The Bitcoin Backbone Protocol: Analysis and Applications

  • Juan Garay
  • Aggelos KiayiasEmail author
  • Nikos Leonardos
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9057)


Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the “hashing power” of the adversary relative to network synchronicity; we show our results to be tight under high synchronization.

Next, we propose and analyze applications that can be built “on top” of the backbone protocol, specifically focusing on Byzantine agreement (BA) and on the notion of a public transaction ledger. Regarding BA, we observe that Nakamoto’s suggestion falls short of solving it, and present a simple alternative which works assuming that the adversary’s hashing power is bounded by \(1/3\). The public transaction ledger captures the essence of Bitcoin’s operation as a cryptocurrency, in the sense that it guarantees the liveness and persistence of committed transactions. Based on this notion we describe and analyze the Bitcoin system as well as a more elaborate BA protocol, proving them secure assuming high network synchronicity and that the adversary’s hashing power is strictly less than \(1/2\), while the adversarial bound needed for security decreases as the network desynchronizes.


Hash Function Random Oracle Input Tape Overwhelming Probability Cryptographic Hash Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, Ł.: Secure multiparty computations on bitcoin. IEEE Security and Privacy (2014)Google Scholar
  2. 2.
    Aspnes, J., Jackson, C., Krishnamurthy, A.: Exposing computationally-challenged Byzantine impostors. Technical Report YALEU/DCS/TR-1332, Yale University Department of Computer Science (July 2005)Google Scholar
  3. 3.
    Babaioff, M., Dobzinski, S., Oren, S., Zohar, A.: On bitcoin and red balloons. In: Faltings, B., Leyton-Brown, K., Ipeirotis, P. (eds.) EC, pp. 56–73. ACM (2012)Google Scholar
  4. 4.
    Back, A.: Hashcash (1997).
  5. 5.
    Barak, B., Canetti, R., Lindell, Y., Pass, R., Rabin, T.: Secure computation without authentication. J. Cryptology 24(4), 720–760 (2011)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: CCS 1993, Proceedings of the 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, USA, November 3–5, pp. 62–73 (1993)Google Scholar
  7. 7.
    Ben-Or, M.: Another advantage of free choice: Completely asynchronous agreement protocols (extended abstract). In: Probert, R.L., Lynch, N.A., Santoro, N. (eds.) PODC, pp. 27–30. ACM (1983)Google Scholar
  8. 8.
    Ben-Sasson, E., Chiesa, A., Garman, C., Green, M., Miers, I., Tromer, E., Virza, M.: Zerocash: Decentralized anonymous payments from bitcoin. IACR Cryptology ePrint Archive 2014, 349 (2014)Google Scholar
  9. 9.
    Bentov, I., Kumaresan, R.: How to Use Bitcoin to Design Fair Protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  10. 10.
    Bentov, I., Kumaresan, R.: How to use bitcoin to incentivize correct computations. ACM CCS 2014, (2014)Google Scholar
  11. 11.
    Berman, P., Garay, J.A.: Randomized distributed agreement revisited. In: Digest of Papers: FTCS-23, The Twenty-Third Annual International Symposium on Fault-Tolerant Computing, Toulouse, France, June 22–24, pp. 412–419. IEEE Computer Society (1993)Google Scholar
  12. 12.
    Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptology 13(1), 143–202 (2000)CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    Chaum, D.: Blind signatures for untraceable payments, pp. 199–203 (1982)Google Scholar
  14. 14.
    Cunicula. Why doesn’t bitcoin use a tiebreaking rule when comparing chains of equal length? (2013)
  15. 15.
    Decker, C., Wattenhofer, R.: Information propagation in the bitcoin network. In: P2P, pp. 1–10. IEEE (2013)Google Scholar
  16. 16.
    Dwork, C., Naor, M.: Pricing via Processing or Combatting Junk Mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993) CrossRefGoogle Scholar
  17. 17.
    Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Financial Cryptography (2014)Google Scholar
  18. 18.
    Feldman, P., Micali, S.: An optimal probabilistic protocol for synchronous byzantine agreement. SIAM J. Comput. 26(4), 873–933 (1997)CrossRefzbMATHMathSciNetGoogle Scholar
  19. 19.
    Fischer, M.J., Lynch, N.A., Paterson, M.: Impossibility of distributed consensus with one faulty process. J. ACM 32(2), 374–382 (1985)CrossRefzbMATHMathSciNetGoogle Scholar
  20. 20.
    Fitzi, M., Garay, J.A.: Efficient player-optimal protocols for strong and differential consensus. In: Borowsky, E., Rajsbaum, S. (eds.) PODC, pp. 211–220. ACM (2003)Google Scholar
  21. 21.
    Garay, J.A., Katz, J., Kumaresan, R., Zhou, H.: Adaptively secure broadcast, revisited. In: Gavoille, C., Fraigniaud, P., (eds.) Proceedings of the 30th Annual ACM Symposium on Principles of Distributed Computing, PODC 2011, San Jose, CA, USA, June 6–8, pp. 179–186. ACM (2011)Google Scholar
  22. 22.
    Garay, J.A., Kiayias, A., Leonardos, N.: The Bitcoin Backbone Protocol: Analysis and Applications. IACR Cryptology ePrint Archive 2014, 765 (2014)Google Scholar
  23. 23.
    Hirt, M., Zikas, V.: Adaptively Secure Broadcast. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 466–485. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  24. 24.
    Juels, A., Brainard, J.G.: Client puzzles: A cryptographic countermeasure against connection depletion attacks. In: NDSS. The Internet Society (1999)Google Scholar
  25. 25.
    Katz, J., Koo, C.-Y.: On expected constant-round protocols for byzantine agreement. Journal of Computer and System Sciences 75(2), 91–112 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  26. 26.
    King, S.: Primecoin: Cryptocurrency with prime number proof-of-work (July 2013).
  27. 27.
    Lamport, L., Shostak, R.E., Pease, M.C.: The byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982)CrossRefzbMATHGoogle Scholar
  28. 28.
    Miller, A., LaViola, J.J.: Anonymous byzantine consensus from moderately-hard puzzles: A model for bitcoin. University of Central Florida. Tech Report, CS-TR-14-01 (April 2014)Google Scholar
  29. 29.
    Nakamoto, S.: Bitcoin: A peer-to-peer electronic cash system. (2008)
  30. 30.
    Nakamoto, S.: The proof-of-work chain is a solution to the byzantine generals’ problem. The Cryptography Mailing List (November 2008).
  31. 31.
    Nakamoto, S.: Bitcoin open source implementation of p2p currency (February 2009).
  32. 32.
    Neiger, G.: Distributed consensus revisited. Inf. Process. Lett. 49(4), 195–201 (1994)CrossRefzbMATHGoogle Scholar
  33. 33.
    Okun, M.: Agreement Among Unacquainted Byzantine Generals. In: Fraigniaud, P. (ed.) DISC 2005. LNCS, vol. 3724, pp. 499–500. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  34. 34.
    Okun, M.: Distributed computing among unacquainted processors in the presence of byzantine distributed computing among unacquainted processors in the presence of byzantine failures. Ph.D. Thesis Hebrew University of Jerusalem (2005)Google Scholar
  35. 35.
    Okun, M., Barak, A.: Efficient algorithms for anonymous byzantine agreement. Theor. Comp. Sys. 42(2), 222–238 (2008)CrossRefzbMATHMathSciNetGoogle Scholar
  36. 36.
    Pease, M.C., Shostak, R.E., Lamport, L.: Reaching agreement in the presence of faults. J. ACM 27(2), 228–234 (1980)CrossRefzbMATHMathSciNetGoogle Scholar
  37. 37.
    Rabin, M.O.: Randomized byzantine generals. In: FOCS, pp. 403–409. IEEE Computer Society (1983)Google Scholar
  38. 38.
    Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Cambridge, MA, USA (1996)Google Scholar
  39. 39.
    Sompolinsky, Y., Zohar, A.: Accelerating bitcoin’s transaction processing. fast money grows on trees, not chains. IACR Cryptology ePrint Archive, 2013:881 (2013)Google Scholar

Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  1. 1.Yahoo LabsSunnyvaleUSA
  2. 2.Department of Informatics and TelecommunicationsUniversity of AthensAthensGreece
  3. 3.LIAFAUniversité Paris Diderot–Paris 7ParisFrance

Personalised recommendations