Bitcoin: a cryptocurrency
Bitcoin as an online payment solution
The problem with secure online payments
The issue with securing online payments with credit or debt cards is that revealing the 16 digit card number, expiry dates and 3 digit CVV number allows an attacker to masquerade as the original card owner. Solutions such as online payment service providers (PayPal) attempt to overcome this vulnerability by requiring a username and password to authenticate the user. However, passwords tend to have low entropy (i.e. they can be cracked by brute force) and are often re-used across multiple websites. A single leaked password database can result in an attacker masquerading as the user on websites that re-use these credentials. Notably, a website www.haveibeenpwned.com has been set up to let users check if their usernames or passwords are publicly accessible in the wild.
Ultimately, the fundamental issue with most online payments today is that the user does not have real autonomy over their money. There is an assumption that users need to trust their bank to both store their money, and authenticate them correctly before authorising payments from their bank accounts. In fact, if a fraudulent payment does occur, then the onus can be on the customer to prove it wasn’t their doing. Perhaps controversially, the bank’s solvency itself is a risk that can result in the loss of customer’s savings before online payments can begin. For example, customers with more than €100k savings in the Bank of Cyprus or Laiki Bank were forced to suffer haircuts (i.e. a loss of equity) up to 47.5% to prop up the increasingly insolvent banks.
The poor security conditions for online payments and the lack of an equivalent for cash on the internet has spurred digital cash research for over thirty years. Unfortunately, none of the proposed schemes were adopted for several reasons, including their reliance on banks to issue digital coins, and the limited attractiveness for digital coins. Portable computing devices had not yet reached the mass market and there was little demand for financial privacy for online payments.
The birth of bitcoin
Remarkably, the ingenuity of Satoshi Nakamoto led to the birth of Bitcoin in 2008 which has become the most successful digital cash (‘cryptocurrency’) system with a current market capitalisation of $15bn. The motivation for Bitcoin came from Nakamoto’s lack of confidence in the stability of the current banking system as he stored this message in Bitcoin’s genesis block:
“The Times 03/Jan/2009 Chancellor on brink of second bailout for banks”
His insight was that a public ledger that records all financial transactions did not need to be maintained by the banks. Instead, leaders could be probabilistically selected from a peer-to-peer network using a computational competition. The first to find a solution to the computational puzzle effectively wins the right to authorise a block of recent transactions and append it to the previous block of authorised transactions. This append-only feature has resulted in the name Blockchain for Bitcoin’s public ledger as there is a sequential list of blocks that each contain a list of authorised transactions. Most importantly, the fact that the leader is based on winning a computational competition allows anyone willing to invest in hardware to participate and maintain the Blockchain.
Furthermore, the success of Bitcoin relies on the fact that users do not need to register with a bank or payment service provider to begin exchanging bitcoins. Users independently compute their credentials (‘Bitcoin Address’) using their personal devices. This Bitcoin address can be shared with others to receive bitcoins, and bitcoins can be spent using the Bitcoin address’ corresponding private key. The security of a Bitcoin address relies on public key cryptography and mathematics as opposed to human memory. This allows users to have full autonomy over their money without relying on external parties to safe-guard their money. Most importantly, it is the role of software (‘Bitcoin wallets’) to manage these credentials on the user’s behalf.
Of course, there are several problems with using Bitcoin as an option for online payment:
Pseudonymity. Despite claims of anonymity linking use of Bitcoin to the dark-web, Bitcoin is not in fact anonymous and there is a significant lack of financial privacy. Research has demonstrated that Bitcoin offers pseudonymity, as it is possible to link two or more Bitcoin addresses to the same user based on transactions stored in the Blockchain. In fact, some companies such as ChainAnalysis actively attempt to de-anonymise users using transactions in the Blockchain to help companies comply with anti-money laundering regulation. This has led to the recommended practice of using a new Bitcoin address for each transaction to reduce the privacy leak.
Limited Throughput. Bitcoin can only support 3.3-7 transactions per second due to an artificial cap established by Satoshi Nakamoto to prevent spam attacks that might hamper its growth. Removing this artificial cap is currently a contentious issue in the community as it requires agreement from nearly all economically active users of the network. To overcome this issue, members of the community are proposing alternative protocols such as the Lightning Network that bootstraps Bitcoin as an adjudicator to resolve disputes and provides a method to allow two users to privately exchange thousands of transactions amongst them. If either user disagrees with the final balance of their transactions, then they can settle the dispute in the Blockchain.
Loss of bitcoins. As mentioned earlier, the wallet software is responsible for managing the user’s credentials for the network and it is critical that this wallet is securely backed up on paper or on secure hardware tokens such as Trezor. If the user’s personal device crashes and their wallet is not backed up, then access to these bitcoins are lost forever (known as ‘zombiecoins’). After all, there is no central authority that is entrusted to keep the bitcoins safe or responsible for authenticating the user to restore access.
Online wallets. The possible loss of bitcoins and the responsibility of maintaining its security has resulted in people using online wallets that host their credentials on trusted wallet websites. This emulates the role of banks as access to the user’s bitcoins is governed using passwords and two-factor authentication. Unfortunately, there is a history in Bitcoin of heists stealing significant quantities of bitcoins or online wallet providers simply disappearing with customer funds. The classic example is MtGox which at one point accounted for more than 70% of transactions on the network. It declared insolvency in February 2014 and claimed that a bug in Bitcoin was responsible for the theft of 850k bitcoins. Research was able to provide publicly verifiable evidence that the MtGox loss was not due to any bug in Bitcoin, and it remains unknown today why these bitcoins disappeared.
Blockchain applied to Digital Voting
Our research team at Newcastle University has applied Blockchain technology to address aspects of voting: ensuring privacy while being able to confirm votes, protecting voters under duress and resolving disputes after elections. The team of three PhD students, Maryam Mehrnezhad, Ehsan Toreini and Patrick Mccorry, came 3rd in Kaspersky Lab’s Cyber Security Case Study competition with their submission. A video about the case study can be viewed here.
© Newcastle University