashing & public-private key infrastructure) with economic anti-spam mechanisms (“Hashcash”), alternative data architectures (a chain of timestamped transaction blocks), and network incentives (block rewards). The cryptoeconomic system architecture of Bitcoin and the subsequent blockchain networks that emerged later have pushed cryptographic tools deeper into the infrastructure layer of the web.
Hash Functions
In blockchain networks, hashes are a key cryptographic building block used for many network operations. A hash is a mathematical algorithm that transforms input data of arbitrary size—such as a human-readable text, a picture, or a video—into a fixed-size text that is unintelligible to a human reader. It is not a cipher used for encrypting or decrypting but rather a one-way mathematical function (aka “trapdoor function”) that is easy to create but hard to reverse. As a result, small changes in input data lead to drastically different outputs, making hashes ideal for detecting even minor modifications to the original text or digital file. A document’s hash value can, therefore, serve as a cryptographic twin of the file, which is why it is often referred to as a “digital fingerprint.” Different forms of hashing algorithms exist: cryptographic hash functions and non-cryptographic hash functions. Cryptographic hash functions are designed to be secure against tampering and collisions, while non-cryptographic hash functions are usually designed for other purposes without cryptographic security. Blockchain networks use public cryptographic hash functions, such as SHA-256, to convert any input into a fixed-size string. Anyone can use these public algorithms to produce a hash with online tools. Here is a practical example:
~
Hash of the sentence “How to buy Bitcoin?” using SHA-256:
156aedcfab1d49f73abddd89faf78d9930e4b523ab804026310c973bfa707d37
Hash of the sentence “How to buy Bitcoin” using SHA-256:
4314d903f04e90e4a5057685243c903fbcfa4f8ec75ec797e1780ed5c891b1bf
Note how the same sentence without the question mark produces a completely different hash.
Hashing the hash using SHA-256 produces:
4c9622e1148ff0b855de50e62999d194039eb2faa9e715cc9d9ef604015aa1fe
~
In blockchain networks, hashes are used for different components of the system architecture. The fact that the original input data cannot be feasibly derived from the hash ensures data integrity, as well as system security and efficiency. Hashes are used for account creation, password management, and digital signatures. Hashes are also used to link blocks of transaction data together, effectively creating the alternative data structure of a chain of cryptographically linked transaction blocks. This is needed to collectively validate transactions and verify account balances without the need for central coordinators. Hashes are essential to the consensus process of Proof-of-Work, where they are used in the computational puzzle nodes need to resolve in order to obtain the right to add new blocks of validated transactions to the ledger. Hashes also enable efficient data verification in structures like Merkle trees, allowing light clients to verify transactions without having to download the entire ledger.
Merkle Trees
A Merkle tree is a cryptographic data structure that organizes data into a tree-like hierarchy of hashes, culminating in a single hash at the top called the Merkle root. This root serves as a compact representation of all the data below it, allowing for the efficient verification of data integrity across large amounts of data. In the Bitcoin network, for example, Merkle trees are used to organize all transactions collected and verified within a block. The Merkle root is stored in the block header and ensures tamper detection: even a small change to any transaction within a block alters the root hash, making any tampering by one network node immediately detectable to all other network nodes.
Similar to how blocks are linked together using the hash of the previous block to form a cryptographically linked list, Merkle trees link all transactions within a block together through their hashes of each individual transaction. Each transaction within a block is hashed, and pairs of transaction hashes are recursively combined and hashed again to form parent nodes, ultimately culminating in the Merkle root at the top of the tree. This root represents a cryptographic summary of all transactions in the block. Any change to a single transaction would propagate through the tree, altering the Merkle root and ensuring easy tamper detection.
Just as the blockchain structure ensures the integrity of the chain of blocks, the Merkle tree structure ensures the integrity of the transactions within a block. Together, these mechanisms create a multi-layered system of cryptographic linking and verification that secures the blockchain's data from manipulation. It also allows small computers that do not have the capacity to store the full ledger data to verify transactions without needing to download the full ledger. This is important for small devices such as mobile wallets or hardware wallets.
Other blockchain networks use variations of Merkle trees or alternative data structures. The choice of data structure depends on the general goal and system architecture of a particular blockchain network. Ethereum, for example, uses a variation of Merkle trees to efficiently manage account states, which come with additional smart contract data attached (which Bitcoin doesn't need). “IOTA” and “Nano” use completely different data structures called “Directed Acyclic Graphs.” zk-Rollups and other second-layer blockchain networks that emerged later utilize alternative cryptographic proofs such as zk-SNARKs, which reduce the reliance on Merkle trees for transaction validation.
Public Key Infrastructure
A secure digital reference about who is who and who owns how many tokens in the network is the basis for secure token transactions over a public blockchain network. Bitcoin and other blockchain networks use decentralized Public Key Infrastructure, based on asymmetric encryption, to create a secure and pseudonymous digital reference about the identity of their network participants. Asymmetric encryption was chosen as it uses two keys, which is more adequate for decentralized account management than symmetric tools.
Symmetric encryption uses the same key for both encryption and decryption: the key that locks (encrypts) the data is identical to the key that unlocks (decrypts) it. While such systems are easy and robust, they require the key to be securely shared between all participating parties in an analog form so it cannot be intercepted, which makes it unsuitable for most internet-based applications.
Asymmetric encryption uses a pair of mathematically related keys: a public key and a private key. The public key can be shared openly to encrypt data, but only the private key can be used to decrypt it. This double-key system resolves the key exchange problem over the internet since the public key does not need to be kept secret. An analogy for public key encryption is a padlock: if Bob wants to send Alice a secure message, Alice sends Bob an unlocked padlock (public key). Bob locks his message in a box using her padlock and sends the locked box to Alice. Only Alice, who has the corresponding key (private key) to the padlock, can unlock and read the message. Although brute force could theoretically break the box, the difficulty depends on the strength of the box and padlock as well as the sophistication of the analog key. The same is true for the algorithms used for generating digital key pairs. The combination of the public and private key allows the creation of secure digital signatures over the internet. These digital signatures can be authenticated by anyone who has the public key. In combination, the public-private key pair can confirm the sender’s identity and ensure transaction authenticity. Anyone over the internet can verify whether the signature of the sender is valid with the corresponding public key. This system secures both the privacy and integrity of communication in public networks.
Public Key Infrastructure (PKI) is a broader term that refers to the certification framework that supports the use of asymmetric encryption: all the tools, systems, policies, and procedures necessary to create, manage, distribute, and validate the key pairs to ensure that the public key can be trusted. This key infrastructure can be centralized or decentralized, depending on whether or not it relies on trusted entities—such as certificate authorities—to issue and validate certificates. Most internet applications today use centralized PKI for certification. Decentralized PKI eliminates the need for centralized certification authorities by using blockchain networks to collectively verify and manage public keys. While decentralized PKI concepts existed before Bitcoin, they had limitations in terms of scalability, automation, and robustness. The Bitcoin protocol improved previous versions of decentralized PKI by resolving trust, coordination, and security challenges that earlier systems could not fully address.
Decentralized Accounts
In blockchain networks, identities, accounts, and passwords are established collectively by all network participants using open-source cryptographic tools. No single authority verifies identities and related account balances; instead, users generate their own public-private key pairs as the basis of their account to prove token ownership via digital signatures, which other network participants collectively verify through the process of consensus. Wallet software generates and manages the key pairs—without the need for a system administrator to create, verify, or manage network accounts.
The most important building blocks of blockchain accounts are the blockchain address, private key, public key, digital signature, and seed phrase:
- Blockchain addresses function like bank account numbers or email addresses, serving as identifiers that one shares with others so they know where to send tokens and related information.
- The private key is like a computational password used for authenticating token holders and signing transactions.
- Digital signature: In combination with a token transaction, the private key creates a digital signature that proves ownership of one’s tokens.
- The public key is used by all other network participants to verify the authenticity of the digital signature.
- The seed phrase is a combination of words that serves as a human-readable backup for the wallet in case one loses the password used to access the wallet.
Account structures can vary across blockchain ecosystems. Bitcoin, for example, does not have traditional "accounts." Instead, it works more like digital cash. One’s Bitcoin balance isn’t stored in a single place like a bank account. Instead, it’s a collection of unspent transaction outputs (UTXOs)—small chunks of Bitcoin leftover from past transactions associated with various Bitcoin addresses that were generated with the same private key. Unspent transactions in Bitcoin are equivalent to the change that one gets back when paying with cash. Bitcoin addresses behave more like receiving addresses rather than persistent accounts because a Bitcoin wallet can manage multiple addresses, and addresses are often used only once for privacy reasons. The same is true for Bitcoin clones that also have UTXO-based systems. In contrast, Ethereum and similar blockchain ecosystems use true account-based models, similar to traditional banking. Token balances, smart contract information, and other important data are stored within the account itself. In Ethereum, two types of accounts exist: externally owned accounts (controlled by private keys, used for sending transactions and managing assets) and smart contract accounts (controlled by code, allowing decentralized applications and programmable functions). Other blockchain networks have slightly different account designs.
Key Generation
Both key generation and key management are conducted autonomously and automatically by the blockchain wallet, directly on the user’s device (computer, mobile phone, or dedicated piece of hardware) and not remotely in the cloud. The wallet software uses cryptographic libraries to execute the key generation process the first time a wallet is launched. The rules are specified in the blockchain’s protocol and implemented by wallet developers. The cryptographic algorithms and addressing scheme used can vary from network to network. The main goal of the key generation process is to ensure randomness and security.
The private key is a large random number, which is created by the wallet software using a cryptographically secure random number generator. The aim is to produce a number that cannot be feasibly predicted or reproduced. This private key is typically a 256-bit number—so large that the odds of generating the same number by chance twice are extremely low. This size is necessary to make the private key unique and sufficiently secure against brute-force attacks. Given its size, 256-bit numbers are not practically manageable by humans, which is why the private key is derived from a human-readable combination of words (seed phrase).
The public key is mathematically derived from the private key. The algorithm used by the wallet to do this relies on one-way functions. It is easy to generate the public key from the private key but practically impossible to reverse-engineer the private key from the public key. In the Bitcoin network, for example, the public key is hashed using a cryptographic hash function, such as SHA-256, often followed by an additional hash (e.g., RIPEMD-160) to produce a shorter, more manageable result. Double hashing with two different algorithms creates an extra layer of security, similar to using two locks on a bike.
The blockchain address is also created by the wallet. It is derived from the public key using a different hash function from the one that was used to derive the public key, adding metadata like checksums and prefixes. The blockchain address acts as a digital fingerprint of the public key but does not reveal any information about the person’s public key (unless they send the first transaction). This is important for decentralized coordination of various system functions. Depending on the type of blockchain network, addressing schemes can vary.
Digital signatures: Unlike handwritten signatures or password authentication in traditional computer systems, blockchain signatures utilize public key cryptography for creating digital signatures. A private key is used to sign a transaction to confirm ownership of tokens, while the corresponding public key enables other network participants to verify the signature’s authenticity. Properly implemented, they are more difficult to forge than handwritten signatures. Depending on the type of wallet developed, different methods of digital signing schemes can be used, such as simple signatures, multi-signatures, Shamir's Secret Sharing (SSS), or secure multi-party computation (sMPC).
Seed phrase (aka mnemonic phrase): A seed phrase is a list of words (12, 18, or 24) that serves as a human-readable backup phrase for a wallet if one loses the password. The seed phrase can be used to restore a wallet (including all keys) on a different device to regain access to funds. It provides a more practical way to secure tokens without the need to remember long and complex strings of characters for each key. Think of it as a human-readable master key to a blockchain wallet. The same seed phrase will always generate the same key pairs. Anyone with access to a seed phrase can access the wallet. This is why it must be kept secret and secure. While in theory, one could choose a seed phrase when setting up a wallet for the first time, this could compromise security if the phrase isn’t random enough. Account security always depends on having enough unpredictability when generating a private key, from which everything else is mathematically derived. Humans are not good at creating randomness and are likely to choose the same seed phrase. It is therefore recommended to let the wallet software randomly generate the seed phrase, from which the private key is then derived, instead of the other way around. Modern wallets can generate an entire tree of keys from one seed phrase, making multi-purpose key management easier.
Security: The security of public key cryptography depends on computational hardness assumptions, which determine how much more difficult it is to derive a private key from a public key than vice versa. The effectiveness of this difficulty gap depends on factors like the size and randomness of the private key, the computational effort required to guess it, and the time and cost involved in brute-force attacks—attempting all possible combinations until the correct key is found. Larger, randomly generated private keys are harder to guess and, therefore, more secure, although they can also be slower to compute.
For a private key to be secure, it must meet specific requirements: it should be (i) randomly generated, (ii) sufficiently large, and (iii) created using a secure, proven algorithm. Randomness is essential to ensure uniqueness and prevent key duplication, as humans and simple machines are not good at generating randomness. Larger keys distribute randomness over a broader range and are computationally expensive to crack, but this complexity requires careful balancing to avoid inefficiencies. Secure algorithms must always be sufficiently stress-tested and peer-reviewed to withstand attacks. Developing new algorithms without rigorous validation is a risky endeavor in blockchain networks. The IOTA network, for example, initially developed a new hash function called “Curl,” which was eventually found to be non-collision resistant—a critical vulnerability that undermines cryptographic integrity and asset management security in blockchain networks.
Types of Wallets
Wallets are the most important user-oriented software in a blockchain ecosystem. They are the interface that allows users to access and control their blockchain accounts, through which they can initiate and sign token transactions. If users switch their wallets, let’s say from Ledger to MetaMask, their account would stay the same. The old account can be accessed with a new interface, but only after importing one’s seed phrase. Once it is set up, the wallet software automatically performs various cryptographic functions and communicates with all other nodes in the blockchain network, using the private key to sign transactions, while other network nodes verify the signature with the corresponding public key. Once the other nodes reach consensus about the truthfulness of the transaction, all token balances related to the accounts involved in the transactions are adjusted on all copies of the ledger. Depending on the blockchain ecosystem and the type of wallet used, a wallet can manage either one or multiple accounts. Wallets were originally designed to be user-controlled; however, hosted/custodial wallet services have also emerged over the years, though the lines might be blurring as more sophisticated wallet solutions are emerging.
User-controlled wallets are the very reason why Bitcoin and other blockchain networks were created in the first place, namely to provide true P2P transactions without a financial intermediary. Wallets were designed to be user-controlled. The aim was to allow users to generate and control their keys at all times, enabling true peer-to-peer transactions and sovereign asset management; however, this also places the full burden of security on the user, as losing access to the private key or seed phrase means permanently losing access to one’s tokens. Advanced solutions such as social key recovery or multi-signature schemes can mitigate this risk by allowing users to delegate recovery authority to trusted parties.
Hosted wallets (custodial wallets) are typically offered by exchanges or other financial service providers, who manage tokens on behalf of their users. These service providers often maintain a private ledger to track ownership and execute transactions on behalf of their users, who have no access to their private keys and therefore no control over their assets. At the time of writing, most exchanges don’t even provide separate wallets for all their users. Cryptocurrency exchanges have therefore become the de facto banks of Web3, offering a range of custodial services. While convenient for those concerned about losing their private keys, hosted wallets reintroduce dependency on third parties. Accounts could be unilaterally frozen if the financial institution becomes illiquid or if state authorities decide to seize the funds. In spite of this, many people prefer to deposit their tokens with exchange services—delegating key-management responsibilities to them. While this is convenient, it defies the principles of sovereign asset management that Bitcoin was built on.
At the time of writing this book, wallet solutions are becoming increasingly versatile and usable. This can potentially blur the lines between the above-mentioned distinctions. While custodial wallets inherently manage keys on behalf of users, more sophisticated wallet features could grant users more autonomy to co-manage their private keys. Multi-signatures, social recovery, and flexible transaction approvals—which traditionally belonged to self-hosted solutions—could also be offered by exchanges. This would allow users to retain more influence over their account operations, even when a third party is involved in key management, thereby increasing transparency and reducing reliance on a single point of control.
The concept of account abstraction, for example, that emerged within the Ethereum community, allows for the creation of more versatile wallets. It decouples account management from fixed protocol rules, allowing for more versatile accounts to be generated with smart contracts. Rather than relying solely on a protocol-level key-pair mechanism for transaction authorization, blockchain accounts can be customized, with built-in features such as multi-signature capabilities, social key recovery solutions, and flexible fee payments. This approach allows more sophisticated key management and simplifies wallet usability. It can also simplify interaction with decentralized applications—such as eliminating the need to manage native token balances to pay for network fees. Although Ethereum remains the flagship network for implementing account abstraction, other blockchain ecosystems are also exploring similar account models. Even in Bitcoin, proposals for account abstraction have been discussed, though progress is slower due to its more limited scripting language.
Sending & Validating Transactions P2P
A blockchain transaction generally involves specifying the number of tokens one wants to send, identifying the recipient’s address, and signing the transaction. The exact process of initiating and validating a transaction depends on the type of blockchain network. In the Bitcoin network, it works as follows:
Transaction creation: Alice uses her wallet software to indicate Bob’s address and the amount of Bitcoin she wishes to send him. The wallet includes Alice’s public key and creates a unique transaction hash.
Digital signature & digital timestamp: To prove her ownership of the funds and authorize the transaction, Alice signs the transaction hash with her own private key. This process digitally timestamps the transaction and provides authentication. The wallet software performs this step automatically.
Broadcasting the transaction: Alice’s wallet now broadcasts the transaction, including the plaintext transaction details and the signed hash, to all other nodes in the Bitcoin network.
Transaction collection & validation: Other network nodes collect the transaction and verify their validity by performing two checks: (i) They use Alice’s public key to confirm that the signed hash matches her private key, proving her ownership. (ii) They perform the same hashing operation on the plaintext transaction and verify that it matches the provided hash, ensuring data integrity.
Mempool & ordering: Once the transaction is validated, it is pooled in the mempool (short for "memory pool") with other transactions awaiting inclusion in the next block. Each node maintains its own version of the mempool, which may vary slightly depending on network conditions and transaction propagation. Transactions in the mempool are prioritized based on the transaction fees the user is willing to pay. Nodes participating in the consensus process generally prefer to include transactions with higher fees first, as these fees serve as their incentive for processing and securing the network.
Consensus & block creation: Once these nodes select and order transactions, they compete with others to solve a complex mathematical puzzle, which is part of the consensus mechanism, Proof-of-Work. When a mining node successfully solves the puzzle, it gains the right to add the block of transactions—including Alice's transaction—to the ledger, aka blockchain. The block is hashed, linking it cryptographically to the previous block, and broadcast to the entire network for validation.
Block validation & ledger update: Other nodes collect the new block information and verify its validity before appending it to their local copy of the ledger. Once this process is completed by the majority of network nodes, Alice's transaction becomes part of the ledger.
Finality & immutability: Finality in Bitcoin is typically reached after six additional blocks are added to the ledger after the block containing the original transaction. At this point, the computational work required to manipulate Alice’s transaction on all nodes in the network becomes prohibitively expensive, as this would require an attacker to redo the Proof-of-Work for the block containing her transaction and all subsequent blocks. This becomes even more difficult as more blocks are added to the ledger.
Proof-of-Work
In Bitcoin, when tokens are sent over the network, each node can compete to propose new transaction blocks to be added to the ledger. To do so, mining nodes validate transactions and compete with each other to solve a complex computational puzzle.
Competing: In this process, they have to collect all recent network transactions, including some additional metadata, verify all the collected transactions, guess a pseudo-random number (also referred to as a “nonce”), and run all the data through a cryptographic algorithm (SHA-256) to find the hash of the new block. To do so, they have to perform computational work, which is the reason why this process is referred to as “Proof-of-Work.” The hash is difficult to find, but once found, the solution can be easily verified by all other network nodes. The hash of a validated block, therefore, represents the work done by the miner.
Creating: If a node is the first one in the network to find that hash value, it can add the block of collected and validated transactions to its version of the ledger and broadcast the hash value of the new block, including all block data, to the rest of the network. The winning node that gets to create the new block is also awarded the “block reward” with newly minted Bitcoins. These newly mined Bitcoins are generated and recorded in the coinbase transaction of the new block. This way, the minting of new Bitcoins is also decentralized, replacing the need for a centralized issuer. In addition, the mining node creating the new block also receives all transaction fees paid for the transactions included in the block. This is why the process is referred to as “mining.” At the time of publishing this book, the reward for successful block creation in the Bitcoin network is 3.125 BTC per block. The block reward gets reduced by 50 percent every 210,000 blocks, around every four years.
Verifying: Once the block is created and broadcast to the network, the other nodes can verify the validity of the hash of the newly added block. If the other nodes accept this newly added block, they add it to their copy of the ledger.
How security is achieved: The high competition for block rewards drives miners to invest heavily in powerful hardware and electricity, which in turn increases the difficulty of participating in the process. If a cheating miner were the fastest computer to find the hash and manipulate a transaction in the current block, the rest of the network would detect a false hash value and not add the new block to their version of the ledger. Cheating miners would not receive the block reward, even though they invested computational power and energy. A rational economic actor would, therefore, refrain from cheating the system, as this would result in sunk costs of energy and infrastructure investment. Through the backdoor of infrastructure and electricity costs, network attacks are made prohibitively expensive. This built-in economic difficulty makes it prohibitively expensive for any malicious actor to accumulate enough resources to manipulate the ledger and create fake Bitcoins. A successful attack would require a prohibitive amount of computational power, energy consumption, and time—which makes the Bitcoin network also energy-consuming.
10-minute interval: New blocks of transactions are created every 10 minutes. This delay was chosen by Bitcoin’s creators to balance the speed of block verification and network security. This interval allows sufficient time for transactions to propagate across the network, accounting for network latencies, thus making participation more inclusive and allowing more computers to participate in reaching a broader consensus on the latest state of the ledger. While longer intervals are considered to be more inclusive and decentralized, increasing security and reducing the frequency, shorter intervals would speed up transaction confirmations. However, they are also considered to be less inclusive and can increase the likelihood of competing blocks being mined simultaneously, which could lead to more frequent forks, potentially destabilizing the network.
Difficulty adapter: The system is designed in a way that the “difficulty” of finding that hash value, and therefore creating a block, adjusts over time in order to keep the interblock time of 10 minutes relatively constant. It is adjusted periodically as a function of how much hashing power has been deployed by the network of mining nodes. If blocks are created in less time than 10 minutes, difficulty increases. Likewise, if blocks take longer than 10 minutes to be created, difficulty decreases. Difficulty also increases with the level of competition—the number of other computers competing to validate a block.
Network Security & 51 Percent Attacks
A Proof-of-Work network like Bitcoin is considered safe as long as more than 50 percent of the work is being put in by honest miners. A so-called “51% attack” can happen when a single person or institution is able to control the majority of the computing power—also referred to as “hash rate”—to manipulate the network. The following websites provide real-time information about how much it currently costs to attack different Proof-of-Work networks:
- Cost of manipulating the Bitcoin network: https://gobitcoin.io/tools/cost-51-attack/
- Cost of manipulating other Proof-of-Work networks: https://www.crypto51.app/
As previously mentioned, once a block of transactions is accepted by the majority of network nodes, it cannot be easily changed or removed. The block containing the transaction and all subsequent blocks would have to be recomputed for that to happen, which would require the majority of the network participants to agree on such changes. An attacker would need to redo the computational work of all successor blocks on the majority of the network nodes within the block-creation period of 10 minutes. This would require control over, or bribing of, the majority of the network nodes. Even if it were possible to perform these computations within the short block-creation period, the cost would be much higher than the rewards gained from attacking the network.
A successful 51% attack would allow the attacker to:
(i) change blocks by adding or removing transactions (older transactions are harder to reverse);
(ii) censor participants and therefore transactions of these participants;
(iii) send transactions and then reverse them;
(iv) change protocol rules.
A 51% attack cannot:
(i) Change the amount sent in an existing transaction;
(ii) Change the recipient of an existing transaction;
(iii) Send someone else’s tokens without their approval.
This type of manipulation is not possible with a 51% attack because transactions need to be signed with the private key of the token owner, which cannot be revealed by a majority vote of the network. Changing a detail in an existing transaction without the private key would render the ledger 'illegitimate,' as a transaction without a valid signature would not be accepted by other nodes. Changing a detail in an existing transaction for which one does have the private key can only be achieved by brute-forcing the private key of the respective sender. Alternatively, one could try to break the cryptographic algorithm used by the protocol to create signatures, which would corrupt the whole network. This is why it is so essential that blockchain protocols only use cryptographic algorithms that have been properly stress-tested and combine various algorithms in their system architecture.