Bitcoin Protocol Specification

This is a specification of the Bitcoin protocol (Copy and Pasted from the EXIM paper) This specification serves as an excellent starting point. We will highlight the difference in TNG protocol based on this document

1. Those who deal with M must participate in a peer-to-peer network, say NM.

2. Participants of NM split in two groups: users and miners (miners must be users as well).
Users profit from the NM’s existence because it provides them with the functionalities
that they need. Users interact with the network though software clients, which may be
but need not be open source programs.

3. Besides users there are (perhaps many more) indirect users, who make use of an intermediary
agent, who is a (mining or non-mining) participant, and who acts on behalf
of a collection of indirect users as an operator on NM. Indirect users may be served
by different intermediate agents. These intermediate agents are delivering participation
services to indirect users.

4. Miners are participants who work for the system, mainly to ensure distributed database
integrity.

5. Miners are rewarded by quantities of the unit uM of M. These rewards may either
embody new money of may be taken from users as fees for validating their (outgoing)
transactions. Rewards are made available to the account from which a miner operates.

6. All circulating quantities at any time have their origin as mining rewards at some stage.

7. There is no penalty system in the Nakamoto architecture, but that is a feature that can
be easily added.12

8. Miners work in regular competitions to produce a transaction chain. Miners may group
transactions together in blocks but that is merely a matter of implementation.

9. User can have access to so-called accounts, which are natural numbers below given
maximum kM a parameter of M. Access is obtained at the same time with an account
by creating (a user action) a public/secret key pair, say (a, b) with a fixed cryptographic
technique that is suitable for digital signatures. Then a is an address, which the creating
user may publish to some other users or indirect users and b is the secret key through
which the user has access to account a.

10. Accounts give access to non-negative rational quantities of the unit of M. In practice
such quantities may be multiples of a predetermined smallest fraction of the unit, but
when needed the network can be adapted so as to permit further division of its unit.
Logically speaking at any instant of time a function q is maintained in public that assigns
to each address a that has been generated an amount q(a) accessible via that address
for any agent who has access to the corresponding secret key.

11. A pair (a, q(a)) that represents the result of the chain of validated transactions concerning
an address a at some moment is considered an informational coin in existence at
that moment. Informational coins have an age, found by determining the time elapsed
since the last transaction involving its address.13

12. Users have a single action at their disposal, effecting an outgoing transaction: to transfer
a quantity q uM from account a to another account c.14

13. A transfer effected by user U works as follows:
(a) U creates a random nonce (bit string of a fixed length; the length being determined
by a parameter nM of NM) r which is supposed to be unique for the transaction
during the entire life-cycle of NM,
(b) U chooses a fee f as a reward for the forthcoming validator of the transaction,
(there may be prescribed fees, suggested fees, or minimum fees, validation may be
refused when a fee is considered too low),
(c) U checks that the informational coin (a, q(a)) satisfies q(a)  q +f, (otherwise the
transfer cannot be validated),
(d) U posts on the internet (intending to reach all of NM) the message signb(r, a, q, c, f)
in such a way that all participants can take notice of that posting.
(e) By inspecting the growth of the transaction chain (see below), U can confirm that
the transaction has been validated; an informal rule of thumb determines how
many successive validations of other transactions (effected by arbitrary users) must
be observed by U for U to be sure (sufficiently sure for practical purposes) that the
transfer has been successful.
(f) In theory (though with a probability decreasing exponentially in the number of
later transactions that were subsequently confirmed) at any moment U may find
out that a transaction that has been successfully validated loses that status.
14. Transactions can be more involved than indicated in 12 and 13 above by featuring several
input accounts and output accounts at the same time. Transactions always include a
nonnegative fee expressed in units or a fraction thereof which is meant to be used as a
reward for the miner, or miners if they operate in a pool, who succeeded in validating
the transaction. Price competition among miners introduces a permanent downward
pressure on fees.

15. DISCLAIMER 1. The description of transactions in 12, 13, and 14 above is an over–
specification and a simplification at the same time. What we intend to express is that
“some notion of transaction is used that makes the design/architecture work”, but that
provides not enough information. What is specified here is not meant as a specification
that must be met in each NM but as a simple example of how transactions might look
like, but permissive of minor modifications of the design.15

16. Besides (ordinary) transactions there are mining steps, which are a special kind of transactions.
Again simplifying, abstracting, and modifying the actual working of Bitcoin, a
picture of mining steps is as follows.16
(a) A mining step is a tuple (d, n,m, g, h, P, s) where:
• d is the account from which the miner is working,
• n is the number of previous ordinary transactions that the step covers,
• m is the external difficulty of the problem P. The value of m is supplied by the
mining algorithm, primarily depending on the transaction chain, and possibly
depending on a variety of other parameters, in such a way that the validity of
m can be checked at any time by all users.
• g is the (total) fee collected in the mining step, that is the sum of the fees given
by the preceding n (ordinary) transactions,
• h is the size of the coin that is newly created in the mining step; a fixed
algorithm determines how h decreases with increasing n,
• P is a mathematical problem, which depends on the preceding transaction
chain, and grows exponentially in n and polynomially in m; it is assumed that
all users and miners can uniquely and efficiently generate P from these data,17
• s is a bit string which constitutes a solution of the problem P; again it is
assumed that all agents (in particular all users) can efficiently check whether
or not s solves problem P,
• as a transaction the effect of the mining step is that the informational coin at
address d has its value incremented by g+h, (the miner earns the fees plus the
newly created amount).
(b) A transaction chain consists of a sequence of transactions and mining steps, where
the following conditions (which can be efficiently checked by all participants) are
met:
i. The first element of the chain creates an initial coin at the disposal of the first
miner,
ii. All digital signatures are valid; this can be checked by all participants without
knowledge of any secret key information,
iii. the n of each mining step equals the number of ordinary transactions the precede
it in the sequence,
iv. g equals the sum of all fees contained in the last n ordinary transactions, in
the transaction chain,
v. all transactions and mining steps from the beginning fit together in such a way
that transactions only extract coins from pre-existing coins that are sufficiently
large,

17. Transactions and mining steps are grouped together in so-called blocks. A block has a
length n  0, and it consists of n transactions followed by
(a) a sequence number k,
(b) if k > 0 a message digest h of another block (the message digest function used for
this purpose is a parameter of the architecture; the hashed block is supposed to be
the preceding block in the so-called blockchain which is mentioned below),
(c) a sequence of n transactions, t1, ..., tn,
(d) a mining step (d, n,m, g, h, P, s),
(e) and the combination of these items signed by the secret key of the miner. With
d the account used by the miner, let (d, e) be the public/secret key pair that the
miner has access to

Summarizing a block has the following form. signe(k, h, (t1, ..., tn), (d, n,m, g, h, P, s)).
The task of miners is to produce blocks and to send these around to all participants.
The workload of that task is dominated by the effort required to solve the problem P in
order to create a mining step as the final component of a (yet unsigned) block.

18. The history of the system up to some moment consists of a consecutive sequence of blocks,
where all transfers fit. This is called the blockchain. All active participants maintain a
current version of the blockchain. This requires both extension of the blockchain by new
blocks that have come available, and replacement of a tail of the blockchain if a block
has been generated.

19. Assuming that some part of the transaction chain has been created, and is known to all
participants, by being stored in their local database, then the mechanism of transaction
chain extension works as follows.
New transactions (yet unconfirmed by any miner) are being created by users and sent
around. Participants store such candidate transactions in a local database in the socalled
transaction pool. In addition miners will group suitable subsets of candidate
transactions (that have not yet been included in the current blockchain) together into a
sequence for which they can produce a mining step that completes it.
Once that is done, say by miner X, the block sequence number and the digest of the
existing blockchain are integrated into these data and signed with the secret key that X
is using. Then X sends around the new block just finished to all participants.
Upon receiving the new block they will all check that it satisfies the mentioned requirements
and if so, the participants subsequently extend their instance of the blockchain
accordingly, by appending the block just received, summing that its sequence number is
the successor of the last sequence number of a block in their current block chain.


20. Now suppose that somewhat later miner Y sends around a longer ordinary transaction
sequence ending in a mining step (that is a longer block), then all participants will drop
the last part of the chain, (that is the block that X had produced and sent around), and
will make use of this later entry instead by appending Y ’s block. A block that survives
this competition is called winning. A voting mechanism among users for determining
the winning block at any instant of time is a parameter of the architecture.

21. Miner Y of item 20 above may be seen as an attacker who attacks the block that had been
produced by X. A miner, say Z, may succeed in selecting a sequence of transactions
that is so long that it attacks two or more blocks. An attempt to do this occurs if
the sequence number claimed for the block is lower than the number of the last winning
block that all participants have in store up to the moment of the attack on the blockchain
consensus mounted by Z. Such an attack is successful if the new block chain is correct,
and if the total difficulty (determined using a method to combine the problem difficulty
of consecutive blocks which is a parameter of the architecture) of the single problem that
the miner had to solve exceeds the sum of the difficulties of the blocks that are being
replaced, to a degree which is a parameter of the architecture.18

22. DISCLAIMER 2. Corresponding to the disclaimer mentioned in item 15 above, it must
be stated that the above presentation of the mechanism of mining and the syntax of
blocks and blockchains constitutes an abstraction and an over–specification at the same
time. Variations on this theme are meant to be captured under the umbrella of the
Nakamoto architecture.

23. Miners are constantly trying to group collections of new and not so new transactions
together in order to append mining steps in the hope of creating a winning block that
secures them control over combined fees plus the newly coined reward for successful
mining.

24. Supposing that user V is in control of account c, then V can check by means of U’s
public key b that the transfer signb(r, a, q, c, f) is authentic. Nevertheless V must wait
until at least one miner has completed so much of the validated transaction history of
the system, including a log of the mentioned transaction, that V may safely believe that
the transaction took place and will not be reversed.
This calls for a somewhat arbitrary threshold kc (c for confirmation) where V awaits
validation of kc subsequent transactions before it performs any activity conditional upon
having received q as a payment beforehand.

25. In spite of the soft guarantees implied by item 24 transactions that seem to have been
performed are reversed if some miner succeeds in recomputing the history into a new
blockchain that is more convincing to the majority of users. It will prove progressively
harder for a miner to succeed with this effort if a longer part of the blockchain must be
rewritten.

26. A miner who is in control of over 50% of the computing power of all miners combined
has a chance of succeeding in rewriting the entire block chain.

27. If no clear majority can be found when voting for blockchain extensions and two or
more transaction histories are maintained simultaneously by different groups of users a
so-called fork has arisen and some mechanism must be in place to detect this problem
and to terminate that state of affairs. A fork is a fundamental problem, if it cannot be
resolved it will disable the system forever.

28. Forks arise from so-called double-spending attacks which take place when a user transfers
fractions of the same informational coin to different accounts simultaneously or almost
simultaneously. The idea of double-spending is to receive a service in return from the
agent in control of at least one of these accounts before they find out that the transaction
won’t be validated after all.
The rationale for the mining mechanism stems exclusively from the need to prevent
successful double-spending attacks and to have the prevention of those attacks effected
by participants of the peer-to-peer network without the introduction of a single point of
failure.

29. Because miners will be rewarded with an informational coin, and because validation
itself is a trivial task, the need arises for miners to be in a significant competition for
that money in such a way that successful completion of the competition can be checked
by every user. The work to be performed for the competition is called the mining contest
assignment.

30. The interaction between participants is constrained by a protocol, which essentially
consists of the following elements:
• Data formats for signed transaction (sent around) and unsigned transactions (appearing
as entries in the transaction chain),
• A common standard for digital signatures, a type of problem that (a) miners can
both generate and competitively solve, and (b) for which users can check the correctness
of the problem solution.19
• A data format for solutions to the competition that miners perform.
• A voting criterion to be used by all users indicating which miner has been victorious.
• A yield expression that determines how much reward for the winner of a mining
competition is generated.

31. The earnings of miners in terms of new money diminish in time in such a way that
an asymptotic growth of the total quantity of units circulating in M is built in in the
system. The limit value thus obtained serves as a maximum CM, or better upper bound.
CN is a key system parameter and its value is encoded in the yield expression in the
protocol.
This maximum is reached along a predictable curve and within a predictable expected
time, say TM. Both the shape of that curve and the last moment of new unit creation
is determined by the yield expression.