How do cryptocurrencies work?

Decentralized consensus

As stated in the introduction the focus isn’t on technical details, but it’s a hard balance to make between keeping it simple and explaining how cryptocurrencies work. If this chapter is too technical you can safely skip to the next chapter or just read the summary, it’s not required knowledge.

This is my attempt to explain how a standard cryptocurrency like Bitcoin works. Other cryptocurrencies may diverge on various points but the fundamentals are the same.For example Ethereum adds Turing complete smart contracts and CryptoNote protocols (like Monero) hides transaction details.

The ledger

If you want to create a digital currency you only really need to keep track of how many coins everyone have. For example your bank might have entries in a ledger like this:

PersonSwedish krona
Sneaky Steve7 000 SEK
Honest Harry1 000 SEK

When Sneaky Steve wants to send 500 SEK to Honest Harry the bank simply updates the ledger:

PersonSwedish krona
Sneaky Steve6 500 SEK (-500 SEK)
Honest Harry1 500 SEK (+500 SEK)

Cryptocurrencies work this way as well. In fact the ledger in a cryptocurrency, often referred to as the blockchain, contains the balance of all addresses. It’s a slight simplification to say the blockchain stores balances. It actually stores all transactions from which you can calculate all balances.To lighten the load you can run your software in a pruned mode which discards the transactions after validation and only keeps the balances.

Your keys, your coins

To be able to create a transaction you need to have the private keys to the address you want to send from. Think of it as a secret password that unlocks your account. This prevents anyone else from stealing your coins, unless of course they steal your private key!You typically don’t use the private key directly. Instead you can interact with a seed, which encodes the private key hash into a human-readable format. It’s commonly made of 12 or 24 words.

It uses public-key cryptography which allows you to prove you control the private key without sharing the private key itself. Compare it to credit card numbers which act as both a private and public key. Explaining how the cryptographic primitives work is out of the scope of this book.If you’re intrigued by the promise of public-key cryptography I encourage you to look it up, it’s quite fascinating.If the history of cryptography interests you I can also recommend the book “The Code-Breakers” by David Kahn. You can enjoy it even without much math knowledge.

Copying a coin & double spending

So far cryptocurrencies don’t do anything new. The hard problem is how do you prevent someone from copying a coin and sending the copies the different receivers?

For example Sneaky Steve wants to buy a computer from Honest Harry and wants to pay with Bitcoin. The computer costs 1 BTC and the Bitcoin ledger looks like this:

AddressBitcoin
Sneaky Steve 11 BTC
Sneaky Steve 20 BTC
Honese Harry0 BTC

What Sneaky Steve tries to do is send 1 BTC to the merchant Honest Harry and then send the same 1 BTC to his other address Sneaky Steve 2. It’s possible because you can have as many addresses you want, this is a consequence of the permissionless nature of Bitcoin.

Sneaky Steve sends a digital coin both to Honest Harry and himself.

If we didn’t prevent this the ledger might look like this:

AddressBitcoinDiff
Sneaky Steve 1-1 BTC(-2 BTC)
Sneaky Steve 21 BTC(+1 BTC)
Honest Harry1 BTC(+1 BTC)

We copied our coin and printed 1 BTC out of thin air, so now the ledger contains a negative balance. This is a form of double spending—spending the same coin twice.

This isn’t really a problem with physical cash since you can’t just copy gold coins or paper notes. It’s not a problem for banks either since the bank can just deny one or both of the transactions.

But this is a hard problem for a digital currency that tries to remove the central authority. This is why before Bitcoin no decentralizedDecentralization is a common term used to refer to the lack of trusted third party. Instead multiple unrelated entities come together and decide as a group.There are different types of decentralization in a cryptocurrency to consider. For example:1. Mining centralization
2. Development centralization
3. Node centralization
digital currency existed.

The Byzantine Generals Problem

To resolve double spending it’s enough to choose one of double spending transactions. But how do you do that when there are many unrelated people—some who wants to cheat?

This is the same problem known as the Byzantine Generals Problem. Here’s my description of a simple variation:

In the Eastern Roman Empire, also referred to as the Byzantine Empire, a couple of generals surround an enemy city:

The five generals surround a well defended enemy city. They don’t have direct contact and instead need to communicate by sending messengers.

The city is very well defended and if they attack individually they will get crushed. They will have to work together and coordinate to attack at the same time or to retreat as a unit. Doing nothing is not an option either as they have limited food supply and the city is waiting for reinforcements.

If they try to act without a majority they will for sure get defeated, they must coordinate.

This would be very easy if they could trust each other. Unfortunately they cannot trust the messages—either the messenger or the message itself could be replaced—and even some of the generals could be traitors.One countermeasure is to encrypt messages. Unfortunately it doesn’t protect against a traitor who knows the code, like one of the generals. Also in ancient times encryption weren’t very advanced and could possibly be broken, see the Ceasar cipher as an example.

One general sends out messengers declaring his intent to attack to the generals next to him, who then sends messengers of their own, and so on until all generals have received the message. However two of the messengers are traitors and change the message from “attack” to “retreat”.

In this simple example three of the generals now believe they will attack while two are preparing to retreat. In a more complex scenario they might receive conflicting messages and notice something is amiss, but they don’t know what’s real and what’s not.

To relate it back to cryptocurrencies the choice between “attack” and “retreat” is similar to choosing between two transactions in a double spend. You know there are bad actors—like Sneaky Steve—but who can you trust?

Sybil attack

You may think most in the network are honest so can’t you just ask everyone?

Unfortunately there’s a serious problem here. As there is no barrier to participate in the network and no identity control a single person can have multiple identities.

This is what Honest Harry sees. A diverse group of honest individuals.
But in reality they’re all controlled by Sneaky Steve.

This is called a Sybil attack. Think of how one person can use multiple online identities to troll or attack people online, it’s hard to know who’s real.It’s very common for cryptocurrency communites to be flooded with trolls pushing their own agenda.

Proof-of-work

If you’ve heard about cryptocurrencies then maybe you’ve also heard about cryptocurrency miners or Bitcoin miners. This is how Bitcoin provides sybil resistance and prevents double spends.

The core idea is: if you want to choose which transaction is validRemember that to resolve double spending one transaction must be chosen, which one doesn’t matter. you have to do work. The process is known as proof-of-work, shortened to POW.

The work is to find a solution to a computing problemIn Bitcoin specialized hardware, ASICs, are used which are many magnitudes faster than regular computers at solving POW problems.They can only be used for a specific type of POW algorithm and cannot be used to mine on any cryptocurrency.. The problem itself is not that important and it doesn’t have any meaning outside of mining.It’s difficult to create a problem that satisfy the POW properties while having a useful side-effect. For example The Protein Folding Problem is not easy to verify and it’s hard to adjust the problem difficulty.Additionally if there was a useful side-effect it might alter the economic incentives of mining. If mining is purely done to secure a cryptocurrency then the miners investment rests on the success of the cryptocurrency. A secondary use for specialized mining hardware lessens the incentive to secure the chain. There some important properties it should have:

Cryptographic hash functions are excellent choices, Bitcoin uses SHA-256 for example. For more details I recommend this post (2014) which shows how to mine Bitcoin with pen and paper.

A solution is proof that you’ve done the work—it’s proof that you’ve expended energy. It’s like a lottery and you can get lucky, but in the long run it balances out. Since you require a significant investment to find a block this can be used as sybil resistance. You can’t just create thousands of fake identities for free.

Important to note is that everyone doesn’t have to be a miner. The blockchain is open for anyone to read and validate, it’s only writing that’s exclusive to miners.

The blockchain

When a miner finds a solution she can then update the ledger by adding a block to the blockchain. A block is basically a collection of transactions.

A blockchain is what it sounds like: a chain of blocks where a new block builds on previous blocks. When a miner searches for a solution she must target a block on a specific height—the POW problem includes a reference to the previous block. It only fits at a specific place in the chain.This is why forks naturally happen.It’s also a necessity to prevent miners from pooling blocks and using them to assemble a very long chain at a later date in an attempt to reverse transactions. When a new block is added all miners need to work on a new problem targeting that block.

The blocks in the blockchain are linked with a key obtained by solving the POW problem.

The transactions must follow common rules, called consensus rules, otherwise other miners and users who use the blockchain will discard the block. For example a transaction cannot spend coins from an empty wallet or spend coins without having access to the private key of an address.

In return for adding the block you get to collect the rewards. One for finding a blockAs I’m writing this the current block reward for Bitcoin is 12.5 BTC, about $50,000. With one block expected every 10 min that’s about $7,200,000 per day. Bitcoin mining is big business. and you can also collect transaction fees for the transactions you include in the block.

The blockchain is public and anyone can see all transactions. You can use a blockchain explorer to see for yourself. See for example the full history of this random address or this transaction which contains one input and two outputs.One output is usually a change output where you send change back to one of your own addresses.

Cryptocurrencies like Monero also have a public blockchain—see this blockchain explorer—but they hide transaction amounts, where the coins are coming from and where they’re going. Exactly how it works is outside the scope of this book.

The blockchain is duplicated, stored and maintained with many different people, you might think of it as similar to how torrents work. When you send and receive transactions you’re really interacting with the blockchain and not with each other directly.There are several differnet ways to interact with the blockchain. For the end user there are three main ways, with different trade-offs:1. Run a full node
2. Use an SPV wallet
3. Use a light wallet
A full node stores a complete copy of the blockchain on your computer and verifies all transactions. This is the most trustless way but also the most resource intensive.An SPV wallet confirms that the proof-of-work is valid and that your transaction is inside the block but it does not validate the transactions. This means it’s trusting that the longest chain is always valid—a reasonable assumption—and is much less resource intensive.A light wallet interacts with a third party node but does not validate anything itself. The least resource intensive but you also need to trust a third party service.

A payment is sent to the network and not directly to the receiver. The transaction then gets forwarded to miners who eventually add it to the blockchain. The receiver then confirms the payment in the blockchain, without trusting the payee.

Forks

But what happens if two miners find a block at the same height? For example one where Sneaky Steve sends money to Honest Harry and one where Sneaky Steve sends money to himself?

Two blocks at the same height with different transactions.

The chain will split and there will be a fork.Forking a cryptocurrency is different from forking the code, although both are common. Each miner will independently choose which one they will build on and one will eventually become longer:

Here there are two chains after a fork, one of height two and one of height four.

The longer chain is to be considered “the correct” chain and the shorter chain will be abandoned.When a shorter chain gets abandoned we say it gets orphaned. It is a natural consequence of the system but high orphan rates are problematic because they hurt smaller miners more than larger miners. Coming to consensus by following the longest chain is often referred to as Nakamoto consensus.

Because rewards on each chain can only be used on that particular chain any rewards on the abandoned chain will be effectively worthless. Therefore the miners are heavily incentivized to work on the longest chain and so the shorter chain will get abandoned quickly.

In the example Honest Harry should wait until he knows which chain is longer and then decide from there.

Reversing transactions

If Sneaky Steve can’t trick Honest Harry by showing him a fake transaction he can try to reverse his payment after receiving goods from Honest Harry.In the credit card world this type of fraud is called chargeback fraud or friendly fraud.

It works like this:

  1. Make a transaction to Honest Harry which is confirmed on the blockchain.
  2. Create a longer hidden chain where Sneaky Steve instead keeps the money.
  3. After receiving the goods Sneaky Steve publishes the second chain.

    Because people automatically follow the longer chain this effectively reverses the transaction to Honest Harry and Sneaky Steve has successfully commited fraud.

Sneaky Steve pays Honest Harry and they wait until the transaction has two confirmations.
Satisfied, Honest Harry gives Sneaky Steve a new pair of beautiful jeans.
Sneaky Steve walks away with his jeans, all while secretly working on his own chain.
After Sneaky Steve has walked away he releases his hidden chain of length four, which doesn’t contain his payment to Honest Harry. Since the new chain is longer the old chain will get discarded and the payment to Honest Harry will also disappear. It will seem like the payment never happened.

This is a different type of double spend and it’s the primary attack vector the white paper is concerned about. It’s called a 51% attack, for reasons we’ll soon explain.

Transaction security

The deeper a transaction is in the blockchain—the more confirmations it has—the harder a transaction is to reverse.

Confirmations for different blocks.
Each block added to the blockchain makes every earlier block—and transaction—more secure.

Bitcoin’s security isn’t absolute but probabilistic. One way to think about it is to find one block you need to get lucky. To find more blocks you need to get lucky several times, which you have to do if you want to reverse a transaction with more confirmations.

Bitcoin’s white paper goes into more details and recommends 6 confirmations—roughly one hour—to be sure you don’t get defrauded. Today for most normal payments a single confirmation is enough.You can actually even accept transactions without any confirmation, called 0-conf. They are much less secure than a confirmed transaction but since most miners respect the first seen rule it’s fairly safe for small purchases.There are investigations on how to make 0-conf more secure. One of the more interesting proposals is 0-conf forfeits where you provide a larger sum as hostage and if you try to double spend you lose them.

A crucial mistake people make is to think more miners, or more energy used, means more transactions can be handled. This is not true. Miners only care about securing the chain and to prevent your transactions from being reversed.

In fact we could spend 100x more energy on mining and process the same amount of transactions or we could spend 1% of the energy and process more transactions. Transaction throughput is a separate problem.There is some correlation here. Because each transaction contains a fee the miner can claim, more transactions means the reward is bigger which supports more miners. But the reverse is not true, more energy does not mean higher transaction throughput.

The 50% security assumption

The whole system relies on a majority of miners being honest—it’s the core security assumption behind proof-of-work.

Honest miners work for profit so they absolutely don’t want to risk their block being rejected by the other miners and lose their reward. Therefore the rational thing to do is to work on the longest chain.

This means for Sneaky Steve to successfully reverse a transaction he needs to control more than half of all mining power—otherwise his hidden chain can never become the longest. It’s called a 51% attack because you need to control at least 51% of all mining power to pull it off consistently.Bitcoin Gold was successfully 51% attacked and exchanges were double spent. The attacker managed to reverse transactions 22 blocks deep.This is the danger for smaller cryptocurrencies who don’t have much mining power securing the chain. 51% attacking Bitcoin would be much harder.

This touches on the immutability of the blockchain. As long as more than 50% of miners don’t want to change the chain it will always be longest and correct. But if they do then they can reverse transactions.

Economics of a 51% attack

How secure is Bitcoin, really? What do we need to pull off a 51% attack?

Here’s some quick napkin math to estimate the cost to achieve 51% of mining power:

Total Bitcoin hash rate 44,078,986 TH/s
Antminer S9i hash rate 14 TH/s (+-5%)
Antminer S9i cost $400
Number of S9i to cover the whole network 3,148,499
Total network miner cost $1,259,399,600

So about $650 million for just the miners themselves (assuming you could purchase that many). On top of that we need power supply, cooling, storage and maintenance for more than a million miners. We’re looking at a massive warehouse, or several. Suffice to say it’s a very large investment, but maybe not impossible to get.

If we manage to get enough miners it should allow us to double-spend and defraud exchanges and merchants. It almost sounds like we can get free money, but it’s not that simple.

A 51% can be detected and there can be severe negative consequences:

Bitcoin miners are rewarded in bitcoin and they also can’t be spent until after 100 blocks—roughly 16 hours. Executing a 51% attack that crashes the price would directly affect the rewards. If the community goes for the nuclear option and change POW then the massive initial investment into mining equipment might be lost.

These risks needs to weighed against what profits a 51% attack could generate. Maybe exchanges could get defrauded for $50 million? A 51% miner would make that back in about two weeks—risk free.The case is a little different for cryptocurrencies that share POW algorithm with others. The miners could attack the minority chain and jump back to the majority chain after executing the attack.

The economic incentives are so strong that it might be rational even for a 51% for-profit miner to be honest. In fact Bitcoin has had pools with 51% before without incidents.

The biggest security risk for Bitcoin might instead be actors of state levels who wants to destroy it no matter the costs. For example if the United States would spend billions on a “War on Bitcoin”.

An economic innovation

While cryptocurrencies combine several different technologies in an interesting way the real innovation is how they’re secured by economic incentives—the most profitable way for miners is to follow the network rules.

As noted earlier the current block reward for Bitcoin is 12.5 BTC—about $50,000. Losing out on just one block reward is a big loss in the cutthroat mining business, so miners are heavily incentivized to always work on the longest chain.

For example in a fork with two competing chains the most profitable move is to jump to the longest chain as quickly as possible. This ensures a double-spend gets resolved quickly.

It also doesn’t make sense for a minority miner to try to double-spend, it will only cause them to lose money in the long run. Therefore only a miner with 51% can compromise the network security, and even then it might be more profitable to play by the rules.

Network upgrades and new cryptocurrencies

There is another situation where forks can arise: when consensus rules are changed. Here are some examples of consensus changes:

Some cryptocurrencies, for example Monero and Bitcoin Cash, have regular network upgrades where consensus rules are changed.I have deliberatly simplified my usage of fork terminology. On a technical level it’s useful to distinguish between two types of forks: hard-forks and soft-forks.A hard-fork is a backwards incompatible change and all nodes must upgrade to avoid ending up on the old chain. Bitcoin Cash forked off from Bitcoin using a hard-fork for example.A soft-fork instead doesn’t break older node implementations. They will simply ignore the new soft-fork rules—they will not fully validate the chain anymore but they will follow it. The rules are instead enforced by the miners who must upgrade. SegWit in Bitcoin was for example implemented using a soft-fork.

Because a network upgrade is a fork there will be two chains (as long as someone mines them). Sometimes the minority chain lives on as a new cryptocurrency, Ethereum Classic is for example the continuation of the old chain after an Ethereum fork.

Other times the fork is initiated by people who want to create a new cryptocurrency from another one, but the mechanism is exactly the same. This means you can fork Bitcoin at any point if you want, the tricky part is getting other people to join you.

You may then wonder—what decides which is the correct one? There is no clear answer, social consensus decide which of the chains is called “Original Coin” and which is called “New Coin”.

Alternative consensus models

There are alternatives to proof-of-work but none have so far been proven to work well. The most popular is proof-of-stake where instead of miners expending energy you have coin holders who vote.

One problem is the nothing at stake problem where a coin holder can vote on all forks where a proof-of-work miner can only vote on one of the forks.

It causes a situation where everyone are incentivized to vote on all forks. An attacker can abuse it to reverse a transaction by only mining on their fork, which is initially a block behind, to overtake the main chain and reverse their transaction. This only requires a small percentage of total voting power in contrast to proof-of-work where you need 50%.

More details

The chapter became very long despite skipping out on details here and there. If you want to go deeper I encourage you to do more research on your own.

Bitcoin’s white paper is always a good place to begin and there are many good resources online. I’ve tried to include key concepts which you can use as starting points in your search.

Summary

  1. The blockchain is like a ledger which stores balances
  2. The crucial problem is deciding between double spends (using a coin twice)
  3. Proof-of-work makes miners expend energy and compete for rewards
  4. Miners are used to resolve double spends
  5. The security assumption is that most miners work for profit