A Survey on Security and Privacy Issues of BitcoinMauro Conti Senior Member IEEE Sandeep Kumar E Member IEEE Chhagan Lal Member IEEE

Sushmita Ruj Senior Member IEEE

AbstractmdashBitcoin is a popular cryptocurrency that records alltransactions in a distributed append-only public ledger calledblockchain The security of Bitcoin heavily relies on the incentive-compatible proof-of-work (PoW) based distributed consensusprotocol which is run by network nodes called miners Inexchange for the incentive the miners are expected to honestlymaintain the blockchain Since its launch in 2009 Bitcoin econ-omy has grown at an enormous rate and it is now worth about170 billions of dollars This exponential growth in the marketvalue of Bitcoin motivates adversaries to exploit weaknesses forprofit and researchers to discover new vulnerabilities in thesystem propose countermeasures and predict upcoming trends

In this paper we present a systematic survey that covers thesecurity and privacy aspects of Bitcoin We start by presenting anoverview of the Bitcoin protocol and its major components alongwith their functionality and interactions within the system Wereview the existing vulnerabilities in Bitcoin and its underlyingmajor technologies such as blockchain and PoW based consensusprotocol These vulnerabilities lead to the execution of varioussecurity threats to the normal functionality of Bitcoin Wethen discuss the feasibility and robustness of the state-of-the-art security solutions Additionally we present current privacyand anonymity considerations in Bitcoin and discuss the privacy-related threats to Bitcoin users along with the analysis of theexisting privacy-preserving solutions Finally we summarize thecritical open challenges and suggest directions for future researchtowards provisioning stringent security and privacy techniquesfor Bitcoin

Index TermsmdashBitcoins cryptocurrency security threats userprivacy

I INTRODUCTION

B ITCOIN uses peer-to-peer (P2P) technology and it op-erates without any trusted third party authority that may

appear as a bank a Chartered Accountant (CA) a notary orany other centralized service [1] In particular an owner hasfull control over its bitcoins and she could spend them anytimeand anywhere without involving any centralized authorityBitcoin design is open-source and nobody owns or controls it

Prof Mauro Conti is with Department of Mathematics University ofPadua Padua Italy e-mailcontimathunipdit The work of M Conti wassupported by a Marie Curie Fellowship funded by the European Commissionunder the agreement PCIG11-GA-2012-321980 This work is also partiallysupported by the EU TagItSmart Project H2020-ICT30-2015-688061 theEU-India REACH Project ICI+2014342-896 the TENACE PRIN Project20103P34XC funded by the Italian MIUR and by the projects TacklingMobile Malware with Innovative Machine Learning Techniques Physical-Layer Security for Wireless Communication and Content Centric NetworkingSecurity and Privacy Issues funded by the University of Padua

Mr Sandeep Kumar E is with Department of TelecommunicationEngineering Ramaiah Institute of Technology Bengaluru India e-mailsandeepe31gmailcom

Dr Chhagan Lal is with Department of Mathematics University of PaduaPadua Italy e-mailchhaganmathunipdit

Prof Sushmita Ruj is with Cryptology and Security Research UnitComputer and Communication Sciences Division Indian Statistical InstituteIndia e-mailsushisicalacin

Moreover it is a cryptographically secure electronic paymentsystem and it enables transactions involving virtual currencyin the form of digital tokens called Bitcoin coins (BTC orsimply bitcoins)

Since its deployment in 2009 Bitcoin has attracted a lotsof attention from both academia and industry With a marketcapitalization of 170 billion and more than 375000 aggregatenumber of confirmed transactions per day (December 2017)Bitcoin is the most successful cryptocurrency to date Giventhe amount of money at stake Bitcoin is an obvious targetfor adversaries Indeed numerous attacks have been describedtargeting different aspects of the system including doublespending [2] netsplit [3] transaction malleability [4] net-working attacks [5] or attacks targeting mining [6] [7] [8] andmining pools [9] In [10] authors claim that ldquoBitcoin works inpractice and not in theoryrdquo due to the lack of security researchto find out theoretical foundation for Bitcoin protocols Untiltoday the incomplete existence of a robust theoretical baseforces the security research community for dismissing theuse of bitcoins Existing security solutions for Bitcoin lacksthe required measures that could ensure an adequate levelof security for its users We believe that security solutionsshould cover all the major protocols running critical functionsin Bitcoin such as blockchain consensus key managementand networking protocols Although the online communitieshave already started to use bitcoins with the belief that Bitcoinwill soon take over the online trading business For instanceldquoWiki leaksrdquo request its users to donate using the bitcoinsThe request quote is ldquoBitcoin is a secure and anonymousdigital currency bitcoins cannot be easily tracked back to youand are safer and are the faster alternative to other donationmethodsrdquo Wiki leaks also support the use of Litecoin anothercryptocurrency for the same reason [11]

Recently Bitcoin technology is grabbing lots of attentionfrom government bodies due to its increasing use by themalicious users to undermine legal controls In [12] authorscall bitcoins ldquoEnigmatic and Controversial Digital Cryptocur-rencyrdquo due to mysterious concepts underneath the Bitcoinsystem and severe opposition from the government Accordingto [13] the current bitcoin exchange rate is approximatelyUSD 13k (as of December 2017) from around 1000 dollars atthe start of 2016 The major technologies such as blockchainand consensus protocols that makes the Bitcoin a huge successwill now also being envisioned in various next-generationapplications including smart trading in smart grids [14]Internet of Things (IoT) [15] [16] vehicular networks [17]healthcare data management [18] and smart cities [19] toname a few As the length of popularity largely depends onthe amount of security built on the system which surpasses allits other benefits we aim to investigate the associated security

arX

iv1

706

0091

6v3

[cs

CR

] 2

5 D

ec 2

017

and privacy issues in Bitcoin and its underlying techniques

A Contribution

In this paper we present a comprehensive survey specif-ically targeting the security and privacy aspects of Bitcoinand its related concepts We discuss the state-of-the-art attackvector which includes various user security and transactionanonymity threats that limits (or threatens) the applicability (orcontinuity) of bitcoins in real-world applications and servicesWe also discuss the efficiency of various security solutions thatare proposed over the years to address the existing security andprivacy challenges in Bitcoin In particular we mainly focus onthe security challenges and their countermeasures with respectto major components of Bitcoin In addition we discuss theissues of user privacy and transaction anonymity along with alarge array of research that has been done for enabling privacyand improving anonymity in Bitcoin

In the literature [20] provides a comprehensive technicalsurvey on decentralized digital currencies with mainly em-phasizing on bitcoins The authors explore the technical back-ground of Bitcoin and discuss the implications of the centraldesign decisions for various Bitcoin technologies In [10]authors discuss various cryptocurrencies in detail and providesa preliminary overview of the advantages and disadvantagesof the use of bitcoins However all the existing works lack adetailed survey about security and privacy aspects of Bitcoinand are a bit outdated given the extensive research was donein the last couple of years on security and privacy Moreoverthere are numerous papers on Bitcoin and Cryptocurrencysecurity and privacy however a concise survey is requiredfor an audience who are planning to initiate research in thisdirection This paper does not attempt to solve any newchallenge but presents an overview and discussion of theBitcoin security and privacy threats along with their availablecountermeasures In particular the main contributions of thissurvey are as followbull We present the essential background knowledge for Bit-

coin its functionalities and related concepts The goal isto enable the new readers to get the required familiaritywith the Bitcoin and its underlying technologies such astransactions blockchain and consensus protocols This isrequired in order to understand the working methodol-ogy benefits and challenges that are associated with theuse of bitcoins

bull We systematically present and discuss all the existingsecurity and privacy related threats that are associatedeither directly or indirectly (ie by exploiting one ofits underlying technology) with the use of bitcoins Atvarious levels of its overall operation we investigate thepossibilities which includes both practical and theoreticalrisks that an adversary could exploit to launch an attackon the Bitcoin

bull We discuss the efficiency and limitations of the state-of-the-art solutions that address the security threats andenables strong privacy in Bitcoin thus we provide aholistic technical perspective on these challenges in theuse of bitcoins Finally based on our survey we provide

the list of lessons learned open issues and directions forfuture work

To the best of our knowledge this is the first survey that dis-cusses and highlights the impact of existing as well as possiblefuture security and privacy threats Bitcoin and its associatedtechnologies The paper aims to assist the interested readers(i) to understand the scope and impact of security and privacychallenges in Bitcoin (ii) to estimate the possible damagecaused by these threats and (iii) to point in the directionthat will possibly lead to the detection and containment ofthe identified threats In particular the goal of our researchis to raise the awareness in the Bitcoin research communityon the pressing requirement to prevent various attacks fromdisrupting the cryptocurrency For most of the security threatsdiscussed in this paper we have no evidence that such attackshave already been performed on Bitcoin However we believethat some of the important characteristics of Bitcoin makethese attacks practical and potentially highly disruptive Thesecharacteristics include the high centralization of Bitcoin (froma mining and routing perspective) the lack of authenticationand integrity checks for network nodes and some designchoices pertaining for instance how in the Bitcoin network anode requests a block

B Organization

The rest of the paper is organized as follow In Section II wepresent a brief overview of Bitcoin which includes the descrip-tion of its major components along with their functionalitiesand interactions In Section III we discuss a number of secu-rity threats associated with the development implementationand use of bitcoins In Section IV we discuss the state-of-the-art proposals that either countermeasure a security threator enhances the existing security in Bitcoin In Section V wediscuss the anonymity and privacy threats towards the use ofbitcoins along with their existing solutions We present thesummary of the observations and future research directionsthat are learned from our survey in Section VI Finally weconclude the paper in Section VII

II OVERVIEW OF BITCOIN

Bitcoin is a decentralized electronic payment system intro-duced by Nakamoto [1] It is based on peer-to-peer (P2P)network and a probabilistic distributed consensus protocol InBitcoin electronic payments are done by generating transac-tions that transfer bitcoins among users The destination ad-dress (also called Bitcoin address) is generated by performinga series of irreversible cryptographic hashing operations onthe userrsquos public key In Bitcoin a user can have multiple ad-dresses by generating multiple public keys and these addressescould be associated with one or more of her wallets [21] Theprivate key of the user is required to spend the owned bitcoinsin the form of digitally signed transactions Using the hashof the public key as a receiving address provides the usersa certain degree of anonymity and it is recommended thepractice to use different Bitcoin address for each receivingtransaction

In Bitcoin transactions are processed to verify their in-tegrity authenticity and correctness by a group of resource-ful network nodes called ldquoMinersrdquo In particular instead ofmining a single transaction the miners bundle a number oftransactions that are waiting for the network to get processedin a single unit called ldquoblockrdquo The miner advertises a block inthe whole network as soon as it completes its processing (orvalidation) in order to claim the mining reward This blockis then verified by the majority of miners in the networkbefore it is successfully added in a distributed public ledgercalled ldquoblockchainrdquo The miner who mines a block receivesa reward when the mined block is successfully added in theblockchain We now present an overview of the major techni-cal components and operational features that are essential forthe practical realization of the Bitcoin

A Transaction and Proof-of-Work

Bitcoin use transactions to move coins from one user walletto another In particular the coins are represented in the formof transactions more specifically a chain of transactions Asdepicted in Figure 1 the key fields in a transaction includesBitcoin version hash of the transaction Locktime1 one ormore inputs and one or more outputs Every input in atransaction belongs to a particular user and it consists of thefollowing (i) hash pointer to a previous transaction whichserves as the identifier of the transaction that includes theoutput we now want to utilise as an input (ii) an indexto specific unspent previous transaction output (UTXO) thatwe want to spend in the current transaction (iii) unlockingscript length and (iv) unlocking script (also referred to asscriptSig) which satisfies the conditions associated with the useof UTXO While a transaction output consists of the numberof bitcoins that are being transferred locking script lengthand locking script (also referred to as scriptPubKey) whichimposes a condition that must be met before the UTXO canbe spent To authorize a transaction input the correspondinguser of the input provides the public key and the cryptographicsignature generated using her private key Multiple inputs areoften listed in a transaction All of the transactionrsquos inputvalues are added up and the total (excluding transaction feeif any) is completely used by the outputs of the transactionIn particular when the output of a previous transaction isused as the input in a new transaction it must be spent inits entirety Sometimes the coin value of the output is higherthan what the user wishes to pay In this case the sendergenerates a new Bitcoin address and sends the difference backto this address For instance Bob has 50 coins from one of itsprevious transactionrsquos output and he wants to transfer 5 coinsto Alice using that output as an input in a new transactionFor this purpose Bob has to create a new transaction withone input (ie output from its previous transaction) and twoor more outputs In the outputs one output will show that 5coins are transferred to Alice and other output(s) will showtransfer of the remaining coins to one (or more) wallet(s)owned by Bob With this approach the Bitcoin achieves two

1It indicates the earliest time or blockchain length when this transactionmay be spent to the blockchain

goals (i) it implements the idea of change and (ii) one caneasily identify the unspent coins or balance of a user by onlylooking the outputs from its previous transactions An outputin a transaction specifies the number of coins being transferredalong with the Bitcoin address of the new owner These inputsand outputs are managed using a Forth-like scripting languagewhich dictates the essential conditions to claim the coins Thedominant script in todayrsquos market is the ldquoPay-to-PubKeyHashrdquo(P2PKH) which requires only one signature from the ownerto authorize a payment While the other script is called ldquoPay-to-ScriptHashrdquo (P2SH) [22] which is typically used as multi-signature addresses but it also enables a variety of transactiontypes and supports future developments

Fig 1 Bitcoin transactions

Unlike central bank in which all the transactions are verifiedprocessed and recorded in a centralized private ledger inBitcoin every user acts as a bank and keep a copy of thisledger In Bitcoin the role of the distributed ledger is playedby the so-called blockchain However storing multiple copiesof the blockchain in the network adds new vulnerabilities inthe system such as keeping the global view of the blockchainconsistent For instance a user (say Alice) could generatetwo different transactions simultaneously using the same setof coins to two different receivers (say Bob and Carol)This type of malicious behavior by a user is termed asdouble spending If both the receiver processes the transactionindependently based on their local view of the blockchainand the transaction verification is successful this leaves theblockchain into an inconsistent state The main requirementsto avoid the above problem is two-folded (i) distribute thetransaction verification process to ensure the correctness ofthe transaction and (ii) everyone in the network should knowquickly about a successfully processed transaction to ensurethe consistent state of the blockchain To fulfill the aforemen-tioned requirements Bitcoin uses the concept of Proof-of-Work(PoW) and a probabilistic distributed consensus protocol

The distributed transaction verification process ensures thata majority of miners will verify the legitimacy of a transactionbefore it is added in the blockchain In this way wheneverthe blockchain goes into an inconsistent state all the nodesupdate their local copy of blockchain with the state on whicha majority of miners agree in this way the correct state ofthe blockchain is obtained by election However this schemeis vulnerable to the sybil attacks [23] With sybil attack aminer creates multiple virtual nodes in the network and thesenodes could disrupt the election process by injecting falseinformation in the network such as voting positive for a faultytransactionBitcoin counters the sybil attacks by making use ofPoW based consensus model in which to verify a transactionthe miners have to perform some sort of computational task toprove that they are not virtual entities The PoW consists of acomplex cryptographic math puzzle similar to Adam BackrsquosHashcash [24] In particular PoW involves scanning for avalue (called nonce) that when hashed such as with SHA-256 the resulting hash begins with a number of zeros Theaverage work required is exponential to the number of zerosin the correct hash however the verification process consists ofa single step ie by executing a single hash In this way PoWimposes a high level of computational cost on the transactionverification process and the verification will be dependent onthe computing power of a miner instead of the number of(possibly virtual) identities The main idea is that it is muchharder to fake the computing resources than it is to perform asybil attack in the network

In practice the miners do not mine individual transactionsinstead they collect pending transactions to form a block Theminers mine a block by calculating the hash of that blockalong with a varying nonce The nonce is varied until theresultant hash value becomes lower or equal to a given targetvalue The target is a 256-bit number that all miners shareCalculating the desired hash value is computationally difficultFor hashing Bitcoin uses SHA-256 hash function [25] Unlessthe cryptographic hash function finds the required hash valuethe only option is to try different nonces until a solution (ahash value lower than the target) is discovered Consequentlythe difficulty of the puzzle depends on the target value ielower the target the fewer solutions exist hence more difficultthe hash calculation becomes Once a miner calculates thecorrect hash value for a block it immediately broadcast theblock in the network along with the calculated hash value andnonce and it also appends the block in its private blockchainThe rest of the miners when receiving a mined block canquickly verify its correctness by comparing the hash valuegiven in the received block with the target value The minerswill also update their local blockchain by adding the newlymined block

Once a block is successfully added in the blockchain (iea majority of miners consider the block valid) the miner whofirst solved the PoW will be rewarded (as of May 2017 125BTCs) with a set of newly generated coins This reward halvesevery 210000 blocks In particular these mining rewards arenot really received from anyone because there is no centralauthority that would be able to do this In Bitcoin rewards arepart of the block generation process in which a miner inserts

a reward generating transaction (or a coinbase transaction) forits own Bitcoin address and it is always the first transactionappearing in every block If the mined block is validated andaccepted by the peers then this inserted transaction becomesvalid and the miner receives the rewarded bitcoins

Apart from the mining reward for every successful additionof a transaction in the blockchain the miner will also receivean amount called transaction fee which is equivalent to theamount remaining when the value of all outputs in a transac-tion is subtracted from all its inputs [26] As the mining rewardkeep on decreasing with time and the number of transactionsis rapidly increasing in the network the transaction fee takesa major role for how fast a transaction is to be included inthe blockchain The Bitcoin never mandates transaction feeand it is only specified by the owner(s) of a transactionand it is different for each transaction A transaction withlow transaction fee could suffer from the starvation problemie denied service for a long time if the miners are busyprocessing the transactions with a higher transaction fee

All the miners race to calculate the correct hash value fora block by performing the PoW so that they can collect thecorresponding reward The chance of being the first to solvethe puzzle is higher for the miners who own or control morenumber of computing resources By this rule a miner withhigher computing resources can always increase her chancesto win the reward To enforce reasonable waiting time for theblock validation and generation the target value is adjustedafter every 2016 blocks This adjustment of the target alsohelps in keeping per block verification time to approximately10 minutes It further effects the new bitcoins generation ratein the Bitcoin because keeping the block verification time nearto 10 minutes implies that only 125 new coins can be addedin the network per 10 minutes In [27] authors propose anequation to calculate the new target value for the BitcoinThe new target is given by the following Equation

T = Tprev lowastTactual

2016 lowast 10min (1)

Here Tprev is the old target value and Tactual is the timeperiod that the Bitcoin network took to generate the last 2016blocks

B Blockchain and Mining

The blockchain is a public append-only link-list based datastructure which stores the entire networkrsquos transaction historyin terms of blocks In each block the transactions are storedusing Merkle Tree [28] and a relatively secure time-stamp anda hash of the previous block is also stored Figure 2 showsthe working methodology that is being in use for creating andmaintaining the Bitcoinrsquos blockchain To successfully add anew block in the blockchain the miners need to verify (mine)a block by solving a computationally difficult PoW puzzleOne can traverse the blockchain in order to determine theownership of each bitcoin because the blocks are stored in anordered form Also tempering within a block is not possibleas it would change the hash of the block In particular ifa transaction in a block is tampered with the hash valueof that block changes this in turn changes the subsequent

Fig 2 Creation and addition of blocks in blockchain

Fig 3 Blockchain consensus model

blocks because each block contains the hash of the previousblock The blockchain constantly grows in length due to thecontinuous mining process in the network The process ofadding a new block is as follows (i) once a miner determinesa valid hash value (ie a hash equal or lower than target)for a block it adds the block in her local blockchain andbroadcast the solution and (ii) upon receiving a solution fora valid block the miners will quickly check for its validity ifthe solution is correct the miners update their local copy ofblockchain else discard the block

Due to the distributed nature of the block validation processit is possible that two valid solutions are found approximatelyat the same time or distribution of a verified block is delayeddue to network latency this results in valid blockchain forksof equal length The forks are undesirable as the miners needto keep a global state of the blockchain consisting of thetotally ordered set of transactions However when multipleforks exist the miners are free to choose a fork and continueto mine on top of it Now that the network is having multipleforks and miners are extending different but valid versions ofthe blockchain based on their local view a time will comedue to the random nature of PoW where miners operating onone fork will broadcast a valid block before the others Dueto this a longer version of the blockchain now exists in thenetwork and all the miners will start adding their following

blocks on top of this longer blockchain The aforementionedbehavior of blockchain is shown in Figure 3

The presence of blockchain forks in Bitcoin could beexploited by a malicious miner to gain profits or to disturb thenormal functioning of the Bitcoin In particular a resourcefulminer (or mining pool) could force a blockchain fork in thenetwork by privately mining on it Once the malicious minersees that the length of the public blockchain is catching up fastwith her private chain the miner broadcast her blockchain inthe network and due to its longer length all the other minerswill start mining on top of it In this process all the mined (ievalid) blocks on the other parallel blockchain get discardedwhich makes the efforts of the genuine miners useless InSection III we will discuss an array of attacks on Bitcointhat exploits the forking nature of Bitcoin blockchain

In general the security in Bitcoin is on the assumptionthat the honest players control a majority of the computingresources The main driving factor for miners to honestlyverify a block is the reward (ie 125 BTCs) that they receiveupon every successful block addition in the blockchain Asmentioned before that to verify a block the miners needto solve the associated hard crypto-puzzle The probabilityof solving the crypto-puzzle is proportional to a numberof computing resources used As per [29] a single homeminer which uses a dedicated Application-Specific Integrated

Fig 4 Bitcoin transaction processing steps

Circuit (ASIC) for mining will unlikely verify a single blockin years For this reason miners mine in the form of theso-called mining pools All miners that are associated witha pool works collectively to mine a particular block underthe control of a pool manager Upon successful mining themanager distributes the reward among all the associated minersproportional to the resources expended by each miner Adetailed discussion of different pooled mining approaches andtheir reward systems is given in [30] [31]

For the better understanding how a transaction is beingprocessed in the Bitcoin please refer to Figure 4 Assumethat Bob wants to transfer 5 bitcoins to Alice In order topay to Alice Bob needs a device such as a smartphonetablet or laptop that runs the Bitcoin full or lightweight client-side software and two pieces of information which includeBobprimes private key and Aliceprimes Bitcoin address Any userin the network can send money to a Bitcoin address butonly a unique signature generated using the private key canrelease bitcoins from the account Bob uses a cryptographickey to digitally sign off on the transaction proving that heowns those coins When Bob broadcast a transaction in thenetwork an alert is sent to all the miners in the networkinforming them about this new transaction The miners checkthat the digital signatures are correct and Bob has enoughbitcoins to complete the transactions Additionally miners raceto bundle all the pending transactions (including bobprimes) in thenetwork and mine the resulting block by varying the nonceIn particular the miners create a hash of the block and ifthe hash does not begin with a particular number of zerosthe hash function is rerun using a new random number (iethe nonce) The required hash value must have a certain butarbitrary number of zeros at the beginning It is unpredictablewhich nonce will generate the required hash with a correctnumber of zeros so the miners have to keep trying by usingdifferent nonces to find the desired hash value When theminer finds a hash value with the correct number of zeros(ie the discovered value is lower than target value) the

discovery is announced in the network and both the Bob andthe Alice will also receive a confirmation about the successfultransaction Other miners communicate their acceptance andthey turn their attention to discover the next block in thenetwork However a successful transaction could be discardedor deemed invalid at latter period of time if it is unable tostay in the blockchain due to reasons such as existence ofmultiple forks majority of miners does not agree to considerthe block containing this transaction as a valid block a doublespending attack is detected to name a few

The Bitcoin protocol rewards the winning miner with theset of newly minted bitcoins as incentive and the hashedblock is published in the public ledger Once Bobprimes transactionhas been added in the blockchain he and Alice each receivethe first confirmation stating that the Bitcoin has been signedover to Alice In terms of transaction time it depends on thecurrent network load and the transaction fee included in thetransaction by Bob but at the minimum it would be around10 minutes However receiving the first confirmation doesnot mean that the transaction is processed successfully and itcannot be invalidated at a latter point in time In particularit has been recommended by the Bitcoin community thatafter a block is mined it should receive enough consecutiveblock confirmations (currently 6 confirmations) before it isconsidered as a valid transaction

C Consensus Protocol

Bitcoin blockchain is a decentralized system thus it doesnot require authorization from any trusted third party (TTP)to process the transactions In particular the nodes com-municate over a network and collaboratively construct theblockchain without relying on a central authority Howeverindividual nodes might crash behave maliciously act againstthe common goal or the network communication may becomeinterrupted For delivering a continuous service the nodestherefore run a fault-tolerant consensus protocol to ensure that

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

and privacy issues in Bitcoin and its underlying techniques

A Contribution

In this paper we present a comprehensive survey specif-ically targeting the security and privacy aspects of Bitcoinand its related concepts We discuss the state-of-the-art attackvector which includes various user security and transactionanonymity threats that limits (or threatens) the applicability (orcontinuity) of bitcoins in real-world applications and servicesWe also discuss the efficiency of various security solutions thatare proposed over the years to address the existing security andprivacy challenges in Bitcoin In particular we mainly focus onthe security challenges and their countermeasures with respectto major components of Bitcoin In addition we discuss theissues of user privacy and transaction anonymity along with alarge array of research that has been done for enabling privacyand improving anonymity in Bitcoin

In the literature [20] provides a comprehensive technicalsurvey on decentralized digital currencies with mainly em-phasizing on bitcoins The authors explore the technical back-ground of Bitcoin and discuss the implications of the centraldesign decisions for various Bitcoin technologies In [10]authors discuss various cryptocurrencies in detail and providesa preliminary overview of the advantages and disadvantagesof the use of bitcoins However all the existing works lack adetailed survey about security and privacy aspects of Bitcoinand are a bit outdated given the extensive research was donein the last couple of years on security and privacy Moreoverthere are numerous papers on Bitcoin and Cryptocurrencysecurity and privacy however a concise survey is requiredfor an audience who are planning to initiate research in thisdirection This paper does not attempt to solve any newchallenge but presents an overview and discussion of theBitcoin security and privacy threats along with their availablecountermeasures In particular the main contributions of thissurvey are as followbull We present the essential background knowledge for Bit-

coin its functionalities and related concepts The goal isto enable the new readers to get the required familiaritywith the Bitcoin and its underlying technologies such astransactions blockchain and consensus protocols This isrequired in order to understand the working methodol-ogy benefits and challenges that are associated with theuse of bitcoins

bull We systematically present and discuss all the existingsecurity and privacy related threats that are associatedeither directly or indirectly (ie by exploiting one ofits underlying technology) with the use of bitcoins Atvarious levels of its overall operation we investigate thepossibilities which includes both practical and theoreticalrisks that an adversary could exploit to launch an attackon the Bitcoin

bull We discuss the efficiency and limitations of the state-of-the-art solutions that address the security threats andenables strong privacy in Bitcoin thus we provide aholistic technical perspective on these challenges in theuse of bitcoins Finally based on our survey we provide

the list of lessons learned open issues and directions forfuture work

To the best of our knowledge this is the first survey that dis-cusses and highlights the impact of existing as well as possiblefuture security and privacy threats Bitcoin and its associatedtechnologies The paper aims to assist the interested readers(i) to understand the scope and impact of security and privacychallenges in Bitcoin (ii) to estimate the possible damagecaused by these threats and (iii) to point in the directionthat will possibly lead to the detection and containment ofthe identified threats In particular the goal of our researchis to raise the awareness in the Bitcoin research communityon the pressing requirement to prevent various attacks fromdisrupting the cryptocurrency For most of the security threatsdiscussed in this paper we have no evidence that such attackshave already been performed on Bitcoin However we believethat some of the important characteristics of Bitcoin makethese attacks practical and potentially highly disruptive Thesecharacteristics include the high centralization of Bitcoin (froma mining and routing perspective) the lack of authenticationand integrity checks for network nodes and some designchoices pertaining for instance how in the Bitcoin network anode requests a block

B Organization

The rest of the paper is organized as follow In Section II wepresent a brief overview of Bitcoin which includes the descrip-tion of its major components along with their functionalitiesand interactions In Section III we discuss a number of secu-rity threats associated with the development implementationand use of bitcoins In Section IV we discuss the state-of-the-art proposals that either countermeasure a security threator enhances the existing security in Bitcoin In Section V wediscuss the anonymity and privacy threats towards the use ofbitcoins along with their existing solutions We present thesummary of the observations and future research directionsthat are learned from our survey in Section VI Finally weconclude the paper in Section VII

II OVERVIEW OF BITCOIN

Bitcoin is a decentralized electronic payment system intro-duced by Nakamoto [1] It is based on peer-to-peer (P2P)network and a probabilistic distributed consensus protocol InBitcoin electronic payments are done by generating transac-tions that transfer bitcoins among users The destination ad-dress (also called Bitcoin address) is generated by performinga series of irreversible cryptographic hashing operations onthe userrsquos public key In Bitcoin a user can have multiple ad-dresses by generating multiple public keys and these addressescould be associated with one or more of her wallets [21] Theprivate key of the user is required to spend the owned bitcoinsin the form of digitally signed transactions Using the hashof the public key as a receiving address provides the usersa certain degree of anonymity and it is recommended thepractice to use different Bitcoin address for each receivingtransaction

In Bitcoin transactions are processed to verify their in-tegrity authenticity and correctness by a group of resource-ful network nodes called ldquoMinersrdquo In particular instead ofmining a single transaction the miners bundle a number oftransactions that are waiting for the network to get processedin a single unit called ldquoblockrdquo The miner advertises a block inthe whole network as soon as it completes its processing (orvalidation) in order to claim the mining reward This blockis then verified by the majority of miners in the networkbefore it is successfully added in a distributed public ledgercalled ldquoblockchainrdquo The miner who mines a block receivesa reward when the mined block is successfully added in theblockchain We now present an overview of the major techni-cal components and operational features that are essential forthe practical realization of the Bitcoin

A Transaction and Proof-of-Work

Bitcoin use transactions to move coins from one user walletto another In particular the coins are represented in the formof transactions more specifically a chain of transactions Asdepicted in Figure 1 the key fields in a transaction includesBitcoin version hash of the transaction Locktime1 one ormore inputs and one or more outputs Every input in atransaction belongs to a particular user and it consists of thefollowing (i) hash pointer to a previous transaction whichserves as the identifier of the transaction that includes theoutput we now want to utilise as an input (ii) an indexto specific unspent previous transaction output (UTXO) thatwe want to spend in the current transaction (iii) unlockingscript length and (iv) unlocking script (also referred to asscriptSig) which satisfies the conditions associated with the useof UTXO While a transaction output consists of the numberof bitcoins that are being transferred locking script lengthand locking script (also referred to as scriptPubKey) whichimposes a condition that must be met before the UTXO canbe spent To authorize a transaction input the correspondinguser of the input provides the public key and the cryptographicsignature generated using her private key Multiple inputs areoften listed in a transaction All of the transactionrsquos inputvalues are added up and the total (excluding transaction feeif any) is completely used by the outputs of the transactionIn particular when the output of a previous transaction isused as the input in a new transaction it must be spent inits entirety Sometimes the coin value of the output is higherthan what the user wishes to pay In this case the sendergenerates a new Bitcoin address and sends the difference backto this address For instance Bob has 50 coins from one of itsprevious transactionrsquos output and he wants to transfer 5 coinsto Alice using that output as an input in a new transactionFor this purpose Bob has to create a new transaction withone input (ie output from its previous transaction) and twoor more outputs In the outputs one output will show that 5coins are transferred to Alice and other output(s) will showtransfer of the remaining coins to one (or more) wallet(s)owned by Bob With this approach the Bitcoin achieves two

1It indicates the earliest time or blockchain length when this transactionmay be spent to the blockchain

goals (i) it implements the idea of change and (ii) one caneasily identify the unspent coins or balance of a user by onlylooking the outputs from its previous transactions An outputin a transaction specifies the number of coins being transferredalong with the Bitcoin address of the new owner These inputsand outputs are managed using a Forth-like scripting languagewhich dictates the essential conditions to claim the coins Thedominant script in todayrsquos market is the ldquoPay-to-PubKeyHashrdquo(P2PKH) which requires only one signature from the ownerto authorize a payment While the other script is called ldquoPay-to-ScriptHashrdquo (P2SH) [22] which is typically used as multi-signature addresses but it also enables a variety of transactiontypes and supports future developments

Fig 1 Bitcoin transactions

Unlike central bank in which all the transactions are verifiedprocessed and recorded in a centralized private ledger inBitcoin every user acts as a bank and keep a copy of thisledger In Bitcoin the role of the distributed ledger is playedby the so-called blockchain However storing multiple copiesof the blockchain in the network adds new vulnerabilities inthe system such as keeping the global view of the blockchainconsistent For instance a user (say Alice) could generatetwo different transactions simultaneously using the same setof coins to two different receivers (say Bob and Carol)This type of malicious behavior by a user is termed asdouble spending If both the receiver processes the transactionindependently based on their local view of the blockchainand the transaction verification is successful this leaves theblockchain into an inconsistent state The main requirementsto avoid the above problem is two-folded (i) distribute thetransaction verification process to ensure the correctness ofthe transaction and (ii) everyone in the network should knowquickly about a successfully processed transaction to ensurethe consistent state of the blockchain To fulfill the aforemen-tioned requirements Bitcoin uses the concept of Proof-of-Work(PoW) and a probabilistic distributed consensus protocol

The distributed transaction verification process ensures thata majority of miners will verify the legitimacy of a transactionbefore it is added in the blockchain In this way wheneverthe blockchain goes into an inconsistent state all the nodesupdate their local copy of blockchain with the state on whicha majority of miners agree in this way the correct state ofthe blockchain is obtained by election However this schemeis vulnerable to the sybil attacks [23] With sybil attack aminer creates multiple virtual nodes in the network and thesenodes could disrupt the election process by injecting falseinformation in the network such as voting positive for a faultytransactionBitcoin counters the sybil attacks by making use ofPoW based consensus model in which to verify a transactionthe miners have to perform some sort of computational task toprove that they are not virtual entities The PoW consists of acomplex cryptographic math puzzle similar to Adam BackrsquosHashcash [24] In particular PoW involves scanning for avalue (called nonce) that when hashed such as with SHA-256 the resulting hash begins with a number of zeros Theaverage work required is exponential to the number of zerosin the correct hash however the verification process consists ofa single step ie by executing a single hash In this way PoWimposes a high level of computational cost on the transactionverification process and the verification will be dependent onthe computing power of a miner instead of the number of(possibly virtual) identities The main idea is that it is muchharder to fake the computing resources than it is to perform asybil attack in the network

In practice the miners do not mine individual transactionsinstead they collect pending transactions to form a block Theminers mine a block by calculating the hash of that blockalong with a varying nonce The nonce is varied until theresultant hash value becomes lower or equal to a given targetvalue The target is a 256-bit number that all miners shareCalculating the desired hash value is computationally difficultFor hashing Bitcoin uses SHA-256 hash function [25] Unlessthe cryptographic hash function finds the required hash valuethe only option is to try different nonces until a solution (ahash value lower than the target) is discovered Consequentlythe difficulty of the puzzle depends on the target value ielower the target the fewer solutions exist hence more difficultthe hash calculation becomes Once a miner calculates thecorrect hash value for a block it immediately broadcast theblock in the network along with the calculated hash value andnonce and it also appends the block in its private blockchainThe rest of the miners when receiving a mined block canquickly verify its correctness by comparing the hash valuegiven in the received block with the target value The minerswill also update their local blockchain by adding the newlymined block

Once a block is successfully added in the blockchain (iea majority of miners consider the block valid) the miner whofirst solved the PoW will be rewarded (as of May 2017 125BTCs) with a set of newly generated coins This reward halvesevery 210000 blocks In particular these mining rewards arenot really received from anyone because there is no centralauthority that would be able to do this In Bitcoin rewards arepart of the block generation process in which a miner inserts

a reward generating transaction (or a coinbase transaction) forits own Bitcoin address and it is always the first transactionappearing in every block If the mined block is validated andaccepted by the peers then this inserted transaction becomesvalid and the miner receives the rewarded bitcoins

Apart from the mining reward for every successful additionof a transaction in the blockchain the miner will also receivean amount called transaction fee which is equivalent to theamount remaining when the value of all outputs in a transac-tion is subtracted from all its inputs [26] As the mining rewardkeep on decreasing with time and the number of transactionsis rapidly increasing in the network the transaction fee takesa major role for how fast a transaction is to be included inthe blockchain The Bitcoin never mandates transaction feeand it is only specified by the owner(s) of a transactionand it is different for each transaction A transaction withlow transaction fee could suffer from the starvation problemie denied service for a long time if the miners are busyprocessing the transactions with a higher transaction fee

All the miners race to calculate the correct hash value fora block by performing the PoW so that they can collect thecorresponding reward The chance of being the first to solvethe puzzle is higher for the miners who own or control morenumber of computing resources By this rule a miner withhigher computing resources can always increase her chancesto win the reward To enforce reasonable waiting time for theblock validation and generation the target value is adjustedafter every 2016 blocks This adjustment of the target alsohelps in keeping per block verification time to approximately10 minutes It further effects the new bitcoins generation ratein the Bitcoin because keeping the block verification time nearto 10 minutes implies that only 125 new coins can be addedin the network per 10 minutes In [27] authors propose anequation to calculate the new target value for the BitcoinThe new target is given by the following Equation

T = Tprev lowastTactual

2016 lowast 10min (1)

Here Tprev is the old target value and Tactual is the timeperiod that the Bitcoin network took to generate the last 2016blocks

B Blockchain and Mining

The blockchain is a public append-only link-list based datastructure which stores the entire networkrsquos transaction historyin terms of blocks In each block the transactions are storedusing Merkle Tree [28] and a relatively secure time-stamp anda hash of the previous block is also stored Figure 2 showsthe working methodology that is being in use for creating andmaintaining the Bitcoinrsquos blockchain To successfully add anew block in the blockchain the miners need to verify (mine)a block by solving a computationally difficult PoW puzzleOne can traverse the blockchain in order to determine theownership of each bitcoin because the blocks are stored in anordered form Also tempering within a block is not possibleas it would change the hash of the block In particular ifa transaction in a block is tampered with the hash valueof that block changes this in turn changes the subsequent

Fig 2 Creation and addition of blocks in blockchain

Fig 3 Blockchain consensus model

blocks because each block contains the hash of the previousblock The blockchain constantly grows in length due to thecontinuous mining process in the network The process ofadding a new block is as follows (i) once a miner determinesa valid hash value (ie a hash equal or lower than target)for a block it adds the block in her local blockchain andbroadcast the solution and (ii) upon receiving a solution fora valid block the miners will quickly check for its validity ifthe solution is correct the miners update their local copy ofblockchain else discard the block

Due to the distributed nature of the block validation processit is possible that two valid solutions are found approximatelyat the same time or distribution of a verified block is delayeddue to network latency this results in valid blockchain forksof equal length The forks are undesirable as the miners needto keep a global state of the blockchain consisting of thetotally ordered set of transactions However when multipleforks exist the miners are free to choose a fork and continueto mine on top of it Now that the network is having multipleforks and miners are extending different but valid versions ofthe blockchain based on their local view a time will comedue to the random nature of PoW where miners operating onone fork will broadcast a valid block before the others Dueto this a longer version of the blockchain now exists in thenetwork and all the miners will start adding their following

blocks on top of this longer blockchain The aforementionedbehavior of blockchain is shown in Figure 3

The presence of blockchain forks in Bitcoin could beexploited by a malicious miner to gain profits or to disturb thenormal functioning of the Bitcoin In particular a resourcefulminer (or mining pool) could force a blockchain fork in thenetwork by privately mining on it Once the malicious minersees that the length of the public blockchain is catching up fastwith her private chain the miner broadcast her blockchain inthe network and due to its longer length all the other minerswill start mining on top of it In this process all the mined (ievalid) blocks on the other parallel blockchain get discardedwhich makes the efforts of the genuine miners useless InSection III we will discuss an array of attacks on Bitcointhat exploits the forking nature of Bitcoin blockchain

In general the security in Bitcoin is on the assumptionthat the honest players control a majority of the computingresources The main driving factor for miners to honestlyverify a block is the reward (ie 125 BTCs) that they receiveupon every successful block addition in the blockchain Asmentioned before that to verify a block the miners needto solve the associated hard crypto-puzzle The probabilityof solving the crypto-puzzle is proportional to a numberof computing resources used As per [29] a single homeminer which uses a dedicated Application-Specific Integrated

Fig 4 Bitcoin transaction processing steps

Circuit (ASIC) for mining will unlikely verify a single blockin years For this reason miners mine in the form of theso-called mining pools All miners that are associated witha pool works collectively to mine a particular block underthe control of a pool manager Upon successful mining themanager distributes the reward among all the associated minersproportional to the resources expended by each miner Adetailed discussion of different pooled mining approaches andtheir reward systems is given in [30] [31]

For the better understanding how a transaction is beingprocessed in the Bitcoin please refer to Figure 4 Assumethat Bob wants to transfer 5 bitcoins to Alice In order topay to Alice Bob needs a device such as a smartphonetablet or laptop that runs the Bitcoin full or lightweight client-side software and two pieces of information which includeBobprimes private key and Aliceprimes Bitcoin address Any userin the network can send money to a Bitcoin address butonly a unique signature generated using the private key canrelease bitcoins from the account Bob uses a cryptographickey to digitally sign off on the transaction proving that heowns those coins When Bob broadcast a transaction in thenetwork an alert is sent to all the miners in the networkinforming them about this new transaction The miners checkthat the digital signatures are correct and Bob has enoughbitcoins to complete the transactions Additionally miners raceto bundle all the pending transactions (including bobprimes) in thenetwork and mine the resulting block by varying the nonceIn particular the miners create a hash of the block and ifthe hash does not begin with a particular number of zerosthe hash function is rerun using a new random number (iethe nonce) The required hash value must have a certain butarbitrary number of zeros at the beginning It is unpredictablewhich nonce will generate the required hash with a correctnumber of zeros so the miners have to keep trying by usingdifferent nonces to find the desired hash value When theminer finds a hash value with the correct number of zeros(ie the discovered value is lower than target value) the

discovery is announced in the network and both the Bob andthe Alice will also receive a confirmation about the successfultransaction Other miners communicate their acceptance andthey turn their attention to discover the next block in thenetwork However a successful transaction could be discardedor deemed invalid at latter period of time if it is unable tostay in the blockchain due to reasons such as existence ofmultiple forks majority of miners does not agree to considerthe block containing this transaction as a valid block a doublespending attack is detected to name a few

The Bitcoin protocol rewards the winning miner with theset of newly minted bitcoins as incentive and the hashedblock is published in the public ledger Once Bobprimes transactionhas been added in the blockchain he and Alice each receivethe first confirmation stating that the Bitcoin has been signedover to Alice In terms of transaction time it depends on thecurrent network load and the transaction fee included in thetransaction by Bob but at the minimum it would be around10 minutes However receiving the first confirmation doesnot mean that the transaction is processed successfully and itcannot be invalidated at a latter point in time In particularit has been recommended by the Bitcoin community thatafter a block is mined it should receive enough consecutiveblock confirmations (currently 6 confirmations) before it isconsidered as a valid transaction

C Consensus Protocol

Bitcoin blockchain is a decentralized system thus it doesnot require authorization from any trusted third party (TTP)to process the transactions In particular the nodes com-municate over a network and collaboratively construct theblockchain without relying on a central authority Howeverindividual nodes might crash behave maliciously act againstthe common goal or the network communication may becomeinterrupted For delivering a continuous service the nodestherefore run a fault-tolerant consensus protocol to ensure that

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

In Bitcoin transactions are processed to verify their in-tegrity authenticity and correctness by a group of resource-ful network nodes called ldquoMinersrdquo In particular instead ofmining a single transaction the miners bundle a number oftransactions that are waiting for the network to get processedin a single unit called ldquoblockrdquo The miner advertises a block inthe whole network as soon as it completes its processing (orvalidation) in order to claim the mining reward This blockis then verified by the majority of miners in the networkbefore it is successfully added in a distributed public ledgercalled ldquoblockchainrdquo The miner who mines a block receivesa reward when the mined block is successfully added in theblockchain We now present an overview of the major techni-cal components and operational features that are essential forthe practical realization of the Bitcoin

A Transaction and Proof-of-Work

Bitcoin use transactions to move coins from one user walletto another In particular the coins are represented in the formof transactions more specifically a chain of transactions Asdepicted in Figure 1 the key fields in a transaction includesBitcoin version hash of the transaction Locktime1 one ormore inputs and one or more outputs Every input in atransaction belongs to a particular user and it consists of thefollowing (i) hash pointer to a previous transaction whichserves as the identifier of the transaction that includes theoutput we now want to utilise as an input (ii) an indexto specific unspent previous transaction output (UTXO) thatwe want to spend in the current transaction (iii) unlockingscript length and (iv) unlocking script (also referred to asscriptSig) which satisfies the conditions associated with the useof UTXO While a transaction output consists of the numberof bitcoins that are being transferred locking script lengthand locking script (also referred to as scriptPubKey) whichimposes a condition that must be met before the UTXO canbe spent To authorize a transaction input the correspondinguser of the input provides the public key and the cryptographicsignature generated using her private key Multiple inputs areoften listed in a transaction All of the transactionrsquos inputvalues are added up and the total (excluding transaction feeif any) is completely used by the outputs of the transactionIn particular when the output of a previous transaction isused as the input in a new transaction it must be spent inits entirety Sometimes the coin value of the output is higherthan what the user wishes to pay In this case the sendergenerates a new Bitcoin address and sends the difference backto this address For instance Bob has 50 coins from one of itsprevious transactionrsquos output and he wants to transfer 5 coinsto Alice using that output as an input in a new transactionFor this purpose Bob has to create a new transaction withone input (ie output from its previous transaction) and twoor more outputs In the outputs one output will show that 5coins are transferred to Alice and other output(s) will showtransfer of the remaining coins to one (or more) wallet(s)owned by Bob With this approach the Bitcoin achieves two

1It indicates the earliest time or blockchain length when this transactionmay be spent to the blockchain

goals (i) it implements the idea of change and (ii) one caneasily identify the unspent coins or balance of a user by onlylooking the outputs from its previous transactions An outputin a transaction specifies the number of coins being transferredalong with the Bitcoin address of the new owner These inputsand outputs are managed using a Forth-like scripting languagewhich dictates the essential conditions to claim the coins Thedominant script in todayrsquos market is the ldquoPay-to-PubKeyHashrdquo(P2PKH) which requires only one signature from the ownerto authorize a payment While the other script is called ldquoPay-to-ScriptHashrdquo (P2SH) [22] which is typically used as multi-signature addresses but it also enables a variety of transactiontypes and supports future developments

Fig 1 Bitcoin transactions

Unlike central bank in which all the transactions are verifiedprocessed and recorded in a centralized private ledger inBitcoin every user acts as a bank and keep a copy of thisledger In Bitcoin the role of the distributed ledger is playedby the so-called blockchain However storing multiple copiesof the blockchain in the network adds new vulnerabilities inthe system such as keeping the global view of the blockchainconsistent For instance a user (say Alice) could generatetwo different transactions simultaneously using the same setof coins to two different receivers (say Bob and Carol)This type of malicious behavior by a user is termed asdouble spending If both the receiver processes the transactionindependently based on their local view of the blockchainand the transaction verification is successful this leaves theblockchain into an inconsistent state The main requirementsto avoid the above problem is two-folded (i) distribute thetransaction verification process to ensure the correctness ofthe transaction and (ii) everyone in the network should knowquickly about a successfully processed transaction to ensurethe consistent state of the blockchain To fulfill the aforemen-tioned requirements Bitcoin uses the concept of Proof-of-Work(PoW) and a probabilistic distributed consensus protocol

The distributed transaction verification process ensures thata majority of miners will verify the legitimacy of a transactionbefore it is added in the blockchain In this way wheneverthe blockchain goes into an inconsistent state all the nodesupdate their local copy of blockchain with the state on whicha majority of miners agree in this way the correct state ofthe blockchain is obtained by election However this schemeis vulnerable to the sybil attacks [23] With sybil attack aminer creates multiple virtual nodes in the network and thesenodes could disrupt the election process by injecting falseinformation in the network such as voting positive for a faultytransactionBitcoin counters the sybil attacks by making use ofPoW based consensus model in which to verify a transactionthe miners have to perform some sort of computational task toprove that they are not virtual entities The PoW consists of acomplex cryptographic math puzzle similar to Adam BackrsquosHashcash [24] In particular PoW involves scanning for avalue (called nonce) that when hashed such as with SHA-256 the resulting hash begins with a number of zeros Theaverage work required is exponential to the number of zerosin the correct hash however the verification process consists ofa single step ie by executing a single hash In this way PoWimposes a high level of computational cost on the transactionverification process and the verification will be dependent onthe computing power of a miner instead of the number of(possibly virtual) identities The main idea is that it is muchharder to fake the computing resources than it is to perform asybil attack in the network

In practice the miners do not mine individual transactionsinstead they collect pending transactions to form a block Theminers mine a block by calculating the hash of that blockalong with a varying nonce The nonce is varied until theresultant hash value becomes lower or equal to a given targetvalue The target is a 256-bit number that all miners shareCalculating the desired hash value is computationally difficultFor hashing Bitcoin uses SHA-256 hash function [25] Unlessthe cryptographic hash function finds the required hash valuethe only option is to try different nonces until a solution (ahash value lower than the target) is discovered Consequentlythe difficulty of the puzzle depends on the target value ielower the target the fewer solutions exist hence more difficultthe hash calculation becomes Once a miner calculates thecorrect hash value for a block it immediately broadcast theblock in the network along with the calculated hash value andnonce and it also appends the block in its private blockchainThe rest of the miners when receiving a mined block canquickly verify its correctness by comparing the hash valuegiven in the received block with the target value The minerswill also update their local blockchain by adding the newlymined block

Once a block is successfully added in the blockchain (iea majority of miners consider the block valid) the miner whofirst solved the PoW will be rewarded (as of May 2017 125BTCs) with a set of newly generated coins This reward halvesevery 210000 blocks In particular these mining rewards arenot really received from anyone because there is no centralauthority that would be able to do this In Bitcoin rewards arepart of the block generation process in which a miner inserts

a reward generating transaction (or a coinbase transaction) forits own Bitcoin address and it is always the first transactionappearing in every block If the mined block is validated andaccepted by the peers then this inserted transaction becomesvalid and the miner receives the rewarded bitcoins

Apart from the mining reward for every successful additionof a transaction in the blockchain the miner will also receivean amount called transaction fee which is equivalent to theamount remaining when the value of all outputs in a transac-tion is subtracted from all its inputs [26] As the mining rewardkeep on decreasing with time and the number of transactionsis rapidly increasing in the network the transaction fee takesa major role for how fast a transaction is to be included inthe blockchain The Bitcoin never mandates transaction feeand it is only specified by the owner(s) of a transactionand it is different for each transaction A transaction withlow transaction fee could suffer from the starvation problemie denied service for a long time if the miners are busyprocessing the transactions with a higher transaction fee

All the miners race to calculate the correct hash value fora block by performing the PoW so that they can collect thecorresponding reward The chance of being the first to solvethe puzzle is higher for the miners who own or control morenumber of computing resources By this rule a miner withhigher computing resources can always increase her chancesto win the reward To enforce reasonable waiting time for theblock validation and generation the target value is adjustedafter every 2016 blocks This adjustment of the target alsohelps in keeping per block verification time to approximately10 minutes It further effects the new bitcoins generation ratein the Bitcoin because keeping the block verification time nearto 10 minutes implies that only 125 new coins can be addedin the network per 10 minutes In [27] authors propose anequation to calculate the new target value for the BitcoinThe new target is given by the following Equation

T = Tprev lowastTactual

2016 lowast 10min (1)

Here Tprev is the old target value and Tactual is the timeperiod that the Bitcoin network took to generate the last 2016blocks

B Blockchain and Mining

The blockchain is a public append-only link-list based datastructure which stores the entire networkrsquos transaction historyin terms of blocks In each block the transactions are storedusing Merkle Tree [28] and a relatively secure time-stamp anda hash of the previous block is also stored Figure 2 showsthe working methodology that is being in use for creating andmaintaining the Bitcoinrsquos blockchain To successfully add anew block in the blockchain the miners need to verify (mine)a block by solving a computationally difficult PoW puzzleOne can traverse the blockchain in order to determine theownership of each bitcoin because the blocks are stored in anordered form Also tempering within a block is not possibleas it would change the hash of the block In particular ifa transaction in a block is tampered with the hash valueof that block changes this in turn changes the subsequent

Fig 2 Creation and addition of blocks in blockchain

Fig 3 Blockchain consensus model

blocks because each block contains the hash of the previousblock The blockchain constantly grows in length due to thecontinuous mining process in the network The process ofadding a new block is as follows (i) once a miner determinesa valid hash value (ie a hash equal or lower than target)for a block it adds the block in her local blockchain andbroadcast the solution and (ii) upon receiving a solution fora valid block the miners will quickly check for its validity ifthe solution is correct the miners update their local copy ofblockchain else discard the block

Due to the distributed nature of the block validation processit is possible that two valid solutions are found approximatelyat the same time or distribution of a verified block is delayeddue to network latency this results in valid blockchain forksof equal length The forks are undesirable as the miners needto keep a global state of the blockchain consisting of thetotally ordered set of transactions However when multipleforks exist the miners are free to choose a fork and continueto mine on top of it Now that the network is having multipleforks and miners are extending different but valid versions ofthe blockchain based on their local view a time will comedue to the random nature of PoW where miners operating onone fork will broadcast a valid block before the others Dueto this a longer version of the blockchain now exists in thenetwork and all the miners will start adding their following

blocks on top of this longer blockchain The aforementionedbehavior of blockchain is shown in Figure 3

The presence of blockchain forks in Bitcoin could beexploited by a malicious miner to gain profits or to disturb thenormal functioning of the Bitcoin In particular a resourcefulminer (or mining pool) could force a blockchain fork in thenetwork by privately mining on it Once the malicious minersees that the length of the public blockchain is catching up fastwith her private chain the miner broadcast her blockchain inthe network and due to its longer length all the other minerswill start mining on top of it In this process all the mined (ievalid) blocks on the other parallel blockchain get discardedwhich makes the efforts of the genuine miners useless InSection III we will discuss an array of attacks on Bitcointhat exploits the forking nature of Bitcoin blockchain

In general the security in Bitcoin is on the assumptionthat the honest players control a majority of the computingresources The main driving factor for miners to honestlyverify a block is the reward (ie 125 BTCs) that they receiveupon every successful block addition in the blockchain Asmentioned before that to verify a block the miners needto solve the associated hard crypto-puzzle The probabilityof solving the crypto-puzzle is proportional to a numberof computing resources used As per [29] a single homeminer which uses a dedicated Application-Specific Integrated

Fig 4 Bitcoin transaction processing steps

Circuit (ASIC) for mining will unlikely verify a single blockin years For this reason miners mine in the form of theso-called mining pools All miners that are associated witha pool works collectively to mine a particular block underthe control of a pool manager Upon successful mining themanager distributes the reward among all the associated minersproportional to the resources expended by each miner Adetailed discussion of different pooled mining approaches andtheir reward systems is given in [30] [31]

For the better understanding how a transaction is beingprocessed in the Bitcoin please refer to Figure 4 Assumethat Bob wants to transfer 5 bitcoins to Alice In order topay to Alice Bob needs a device such as a smartphonetablet or laptop that runs the Bitcoin full or lightweight client-side software and two pieces of information which includeBobprimes private key and Aliceprimes Bitcoin address Any userin the network can send money to a Bitcoin address butonly a unique signature generated using the private key canrelease bitcoins from the account Bob uses a cryptographickey to digitally sign off on the transaction proving that heowns those coins When Bob broadcast a transaction in thenetwork an alert is sent to all the miners in the networkinforming them about this new transaction The miners checkthat the digital signatures are correct and Bob has enoughbitcoins to complete the transactions Additionally miners raceto bundle all the pending transactions (including bobprimes) in thenetwork and mine the resulting block by varying the nonceIn particular the miners create a hash of the block and ifthe hash does not begin with a particular number of zerosthe hash function is rerun using a new random number (iethe nonce) The required hash value must have a certain butarbitrary number of zeros at the beginning It is unpredictablewhich nonce will generate the required hash with a correctnumber of zeros so the miners have to keep trying by usingdifferent nonces to find the desired hash value When theminer finds a hash value with the correct number of zeros(ie the discovered value is lower than target value) the

discovery is announced in the network and both the Bob andthe Alice will also receive a confirmation about the successfultransaction Other miners communicate their acceptance andthey turn their attention to discover the next block in thenetwork However a successful transaction could be discardedor deemed invalid at latter period of time if it is unable tostay in the blockchain due to reasons such as existence ofmultiple forks majority of miners does not agree to considerthe block containing this transaction as a valid block a doublespending attack is detected to name a few

The Bitcoin protocol rewards the winning miner with theset of newly minted bitcoins as incentive and the hashedblock is published in the public ledger Once Bobprimes transactionhas been added in the blockchain he and Alice each receivethe first confirmation stating that the Bitcoin has been signedover to Alice In terms of transaction time it depends on thecurrent network load and the transaction fee included in thetransaction by Bob but at the minimum it would be around10 minutes However receiving the first confirmation doesnot mean that the transaction is processed successfully and itcannot be invalidated at a latter point in time In particularit has been recommended by the Bitcoin community thatafter a block is mined it should receive enough consecutiveblock confirmations (currently 6 confirmations) before it isconsidered as a valid transaction

C Consensus Protocol

Bitcoin blockchain is a decentralized system thus it doesnot require authorization from any trusted third party (TTP)to process the transactions In particular the nodes com-municate over a network and collaboratively construct theblockchain without relying on a central authority Howeverindividual nodes might crash behave maliciously act againstthe common goal or the network communication may becomeinterrupted For delivering a continuous service the nodestherefore run a fault-tolerant consensus protocol to ensure that

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

The distributed transaction verification process ensures thata majority of miners will verify the legitimacy of a transactionbefore it is added in the blockchain In this way wheneverthe blockchain goes into an inconsistent state all the nodesupdate their local copy of blockchain with the state on whicha majority of miners agree in this way the correct state ofthe blockchain is obtained by election However this schemeis vulnerable to the sybil attacks [23] With sybil attack aminer creates multiple virtual nodes in the network and thesenodes could disrupt the election process by injecting falseinformation in the network such as voting positive for a faultytransactionBitcoin counters the sybil attacks by making use ofPoW based consensus model in which to verify a transactionthe miners have to perform some sort of computational task toprove that they are not virtual entities The PoW consists of acomplex cryptographic math puzzle similar to Adam BackrsquosHashcash [24] In particular PoW involves scanning for avalue (called nonce) that when hashed such as with SHA-256 the resulting hash begins with a number of zeros Theaverage work required is exponential to the number of zerosin the correct hash however the verification process consists ofa single step ie by executing a single hash In this way PoWimposes a high level of computational cost on the transactionverification process and the verification will be dependent onthe computing power of a miner instead of the number of(possibly virtual) identities The main idea is that it is muchharder to fake the computing resources than it is to perform asybil attack in the network

In practice the miners do not mine individual transactionsinstead they collect pending transactions to form a block Theminers mine a block by calculating the hash of that blockalong with a varying nonce The nonce is varied until theresultant hash value becomes lower or equal to a given targetvalue The target is a 256-bit number that all miners shareCalculating the desired hash value is computationally difficultFor hashing Bitcoin uses SHA-256 hash function [25] Unlessthe cryptographic hash function finds the required hash valuethe only option is to try different nonces until a solution (ahash value lower than the target) is discovered Consequentlythe difficulty of the puzzle depends on the target value ielower the target the fewer solutions exist hence more difficultthe hash calculation becomes Once a miner calculates thecorrect hash value for a block it immediately broadcast theblock in the network along with the calculated hash value andnonce and it also appends the block in its private blockchainThe rest of the miners when receiving a mined block canquickly verify its correctness by comparing the hash valuegiven in the received block with the target value The minerswill also update their local blockchain by adding the newlymined block

Once a block is successfully added in the blockchain (iea majority of miners consider the block valid) the miner whofirst solved the PoW will be rewarded (as of May 2017 125BTCs) with a set of newly generated coins This reward halvesevery 210000 blocks In particular these mining rewards arenot really received from anyone because there is no centralauthority that would be able to do this In Bitcoin rewards arepart of the block generation process in which a miner inserts

a reward generating transaction (or a coinbase transaction) forits own Bitcoin address and it is always the first transactionappearing in every block If the mined block is validated andaccepted by the peers then this inserted transaction becomesvalid and the miner receives the rewarded bitcoins

Apart from the mining reward for every successful additionof a transaction in the blockchain the miner will also receivean amount called transaction fee which is equivalent to theamount remaining when the value of all outputs in a transac-tion is subtracted from all its inputs [26] As the mining rewardkeep on decreasing with time and the number of transactionsis rapidly increasing in the network the transaction fee takesa major role for how fast a transaction is to be included inthe blockchain The Bitcoin never mandates transaction feeand it is only specified by the owner(s) of a transactionand it is different for each transaction A transaction withlow transaction fee could suffer from the starvation problemie denied service for a long time if the miners are busyprocessing the transactions with a higher transaction fee

All the miners race to calculate the correct hash value fora block by performing the PoW so that they can collect thecorresponding reward The chance of being the first to solvethe puzzle is higher for the miners who own or control morenumber of computing resources By this rule a miner withhigher computing resources can always increase her chancesto win the reward To enforce reasonable waiting time for theblock validation and generation the target value is adjustedafter every 2016 blocks This adjustment of the target alsohelps in keeping per block verification time to approximately10 minutes It further effects the new bitcoins generation ratein the Bitcoin because keeping the block verification time nearto 10 minutes implies that only 125 new coins can be addedin the network per 10 minutes In [27] authors propose anequation to calculate the new target value for the BitcoinThe new target is given by the following Equation

T = Tprev lowastTactual

2016 lowast 10min (1)

Here Tprev is the old target value and Tactual is the timeperiod that the Bitcoin network took to generate the last 2016blocks

B Blockchain and Mining

The blockchain is a public append-only link-list based datastructure which stores the entire networkrsquos transaction historyin terms of blocks In each block the transactions are storedusing Merkle Tree [28] and a relatively secure time-stamp anda hash of the previous block is also stored Figure 2 showsthe working methodology that is being in use for creating andmaintaining the Bitcoinrsquos blockchain To successfully add anew block in the blockchain the miners need to verify (mine)a block by solving a computationally difficult PoW puzzleOne can traverse the blockchain in order to determine theownership of each bitcoin because the blocks are stored in anordered form Also tempering within a block is not possibleas it would change the hash of the block In particular ifa transaction in a block is tampered with the hash valueof that block changes this in turn changes the subsequent

Fig 2 Creation and addition of blocks in blockchain

Fig 3 Blockchain consensus model

blocks because each block contains the hash of the previousblock The blockchain constantly grows in length due to thecontinuous mining process in the network The process ofadding a new block is as follows (i) once a miner determinesa valid hash value (ie a hash equal or lower than target)for a block it adds the block in her local blockchain andbroadcast the solution and (ii) upon receiving a solution fora valid block the miners will quickly check for its validity ifthe solution is correct the miners update their local copy ofblockchain else discard the block

Due to the distributed nature of the block validation processit is possible that two valid solutions are found approximatelyat the same time or distribution of a verified block is delayeddue to network latency this results in valid blockchain forksof equal length The forks are undesirable as the miners needto keep a global state of the blockchain consisting of thetotally ordered set of transactions However when multipleforks exist the miners are free to choose a fork and continueto mine on top of it Now that the network is having multipleforks and miners are extending different but valid versions ofthe blockchain based on their local view a time will comedue to the random nature of PoW where miners operating onone fork will broadcast a valid block before the others Dueto this a longer version of the blockchain now exists in thenetwork and all the miners will start adding their following

blocks on top of this longer blockchain The aforementionedbehavior of blockchain is shown in Figure 3

The presence of blockchain forks in Bitcoin could beexploited by a malicious miner to gain profits or to disturb thenormal functioning of the Bitcoin In particular a resourcefulminer (or mining pool) could force a blockchain fork in thenetwork by privately mining on it Once the malicious minersees that the length of the public blockchain is catching up fastwith her private chain the miner broadcast her blockchain inthe network and due to its longer length all the other minerswill start mining on top of it In this process all the mined (ievalid) blocks on the other parallel blockchain get discardedwhich makes the efforts of the genuine miners useless InSection III we will discuss an array of attacks on Bitcointhat exploits the forking nature of Bitcoin blockchain

In general the security in Bitcoin is on the assumptionthat the honest players control a majority of the computingresources The main driving factor for miners to honestlyverify a block is the reward (ie 125 BTCs) that they receiveupon every successful block addition in the blockchain Asmentioned before that to verify a block the miners needto solve the associated hard crypto-puzzle The probabilityof solving the crypto-puzzle is proportional to a numberof computing resources used As per [29] a single homeminer which uses a dedicated Application-Specific Integrated

Fig 4 Bitcoin transaction processing steps

Circuit (ASIC) for mining will unlikely verify a single blockin years For this reason miners mine in the form of theso-called mining pools All miners that are associated witha pool works collectively to mine a particular block underthe control of a pool manager Upon successful mining themanager distributes the reward among all the associated minersproportional to the resources expended by each miner Adetailed discussion of different pooled mining approaches andtheir reward systems is given in [30] [31]

For the better understanding how a transaction is beingprocessed in the Bitcoin please refer to Figure 4 Assumethat Bob wants to transfer 5 bitcoins to Alice In order topay to Alice Bob needs a device such as a smartphonetablet or laptop that runs the Bitcoin full or lightweight client-side software and two pieces of information which includeBobprimes private key and Aliceprimes Bitcoin address Any userin the network can send money to a Bitcoin address butonly a unique signature generated using the private key canrelease bitcoins from the account Bob uses a cryptographickey to digitally sign off on the transaction proving that heowns those coins When Bob broadcast a transaction in thenetwork an alert is sent to all the miners in the networkinforming them about this new transaction The miners checkthat the digital signatures are correct and Bob has enoughbitcoins to complete the transactions Additionally miners raceto bundle all the pending transactions (including bobprimes) in thenetwork and mine the resulting block by varying the nonceIn particular the miners create a hash of the block and ifthe hash does not begin with a particular number of zerosthe hash function is rerun using a new random number (iethe nonce) The required hash value must have a certain butarbitrary number of zeros at the beginning It is unpredictablewhich nonce will generate the required hash with a correctnumber of zeros so the miners have to keep trying by usingdifferent nonces to find the desired hash value When theminer finds a hash value with the correct number of zeros(ie the discovered value is lower than target value) the

discovery is announced in the network and both the Bob andthe Alice will also receive a confirmation about the successfultransaction Other miners communicate their acceptance andthey turn their attention to discover the next block in thenetwork However a successful transaction could be discardedor deemed invalid at latter period of time if it is unable tostay in the blockchain due to reasons such as existence ofmultiple forks majority of miners does not agree to considerthe block containing this transaction as a valid block a doublespending attack is detected to name a few

The Bitcoin protocol rewards the winning miner with theset of newly minted bitcoins as incentive and the hashedblock is published in the public ledger Once Bobprimes transactionhas been added in the blockchain he and Alice each receivethe first confirmation stating that the Bitcoin has been signedover to Alice In terms of transaction time it depends on thecurrent network load and the transaction fee included in thetransaction by Bob but at the minimum it would be around10 minutes However receiving the first confirmation doesnot mean that the transaction is processed successfully and itcannot be invalidated at a latter point in time In particularit has been recommended by the Bitcoin community thatafter a block is mined it should receive enough consecutiveblock confirmations (currently 6 confirmations) before it isconsidered as a valid transaction

C Consensus Protocol

Bitcoin blockchain is a decentralized system thus it doesnot require authorization from any trusted third party (TTP)to process the transactions In particular the nodes com-municate over a network and collaboratively construct theblockchain without relying on a central authority Howeverindividual nodes might crash behave maliciously act againstthe common goal or the network communication may becomeinterrupted For delivering a continuous service the nodestherefore run a fault-tolerant consensus protocol to ensure that

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

Fig 2 Creation and addition of blocks in blockchain

Fig 3 Blockchain consensus model

blocks because each block contains the hash of the previousblock The blockchain constantly grows in length due to thecontinuous mining process in the network The process ofadding a new block is as follows (i) once a miner determinesa valid hash value (ie a hash equal or lower than target)for a block it adds the block in her local blockchain andbroadcast the solution and (ii) upon receiving a solution fora valid block the miners will quickly check for its validity ifthe solution is correct the miners update their local copy ofblockchain else discard the block

Due to the distributed nature of the block validation processit is possible that two valid solutions are found approximatelyat the same time or distribution of a verified block is delayeddue to network latency this results in valid blockchain forksof equal length The forks are undesirable as the miners needto keep a global state of the blockchain consisting of thetotally ordered set of transactions However when multipleforks exist the miners are free to choose a fork and continueto mine on top of it Now that the network is having multipleforks and miners are extending different but valid versions ofthe blockchain based on their local view a time will comedue to the random nature of PoW where miners operating onone fork will broadcast a valid block before the others Dueto this a longer version of the blockchain now exists in thenetwork and all the miners will start adding their following

blocks on top of this longer blockchain The aforementionedbehavior of blockchain is shown in Figure 3

The presence of blockchain forks in Bitcoin could beexploited by a malicious miner to gain profits or to disturb thenormal functioning of the Bitcoin In particular a resourcefulminer (or mining pool) could force a blockchain fork in thenetwork by privately mining on it Once the malicious minersees that the length of the public blockchain is catching up fastwith her private chain the miner broadcast her blockchain inthe network and due to its longer length all the other minerswill start mining on top of it In this process all the mined (ievalid) blocks on the other parallel blockchain get discardedwhich makes the efforts of the genuine miners useless InSection III we will discuss an array of attacks on Bitcointhat exploits the forking nature of Bitcoin blockchain

In general the security in Bitcoin is on the assumptionthat the honest players control a majority of the computingresources The main driving factor for miners to honestlyverify a block is the reward (ie 125 BTCs) that they receiveupon every successful block addition in the blockchain Asmentioned before that to verify a block the miners needto solve the associated hard crypto-puzzle The probabilityof solving the crypto-puzzle is proportional to a numberof computing resources used As per [29] a single homeminer which uses a dedicated Application-Specific Integrated

Fig 4 Bitcoin transaction processing steps

Circuit (ASIC) for mining will unlikely verify a single blockin years For this reason miners mine in the form of theso-called mining pools All miners that are associated witha pool works collectively to mine a particular block underthe control of a pool manager Upon successful mining themanager distributes the reward among all the associated minersproportional to the resources expended by each miner Adetailed discussion of different pooled mining approaches andtheir reward systems is given in [30] [31]

For the better understanding how a transaction is beingprocessed in the Bitcoin please refer to Figure 4 Assumethat Bob wants to transfer 5 bitcoins to Alice In order topay to Alice Bob needs a device such as a smartphonetablet or laptop that runs the Bitcoin full or lightweight client-side software and two pieces of information which includeBobprimes private key and Aliceprimes Bitcoin address Any userin the network can send money to a Bitcoin address butonly a unique signature generated using the private key canrelease bitcoins from the account Bob uses a cryptographickey to digitally sign off on the transaction proving that heowns those coins When Bob broadcast a transaction in thenetwork an alert is sent to all the miners in the networkinforming them about this new transaction The miners checkthat the digital signatures are correct and Bob has enoughbitcoins to complete the transactions Additionally miners raceto bundle all the pending transactions (including bobprimes) in thenetwork and mine the resulting block by varying the nonceIn particular the miners create a hash of the block and ifthe hash does not begin with a particular number of zerosthe hash function is rerun using a new random number (iethe nonce) The required hash value must have a certain butarbitrary number of zeros at the beginning It is unpredictablewhich nonce will generate the required hash with a correctnumber of zeros so the miners have to keep trying by usingdifferent nonces to find the desired hash value When theminer finds a hash value with the correct number of zeros(ie the discovered value is lower than target value) the

discovery is announced in the network and both the Bob andthe Alice will also receive a confirmation about the successfultransaction Other miners communicate their acceptance andthey turn their attention to discover the next block in thenetwork However a successful transaction could be discardedor deemed invalid at latter period of time if it is unable tostay in the blockchain due to reasons such as existence ofmultiple forks majority of miners does not agree to considerthe block containing this transaction as a valid block a doublespending attack is detected to name a few

The Bitcoin protocol rewards the winning miner with theset of newly minted bitcoins as incentive and the hashedblock is published in the public ledger Once Bobprimes transactionhas been added in the blockchain he and Alice each receivethe first confirmation stating that the Bitcoin has been signedover to Alice In terms of transaction time it depends on thecurrent network load and the transaction fee included in thetransaction by Bob but at the minimum it would be around10 minutes However receiving the first confirmation doesnot mean that the transaction is processed successfully and itcannot be invalidated at a latter point in time In particularit has been recommended by the Bitcoin community thatafter a block is mined it should receive enough consecutiveblock confirmations (currently 6 confirmations) before it isconsidered as a valid transaction

C Consensus Protocol

Bitcoin blockchain is a decentralized system thus it doesnot require authorization from any trusted third party (TTP)to process the transactions In particular the nodes com-municate over a network and collaboratively construct theblockchain without relying on a central authority Howeverindividual nodes might crash behave maliciously act againstthe common goal or the network communication may becomeinterrupted For delivering a continuous service the nodestherefore run a fault-tolerant consensus protocol to ensure that

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

Fig 4 Bitcoin transaction processing steps

Circuit (ASIC) for mining will unlikely verify a single blockin years For this reason miners mine in the form of theso-called mining pools All miners that are associated witha pool works collectively to mine a particular block underthe control of a pool manager Upon successful mining themanager distributes the reward among all the associated minersproportional to the resources expended by each miner Adetailed discussion of different pooled mining approaches andtheir reward systems is given in [30] [31]

For the better understanding how a transaction is beingprocessed in the Bitcoin please refer to Figure 4 Assumethat Bob wants to transfer 5 bitcoins to Alice In order topay to Alice Bob needs a device such as a smartphonetablet or laptop that runs the Bitcoin full or lightweight client-side software and two pieces of information which includeBobprimes private key and Aliceprimes Bitcoin address Any userin the network can send money to a Bitcoin address butonly a unique signature generated using the private key canrelease bitcoins from the account Bob uses a cryptographickey to digitally sign off on the transaction proving that heowns those coins When Bob broadcast a transaction in thenetwork an alert is sent to all the miners in the networkinforming them about this new transaction The miners checkthat the digital signatures are correct and Bob has enoughbitcoins to complete the transactions Additionally miners raceto bundle all the pending transactions (including bobprimes) in thenetwork and mine the resulting block by varying the nonceIn particular the miners create a hash of the block and ifthe hash does not begin with a particular number of zerosthe hash function is rerun using a new random number (iethe nonce) The required hash value must have a certain butarbitrary number of zeros at the beginning It is unpredictablewhich nonce will generate the required hash with a correctnumber of zeros so the miners have to keep trying by usingdifferent nonces to find the desired hash value When theminer finds a hash value with the correct number of zeros(ie the discovered value is lower than target value) the

discovery is announced in the network and both the Bob andthe Alice will also receive a confirmation about the successfultransaction Other miners communicate their acceptance andthey turn their attention to discover the next block in thenetwork However a successful transaction could be discardedor deemed invalid at latter period of time if it is unable tostay in the blockchain due to reasons such as existence ofmultiple forks majority of miners does not agree to considerthe block containing this transaction as a valid block a doublespending attack is detected to name a few

The Bitcoin protocol rewards the winning miner with theset of newly minted bitcoins as incentive and the hashedblock is published in the public ledger Once Bobprimes transactionhas been added in the blockchain he and Alice each receivethe first confirmation stating that the Bitcoin has been signedover to Alice In terms of transaction time it depends on thecurrent network load and the transaction fee included in thetransaction by Bob but at the minimum it would be around10 minutes However receiving the first confirmation doesnot mean that the transaction is processed successfully and itcannot be invalidated at a latter point in time In particularit has been recommended by the Bitcoin community thatafter a block is mined it should receive enough consecutiveblock confirmations (currently 6 confirmations) before it isconsidered as a valid transaction

C Consensus Protocol

Bitcoin blockchain is a decentralized system thus it doesnot require authorization from any trusted third party (TTP)to process the transactions In particular the nodes com-municate over a network and collaboratively construct theblockchain without relying on a central authority Howeverindividual nodes might crash behave maliciously act againstthe common goal or the network communication may becomeinterrupted For delivering a continuous service the nodestherefore run a fault-tolerant consensus protocol to ensure that

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

they all agree on the order in which entries are appended tothe blockchain To add a new block in the blockchain everyminer must follow a set of rules specified in the consensusprotocol Bitcoin achieves the distributed consensus by usingPoW based consensus algorithm This algorithm imposes thefollowing major rules (i) input and output values are rational(ii) transactions only spend unspent outputs (iii) all inputsbeing spent have valid signatures (iv) no coinbase2 transactionoutputs were spent within 100 blocks of their creation and (v)no transactions spend inputs with a locktime before the blockin which they are confirmed Generally a blockchain basedsystem such as Bitcoin is considered as secure and robust asits consensus model

In the PoW based consensus algorithm the participantsrequire no authentication to join the network which makesthe Bitcoin consensus model extremely scalable in termsof supporting thousands of network nodes However PoWbased consensus is vulnerable to ldquo51rdquo attacks in whichan adversary has control over 51 of the mining power (iehashrate) in the network hence it can write its own blocksor fork the blockchain that at a later point converges withthe main blockchain This behavior of adversary helps her toperform several other types of attacks in the Bitcoin whichincludes double spending eclipse and denial-of-service Inparticular 51 attack drives away the honest miners from themining process thus weakens the consensus protocol whichposes a threat to Bitcoin security and robustness One way toachieve the 51 attack in Bitcoin system is to incentivize (orbribe) the honest miners to join the attackersrsquo coalition

Along with the various security attacks (please refer totables I and II) the effectiveness of a consensus protocol alsodepends on the performance and stability of the network Forinstance an increase in the latency between the validationof a block and its receipt by all other miners increases thepossibility of a temporary blockchain fork Although due tothe PoW model eventual consistency in the blockchain willbe reached despite the temporary forks however it resultsin longer transaction confirmation times Today the Bitcoinnetwork is restricted to a sustained rate of 7 transactionsper section (tps) due to the Bitcoin protocol restricting blocksizes to 1MB This is very slow when considered the highprocessing speed of MasterCard or VISAs ie millions oftps Therefore it is important for Bitcoin to have a broadcastnetwork which is not only decentralized but it also provideslow latency and it is difficult to deliberately censor or delaymessages The PoW based consensus algorithm also wastesa lot of energy in hash computations during the miningprocess However it facilitates high scalability in terms ofnodes participating in the network and operates completely ina decentralized fashion

Bitcoin consensus algorithm has been its most widelydebated component in the Bitcoin research community This isbecause the consensus algorithm rises (i) open questions aboutthe Bitcoin stability [10] (ii) concerns about the performanceand scalability of the protocol [32] and (iii) concerns for

2A coinbase transaction is a unique type of bitcoin transaction that can onlybe created by a miner

computational resource wastage [33] In particular the PoWconsensus model used by Bitcoin blockchain is very inefficientin terms of power consumption and the overall generationtime of new blocks Hence to overcome or limit someof the aforementioned disadvantages of PoW various otherconsensus protocols such as Proof-of-Stake (PoS) [34] Proofof Elapsed Time (PoET) Proof of Authority (PoA) Practicalbyzantine fault tolerance (PBFT) [35] Federated ByzantineFault Tolerance (FBFT) Proof of Storage [36] [37] to namea few are designed The most obvious difference betweenthese consensus protocols and PoW is that each of thesealternative protocols the consensus is driven at the expenseof internal resources (eg coins or reputation) instead ofexternal resources (eg electricity) This creates an entirelydifferent set of incentives for (and trust in) network nodes (ieminers) which drastically changes the network security modelDetailed discussions on these alternative consensus protocolsare out of the scope of our survey hence we direct interestedusers to [38] [20] [39] [40] [41]

D Networking Infrastructure

Bitcoin uses an unstructured peer-to-peer (P2P) networkbased on unencrypted persistent TCP connections as its foun-dational communication structure In general unstructuredoverlays are easily constructed and robust against highlydynamic network topologies ie against frequently joiningand leaving peers These type of networks are best suitedfor Bitcoin as the aim is to distribute information as fastas possible to reach consensus on the blockchain Howeverexperimenting with the Bitcoin networkprotocol poses a chal-lenge By now there are a few possibilities to approach thistask One way is to connect to the mainnet ie the live Bitcoinnetwork or the testnet Another way is to use the simulationenvironments such as Shadow [42] event discrete simulatorwhich aims at simulating large-scale Bitcoin networks whilekeeping full control over all components

Bitcoin nodes maintain a list of IP addresses of potentialpeers and the list is bootstrapped via a DNS server and addi-tional addresses are exchanged between peers Each peer aimsto maintain a minimum of 8 unencrypted TCP connections inthe overlay ie the peer actively tries to establish additionalconnections if the current number of connections is lowerthan 8 The number of eight connections can be significantlyexceeded if incoming connections are accepted by a Bitcoinpeer upto a maximum of 125 connections at a time By defaultpeers listen on port 8333 for inbound connections When peersestablish a new connection they perform an application layerhandshake consisting of version and verack messages Themessages include a timestamp for time synchronization IPaddresses and the protocol version A node selects its peersin a random fashion and it selects a new set of peers after afixed amount of time This is done to minimize the possibilityand effects of netsplit attack in which an attacker creates aninconsistent view of the network (and the blockchain) at theattacked node Since Bitcoin version 07 IPv6 is supported Inorder to detect when peers have left Bitcoin uses a softstateapproach If 30 minutes have been passed since messages were

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

last exchanged between neighbors peers will transmit a hellomessage to keep the connection alive

Miners continually listen to new block announcementswhich are sent via INV messages containing the hash ofthe mined block If a miner discovers that it does not hold anewly announced block it transmits a GETDATA messageto one of its neighbor The neighbor then respond by sendingthe requested information in a BLOCK message In casethe requested block do not arrive within 20 minutes theminer trigger the disconnection of that particular neighborand request the same information from another neighbor Thepropagation of transactions occur in a sequence given as INV GETDATA and TX messages in which nodes announcerequest and share transactions that have not yet been includedin the blockchain

In order to form the distributed consensus newly discoveredtransactions and blocks are propagated (through flooding) inthe whole network Miners store new transactions for themining purposes but after some time remove them if they donot make it on the blockchain It is the responsibility of thetransaction originator that the transaction is received by all thepeers in the network To this end the originator might need torebroadcast the transaction if it did not get into the blockchainin first attempt This is to ensure that the transaction getsconsidered in the next block An adversary could introducedelay in the propagation of both new transactions and minedblock for the purpose of launching the double spend andnetsplit attacks As shown in [43] the propagation time caneven be further extended under reasonable circumstancesAuthors in [5] presents a taxonomy of routing attacks andtheir impact on Bitcoin considering both small-scale attackstargeting individual nodes and large-scale attacks targetingthe network as a whole By isolating parts of the network ordelaying block propagation adversaries could cause significantamount of mining power to be wasted leading to revenuelosses and exposing the network to a wide range of exploitssuch as double spending

The use of an unstructured P2P network in Bitcoin enablesthe required rapid distribution of information in every partof the network The security of Bitcoin heavily depends onthe global consistent state of blockchain which relies on theefficiency of its PoW based consensus protocol The variationsin the propagation mechanisms could adversely affect theconsensus protocol The presence of inconsistent blockchainstates if exploited correctly could lead to a successful doublespending To this end it is essential that the Bitcoin networkshould remains scalable in terms of network bandwidth net-work size and storage requirements because this will facilitatethe increase in number of honest miners in the network whichwill strengthen the consensus protocol In Bitcoin full nodesdownload and verify all blocks starting from the genesis blockbecause it is the most secure way Full nodes participate inthe P2P network and help to propagate information althoughits not mandatory to do so Alternatively the thin clients usethe simplified payment verification (SPV) to perform Bitcointransactions The SPV is a method used by Bitcoin thin clientfor verifying if particular transactions are included in a blockwithout downloading the entire block However the use of

SPV costs the thin clients because it introduces weaknessessuch as Denial of Service (DoS) and privacy leakage forthe thin client In particular the general scalability issues ofunstructured overlays combined with the issues induced bythe Bitcoin protocol itself remains in the system Many of theresults suggest that scalability remains an open problem [44]and it is hard to keep the fully decentralized network infuture [45] [46]

E Benefits and Challenges

Same as any other emerging technology use of Bitcoincomes with certain benefits and challenges and various typesof risks are associated with its use It is believed3 that Bitcoinhas the following benefits and challenges

Benefits -bull No Third-Party Seizure No central authority can manip-

ulate or seize the currency since every currency transferhappens peer-to-peer just like hard cash In particular bit-coins are yours and only yours and the central authoritycant take your cryptocurrency because it does not printit own it and control it correspondingly

bull Anonymity and transparency Unless Bitcoin users pub-licize their wallet addresses publicly it is extremely hardto trace transactions back to them However even if thewallet addresses was publicized a new wallet addresscan be easily generated This greatly increases privacywhen compared to traditional currency systems wherethird parties potentially have access to personal financialdata Moreover this high anonymity is achieved withoutsacrificing the system transparency as all the bitcointransactions are documented in a public ledger

bull No taxes and lower transaction fees Due to its decen-tralized nature and user anonymity there is no viableway to implement a Bitcoin taxation system In the pastBitcoin provided instant transactions at nearly no costEven now Bitcoin has lower transaction costs than acredit card Paypal and bank transfers However thelower transaction fee is only beneficial in situations wherethe user performs a large value international transactionsThis is because the average transaction fee becomeshigher for very small value transfers or purchases suchas paying for regular household commodities

bull Theft resistance Stealing of bitcoins is not possible untilthe adversary have the private keys (usually kept offline)that are associated with the user wallet In particular Bit-coin provides security by design for instance unlike withcredit cards you dont expose your secret (private key)whenever you make a transaction Moreover bitcoinsare free from Charge-backs ie once bitcoins are sentthe transaction cannot be reversed Since the ownershipaddress of the sent bitcoins will be changed to the newowner and it is impossible to revert This ensures thatthere is no risk involved when receiving bitcoins

3As some of these benefits and challenges are not entirely true at all thetimes for instance Bitcoin transactions are not fully anonymous and theprivacy of Bitcoin users could be threatened

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

Challengesbull High energy consumption Bitcoinrsquos blockchain uses

PoW model to achieve distributed consensus in thenetwork Although the use of PoW makes the miningprocess more resistant to various security threats suchas sybil and double spending it consumes a ridicu-lous amount of energy and computing resources [47]In particular processing a bitcoin transaction consumesmore than 5000 times as much energy as using a Visacredit card hence innovative technologies that reduce thisenergy consumption are required to ensure a sustainablefuture for Bitcoin Furthermore due to the continuousincrease in network load and energy consumption thetime required for transaction processing is increasing

bull Wallets can be lost Since there is no trusted third partyif a uses lost the private key associated with her walletdue to a hard drive crash or a virus corrupts data or lostthe device carrying the key all the bitcoins in the wallethas been considered lost for forever There is nothingthat can be done to recover the bitcoins and these willbe forever orphaned in the system This can bankrupt awealthy Bitcoin investor within seconds

bull (Facilitate) Criminal activity The considerable amountof anonymity provided by the Bitcoin system helps thewould-be cyber criminals to perform various illicit activ-ities such as ransomware [48] tax evasion undergroundmarket and money laundering

According to [49] the risk is the exposure to the level ofdanger associated with Bitcoin technology in fact the samecan be applied to any such digital cryptocurrency The majorrisks that threaten the wide usability of the Bitcoin paymentsystems are as followbull Social risks it includes bubble formation (ie risk of

socio-economic relationship such as what people talk andgossip) cool factor (ie entering the networking withoutknowing the ill effects) construction of chain (ie riskrelated with the blockchain formation like hashing andmining rewards) and new coins release (ie on whatbasis the new coins to be generated is there a need etc)

bull Legal risks Bitcoin technology opposes rules and regula-tions and hence it finds opposition from the governmentThis risk also includes law enforcement towards handlingfinancial operational customer protection and securitybreaches that arise due to Bitcoin system

bull Economic risks deflation volatility and timing issues infinding a block which might lead the users to migratetowards other currencies that offer faster services

bull Technological risks this includes the following net-work equipment and its loss network with which thepeers are connected and its associated parameters threatvulnerabilities on the system hash functions with itsassociated robustness factor and software associated risksthat Bitcoin system demands

bull Security risks security is a major issue in Bitcoin systemwe will discuss risks associated due to various securitythreats in detail in Section III

In [50] authors perform a survey on the peoplersquos opinion

about bitcoins usage Participants argue that the greatest barrierto the usage of bitcoins is the lack of support by higherauthorities (ie government) Participants felt that bitcoinsmust be accepted as legitimate and reputable currency Ad-ditionally the participants expressed that the system mustprovide support towards transacting fearlessly without criminalexploitation Furthermore the Bitcoin is mainly dependent onthe socio-technical actors and the impact of their opinion onthe public Few among participants have suggested that theblockchain construction is the major cause of disruption dueto its tendency to get manipulated by adversaries

In [51] it was stated that many Bitcoin users already losttheir money due to poor usability of key management andsecurity breaches such as malicious exchanges and walletsAround 225 of the participants reported having lost theirbitcoins due to security breaches Also many participantsstated that for a fast flow of bitcoins in the user communitysimple and impressive user interface are even more importantthan security In addition participants highlighted that the poorusability and lack of knowledge regarding the Bitcoin usageare the major contributors to the security failures

III SECURITY ATTACKS ON BITCOIN SYSTEMS

Bitcoin is the most popular cryptocurrency4 and has stoodfirst in the market capital investment from day one Since itis a decentralized model with an uncontrollable environmenthackers and thieves find cryptocurrency system an easy wayto fraud the transactions In this section we discuss existingsecurity threats and their countermeasures for Bitcoin andits underlying technologies We provide a detailed discussionof potential vulnerabilities that can be found in the Bitcoinprotocols as well as in the Bitcoin network this will bedone by taking a close look at the broad attack vector andtheir impact on the particular components in the BitcoinApart from double spending which is and will always bepossible in Bitcoin the attack space includes a range of walletattacks (ie client-side security) network attacks (such asDDoS sybil and eclipse) and mining attacks (such as 50block withholding and bribery) Tables I and II provides acomprehensive overview of the potential security threats alongwith their impacts on various entities in Bitcoin and theirpossible solutions that exist in literature so far

A Double Spending

A client in the Bitcoin network achieves a double spend(ie send two conflicting transactions in rapid succession) ifshe is able to simultaneously spend the same set of bitcoinsin two different transactions [2] For instance a dishonestclient (Cd) creates a transaction TCd

V at time t using a setof bitcoins (Bc) with a recipient address of a vendor (V ) topurchase some product from V Cd broadcast TCd

V in theBitcoin network At time tprime where tprime asymp t Cd create andbroadcast another transaction TCd

Cdusing the same coins (ie

Bc) with the recipient address of Cd or a wallet which isunder the control of Cd In the above scenario the double

4wwwcryptocoinsnewscom

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

TABLE IMAJOR ATTACKS ON BITCOIN SYSTEM AND ITS POW BASED CONSENSUS PROTOCOL

Attack Description Primary targets Adverse effects Possible countermeasures

Double spending or Raceattack [2] spent the same bitcoins

in multiple transactionssend two conflicting trans-actions in rapid succession

sellers or mer-chants

sellers lose theirproducts drive away the

honest users createblockchain forks

inserting observers in network [2]communicating double spendingalerts among peers [2] nearbypeers should notify the merchantabout an ongoing double spend assoon as possible [52] merchantsshould disable the direct incomingconnections [53] [54]

Finney attack [55] dishonest miner broad-casts a pre-mined blockfor the purpose of dou-ble spending as soon asit receives product from amerchant

sellers or mer-chants

facilitates doublespending wait for multi-confirmations for

transactions

Brute force attack [56] privately mining onblockchain fork toperform double spending

sellers or mer-chants

facilitates doublespending creates largesize blockchain forks

inserting observers in the net-work [2] notify the merchant aboutan ongoing double spend [53]

Vector 76 orone-confirmation

attack [57]combination of the doublespending and the finneyattack

Bitcoin exchangeservices

facilitates doublespending of largernumber of bitcoins

wait for multi-confirmations fortransactions

gt 50 hashpower orGoldfinger [45] adversary controls more

than gt 50 HashrateBitcoin networkminers Bitcoinexchange centersand users

drive away the minersworking alone or within

small mining poolsweakens consensus

protocol DoS

inserting observers in thenetwork [2] communicatingdouble spending alerts amongpeers [2] disincentivizelarge mining pools [58] [59]TwinsCoin [60] PieceWork [61]

Blockdiscarding [62] [54] or

Selfish mining [6]abuses Bitcoin forkingfeature to derive an unfairreward

honest miners (ormining pools)

introduce race conditionsby forking waste the

computational power ofhonest miners withgt 50 it leads toGoldfinger attack

ZeroBlock technique [63] [64]timestamp based techniquessuch as freshness preferred [65]DECOR+ protocol [66]

Blockwithholding [29] [67] miner in a pool sub-

mits only PPoWs but notFPoWs

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueinclude only known and trustedminers in pool dissolve and closea pool when revenue drops fromexpected [62] cryptographic com-mitment schemes [67]

fork after withholding(FAW) attack [68] improves on adverse ef-

fects of selfish mining andblock withholding attack

honest miners (ormining pools)

waste resources of fellowminers and decreases the

pool revenueno practical defense reported so far

spending attack performed by Cd is successful if Cd tricksthe V to accept TCd

V (ie V deliver the purchased productsto Cd) but V will not be able to redeem subsequently InBitcoin the network of miners verify and process all thetransactions and they ensure that only the unspent coinsthat are specified in previous transaction outputs can be usedas input for a follow-up transaction This rule is enforceddynamically at run-time to protect against the possible doublespending in the network The distributed time-stamping andPoW-based consensus protocol is used for orderly storage ofthe transactions in the blockchain For example when a minerreceives TCd

V and TCd

Cdtransactions it will be able to identify

that both the transactions are trying to use the same inputs

during the transaction propagation and mining thus it onlyprocess one of the transaction and reject the other Figure 5shows the working methodology of a double spending attackdepicting the above explanation

Despite the use of strict ordering of transactions in theblockchain PoW scheme distributed time-stamping [69] andconsensus protocol [70] [71] double spending is still possiblein Bitcoin To perform a successful double spending attackfollowing requirements need to be fulfilled (i) part of thenetwork miners accept the transaction TCd

V and the vendor(V ) receives the confirmation from these miners thus releasesthe product to dishonest client (Cd) (ii) at the same time otherpart of the network miners accept the transaction TCd

Cd hence

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

Fig 5 Double Spending Attack

lead to blockchain forks in the network (iii) the vendor re-ceives the confirmation of transaction TCd

Cdafter accepting the

transaction TCd

V thus losses the product and (iv) a majorityof miners mine on top of the blockchain which contains TCd

Cd

as a valid transaction If the aforementioned steps took placein the given order then the dishonest client is able to performa successful double spend In the rest of this section we willdiscuss the variants of double spending attack that are used inorder to realize the aforementioned double spend requirementswith varying difficulties and complexities

A form of double spending called Finney attack [55] herea dishonest client (Cd) pre-mines (ie privately) a blockwhich contains the transaction TCd

Cd and then it creates a

transaction TCd

V using the same bitcoins for a vendor (V )The mined block is not informed to the network and the Cd

waits until the transaction TCd

V is accepted by the V On theother hand V only accept TCd

V when it receives a confirmationfrom miners indicating that TCd

V is valid and included in theexisting blockchain Once Cd receives the product from V theattacker releases the pre-mined block into the network thuscreates a blockchain fork (say Bprimefork) of equal length to theexisting fork (say Bfork) Now if the next mined block in thenetwork extends Bprimefork blockchain instead of Bfork then asper the Bitcoin protocol rules all the miners in the networkwill build on top of Bprimefork As the blockchain Bprimefork becomesthe longest chain in the network all the miners ignore Bforkhence the top block on Bfork which contains the transactionTCd

V becomes invalid This makes the transaction TCd

V invalidthe client will get back her coins through transaction TCd

Cd

but resulting the V losing the product However with Finneyattack an adversary can only perform double spending in thepresence of one-confirmation vendors

To avoid the Finney attack the vendor should wait formultiple confirmations before releasing the product to theclient The waiting for multiple confirmations will only makethe double spend for the attacker harder but the possibilityof the double spend remains An advancement of the Finneyattack is called Brute-force attack [56] in which a resourcefulattacker has control over n nodes in the network and these

nodes collectively work on a private mining scheme withthe motive of double spend An attacker introduces a doublespend transaction in a block as in the previous case whilecontinuously works on the extension of a private blockchain(ie Bprimefork) Suppose a vendor waits for x confirmationsbefore accepting a transaction and it sends the product to theclient once it receives the x confirmations Later the attackeris able to mine the x number of blocks ahead (ie privately)then she can release these blocks in the network and dueto its higher length than Bfork blockchain Bprimefork will beextended by all the miners in the network This causes thesame after effects as Finney attack thus causing a successfuldouble spending attack

Another attack that uses the privately mined block toperform a new form of double spending attack on Bitcoin ex-change networks is popularly known as Vector 76 attack [57]A Bitcoin exchange is a digital marketplace where traderscan buy sell or exchange bitcoins for other assets such asfiat currencies or altcoins In this a dishonest client (Cd)withholds a pre-mined block which consists of a transactionthat implements a specific deposit (ie deposit coins in aBitcoin exchange) The attacker (Cd) waits for the next blockannouncement and quickly sends the pre-mined block alongwith the recently mined block directly to the Bitcoin exchangeor towards its nearby peers with hope that the exchangeand probably some of the nearby miners will consider theblockchain containing the pre-mined block (ie Bprimefork) as themain chain The attacker quickly sends another transaction thatrequests a withdrawal from the exchange of the same coins thatwas deposited by the attacker in its previous transaction Atthis point of time if the other fork (ie Bfork) which does notcontain the transaction that is used by the attacker to depositthe coins survives the deposit will become invalidated but theattacker has already performed a withdrawal by now thus theexchanges losses the coins

Recently authors in [72] proposes a new attack againstthe PoW-based consensus mechanism in Bitcoin called theBalance attack The attack consists of delaying networkcommunications between multiple subgroups of miners withbalanced hash power The theoretical analysis provides theprecise trade-off between the Bitcoin network communicationdelay and the mining power of the attacker(s) needed to doublespend in Ethereum [73] with high probability

Based on the above discussion on double spending attackand its variants one main point that emerges is that if aminer (or mining pool) is able to mine blocks with a fasterrate than the rest of the Bitcoin network the possibility ofa successful double spending attack is high The rate ofmining a block depends upon solving the associated proof-of-work this again depends on the computing power of aminer Apart from the computing resources the success ofdouble spending attack depends on other factors as wellwhich includes network propagation delay vendor client andBitcoin exchange services connectivity or positioning in theBitcoin network and the number of honest miners Clearlyas the number of confirmations for transaction increases thepossibility that it will become invalid at a later stage decreasesthus decreases the possibility of a double spend On the other

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

hand with the increase in the computing resources of a minerthe probability of the success of a double spend increases Thisleads to a variant of double spend attack called gt 50 attackor Goldfinger attack [45] in which more than 50 computingresources of the network are under the control of a single miner(or mining pool) The gt 50 attack is considered the worst-case scenario in the Bitcoin network because it has the powerto destroy the stability of the whole network by introducing theactions such as claim all the block intensives perform doublespending reject or include transactions as preferred and playwith the Bitcoin exchange rates The instability in the networkonce started it will further strengths the attackerrsquos position asmore and more honest miners will start leaving the network

From the above discussion on the different type of doublespending attacks we can safely conclude that one can alwaysperform a double spend or it is not possible to entirelyeliminate the risk of double spending in Bitcoin Howeverperforming double spending comes with a certain level ofrisk for instance the attacker might lose the reward forthe withheld block if it is not included in the final publicblockchain Therefore it is necessary to set a lower bound onthe number of double spend bitcoins and this number shouldcompensate the risk of unsuccessful attempts of double spendAdditionally the double spends could be recognized with thecareful analysis and traversing of the blockchain thus it mightlead to blacklisting the detected peer In Section IV-A we willdiscuss in detail the existing solutions and their effectivenessfor detecting and preventing the double spending attacks

B Mining Pool Attacks

Mining pools are created in order to increase the computingpower which directly affects the verification time of a blockhence it increases the chances of winning the mining rewardFor this purpose in recent years a large number of miningpools have been created and the research in the field ofminer strategies is also evolved Generally mining pools aregoverned by pool managers which forwards unsolved workunits to pool members (ie miners) The miners generate par-tial proofs-of-work (PPoWs) and full proofs-of-work (FPoWs)and submit them to the manager as shares Once a minerdiscovers a new block it is submitted to the manager alongwith the FPoW The manager broadcasts the block in theBitcoin network in order to receive the mining reward Themanager distributes the reward to participating miners basedon the fraction of shares contributed when compared with theother miners in the pool Thus participants are rewarded basedon PPoWs which have absolutely no value in the Bitcoinsystem The Bitcoin network currently consists of solo minersopen pools that allow any miner to join and closed (private)pools that require a private relationship to join

In recent years the attack vector that exploits the vulnerabil-ities in pool based mining also increases For instance a groupof dishonest miners could perform a set of internal and externalattacks on a mining pool Internal attacks are those in whichminers act maliciously within the pool to collect more thantheir fair share of collective reward or disrupt the functionalityof the pool to distant it from the successful mining attempts In

external attacks miners could use their higher hash power toperform attacks such as double spending Figure 6 shows themarket share till December 2017 of the most popular miningpools In this section we will discuss a set of popular internaland external attacks on the mining pools

Fig 6 Bitcoin Hashrate Distribution in Present Market

In a mining pool the pool manager determines the amountof work done by individual pool members by using thenumber of shares a member find and submit while tryingto discover a new block The shares consist of a number ofhashes of a block which are low enough to have discovereda block if the difficulty was 1 To be considered as a shareeach hash has a probability of 1232 Assuming correctness ofthe hash function used it is impossible to find shares withoutdoing the work required to discover new blocks or to lookfor blocks without finding shares along the way Due to thisthe number of shares determined by a miner is proportionalon average to the number of hashes the miner calculatedwhile attempting to discover a new block for the mining poolAdditionally in [29] the author discusses the possibility ofusing variable block rewards and difficulty shares as rewardmethods in a pool This variability is introduced due to thefollowing reasons bitcoins generation per block is cut in halfevery 210000 blocks and the transaction fees vary rapidlybased on the currently available transactions in the network Asmost of the mining pools allow any miner to join them using apublic Internet interface such pools are susceptible to varioussecurity threats The adversaries believe that it is profitable tocannibalize pools than mine honestly Letrsquos understand it withan example suppose that an adversary has 30 of hashrate(HR) and 1 BTC is the block mining reward (MR) If themining pool is sharing the reward based on the invested HRthen the adversary will receive 03 BTC for each mined blockNow adversary purchases more mining equipment worth 1of current HR With standard mining strategy the adversarywill gain an additional revenue of 00069 BTC for the 1added HR By performing pool cannibalizing (ie distributeyour 1 equally among all other pools and also withholdthe valid blocks) the attacker will still receive the rewardsfrom its pool but it might also receive additional rewards

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

from the other pools to which she is sharing its 1 HRThis misbehavior will remain undetectable unless the changein reward is statistically significant

Fig 7 Selfish Mining

In [62] authors use a game theoretic approach to show thatthe miners could have a specific sort of subversive miningstrategy called selfish mining [6] or also popularly known asblock discarding attack [54] [62] In truth all the miners inthe Bitcoin are selfish as they are mining for the reward thatis associated with each block but these miners are also honestand fair with respect to the rest of miners while the selfishmining here refers to the malicious miners only In the selfishmining the dishonest miner(s) perform information hiding(ie withhold a mined block) as well as perform its revealingin a very selective way with a two-fold motive (i) obtain anunfair reward which is bigger than their share of computingpower spent and (ii) confuse other miners and lead them towaste their resources in a wrong direction As it can be seen inFigure 7 that by keeping the mined block(s) the selfish minersintentionally fork the blockchain The selfish pool keeps onmining on top of their private chain (Bprimefork) while the honestminers are mining on the public chain (Bfork) If the selfishminers are able to take a greater lead on Bprimefork and they areable to keep the lead for a longer time period their chancesof gaining more reward coins as well as the wastage of honestminers resources increases To avoid any losses as soon asthe Bfork reaches to the length of Bprimefork the selfish minerspublish their mined blocks All the miners need to adopt toBprimefork which now becomes Bfork as per the longest lengthrule of Bitcoin protocol The honest miners will lose theirrewards for the blocks that they have mined and added to theprevious public chain The analysis in [6] shows that usingthe selfish mining the poolrsquos reward exceed its share of thenetworkrsquos mining power The statement still holds in caseswhere the network found their new block before the adversarycould find a new second block Because in such case the minerwill make use of the race to propagate ie on average theattacker manages to tell 50 of the network about her blockfirst Additionally the analysis reveals that the wastage ofcomputing resources and rewards lure honest miners toward

the selfish mining pools hence it further strengthens the attackThis continuous increase in the selfish poolrsquos size might leadto gt 50 attack and at that point the effect of selfish miningwill be disastrous

Another attack much similar to the selfish mining that couldbe performed on a mining pool is known as Block withholding(BWH) [29] [67] in which a pool member never publishes amined block in order to sabotage the pool revenue howeversubmit shares consists of PPoWs but not FPoWs In particularin [29] two types of block withholding scenarios are presentedcalled ldquoSabotagerdquo and ldquoLie in waitrdquo In the first scenario theadversary does not gain any bitcoins but it just makes otherpool members lose while in the second scenario the adversaryperforms a complex block concealing attack similar to the onedescribed in the selfish mining attack In [29] authors discussa generalized version of the ldquoSabotagerdquo attack which showsthat with slight modification it is possible for the maliciousminer to also earn an additional profit in this scenario Authorsin [33] present a game-theoretic approach to analyzing effectsof block withholding attack on mining pools The analysisshows that the attack is always well-incentivized in the long-run but may not be so for a short duration This impliesthat existing pool protocols are insecure and if the attack isconducted systematically Bitcoin pools could lose millions ofdollars worth in just a few months

To analyze the effects of BWH on mining pools authorsin [9] presents The Miners Dilemma which uses an iterativegame to model attack decisions The game is played betweentwo pools say pool A and pool B and each iteration of thegame is a case of the Prisoners Dilemma ie choose betweenattacking or not attacking If pool A chooses to attack pool Apool A gains revenue pool A loses revenue but pool B canlatter retaliate by attacking pool A and gaining more revenueThus attacking is the dominant strategy in each iterationhence if both pool A and pool B attack each other they will beat a Nash Equilibrium This implies that if both will earn lessthan they would have if neither of them attacked However ifnone of the other pools attack a pool can increase its revenueby attacking the others Recently authors in [68] propose anovel attack called a fork after withholding (FAW) attackAuthors show that the BWH attackers reward is the lowerbound of the FAW attackers and it is usable up to four timesmore often per pool than in BWH attack Moreover the extrareward for a FAW attack when operating on multiple miningpools is around 56 higher than BWH attack Furthermorethe miners dilemma may not hold under certain circumstanceseg when two pools execute FAW attack the larger pool canconsistently win More importantly unlike selfish mining anFAW attack is more practical to execute while using intentionalforks

The Pool Hopping attack presented in [29] [74] uses theinformation about the number of submitted shares in themining pool to perform the selfish mining In this attackthe adversary performs continuous analysis of the number ofshares submitted by fellow miners to the pool manager in orderto discover a new block The idea is that if already a largenumber of shares have been submitted and no new block hasbeen found so far the adversary will be getting a very small

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

share from the reward because it will be distributed based onthe shares submitted Therefore at some point in time it mightbe more profitable for the adversary to switch to another poolor mine independently

Recently the Bribery attack is described in [75] In thisan attacker might obtain the majority of computing resourcesfor a short duration via bribery Authors discuss three ways tointroduce bribery in the network (i) Out-of-Band Paymentin which the adversary pays directly to the owner of thecomputing resources and these owners then mine blocksassigned by the adversary (ii) Negative-Fee Mining Pool inwhich the attacker forms a pool by paying higher returnand (iii) In-Band Payment via Forking in which the attackerattempts to bribe through Bitcoin itself by creating a forkcontaining bribe money freely available to any miner adoptingthe fork By having the majority of the hash power the attackercould launch different attacks such as double spending andDistributed Denial-of-Service (DDoS) [76] The miners thattook the bribes will get benefits which will be short-lived butthese short-lived benefits might be undermined by the lossesin the long run due to the presence of DDoS and Goldfingerattacks or via an exchange rate crash

Fig 8 Blacklisting via Punitive Forking

An adversary with gt 50 hashrate could perform a suc-cessful selective blacklisting via punitive forking The objec-tive of punitive forking is to censor the Bitcoin addressesowned by certain people say Alice and prevent them fromspending any of their bitcoins The strategy to perform theblacklisting (please refer to Figure 8) is as follows (i) theadversary with gt 50 network hashrate announces to theBitcion network that she will not extend on the blockchaincontaining transactions spending from Alicersquos Bitcoin address(ii) if some other miner include a transaction from Alice ina block the adversary will fork and create a longer proofof work blockchain (iii) Block containing Alicersquos transactionnow invalidated and it can never be published also the minerwho added the block with Alicersquos transaction will lose its blockreward However a weak adversary that has lower hashrate canstill cause delays and inconveniences for Alicersquos transaction

Punitive forking doesnrsquot work unless you have gt 50 ofhashrate However there is another strategy to achieve theblacklisting as presented in [77] In particular authors presenta malicious mining strategy called feather forking in whichan attacker announces that she will attempt to fork if she seesa block containing Alicersquos transaction in the blockchain butshe will give up after a while This is the adversary forks asper its convenience she will continue to extend its fork untilwins (ie outraces the main chain) but she gives up (iediscard its private fork and continue to extend the main chain)after block with Alicersquos transaction contains k confirmations

An adversary with total hash power less than 50 might withhigh probability lose rewards but it will be able to block theblacklisted transaction with positive probability Moreover ifthe adversary can show that she is determined to block theselected transaction and will perform the retaliatory forking ifrequired then the rest of the miners will also be motivated toblock the blacklisted transactions to avoid the losses in case ifthe attacker retaliates and wins If this is the case an attackermight be able to enforce the selective blacklisting with noreal cost because other miners are convinced that the attackerwill perform a costly feather forking attack if provoked Anattacker performing feather forking can also use it to blackmaila client by threatening that all her transactions will be put onthe blacklist until the client pays the asked ransom coins

C Client-side Security Threats

The huge increase in the popularity of bitcoins encouraged alarge number of new users to join the network Each Bitcoinclient posses a set of private-public keys in order to accessits account or wallet Hence it is desirable to have the keymanagement techniques that are secure yet usable This is dueto the fact that unlike many other applications of cryptographyif the keys of a client are lost or compromised the client willsuffer immediate and irrevocable monetary losses To use thebitcoins a user needs to install a wallet on her desktop ormobile device The wallet stores the set of private-public keysassociated with the owner of the wallet thus it is essential totake protective actions to secure the wallet The wallet theftsare mainly performed using mechanisms that include systemhacking installation of buggy software and incorrect usage ofthe wallet

Bitcoin protocol relies heavily on elliptic curve cryptog-raphy [98] for securing the transactions In particular Bitcoinuses elliptic curve digital signature algorithm (ECDSA) whichis standardized by NIST [99] for signing the transactionsFor instance consider the standard ldquoPay-to-PubKeyHashrdquo(P2PKH) transaction script in which the user needs to provideher public key and the signature (using her private key) toprove the ownership To generate a signature the user choosesa per-signature random value For security reason this valuemust be kept secret and it should be different for every othertransaction Repeating per-signature value risks the privatekey computation as it has been shown in [100] that evenpartially bit-wise equal random values suffice to derive a userrsquosprivate key Therefore it is essential for increasing the securityof ECDSA to use highly random and distinct per-signaturevalues for every transaction signature The inspection of theblockchain for instances in which the same public key usesthe same signature nonces for multiple times has been reportedby the authors in [101] In particular the authors report thatthere are 158 public keys which have reused the signaturenonce in more than one transaction signature thus making itpossible to derive userrsquos private key Recently authors in [102]present a systematic analysis of the effects of broken primitiveson Bitcoin Authors highlight the fact that in the currentBitcoin system has no migration plans in-place for both thebroken hash and the broken signature scheme ie the Bitcoins

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

TABLE IIMISBEHAVIOR ATTACKS TARGETING BITCOIN NETWORK AND ENTITIES

Attack Description Primary targets Adverse effects Possible countermeasures

Bribery attacks [75] adversary bribe miners tomine on her behalf

miners and mer-chants

increases probability of adouble spend or block

withholdingincrease the rewards for honestminers make aware the miners tothe long-term losses of bribery [75]

Refund attacks [78] adversary exploits the re-fund policies of existingpayment processors

sellers or mer-chants users

merchant losses moneywhile honest users might

lose their reputationpublicly verifiable evidence [78]

Punitive and Featherforking [77] [79] dishonest miners blacklist

transactions of specific ad-dress

users freeze the bitcoins of userfor forever remains an open challenge

Transactionmalleability [80] [4] adversary change the

TXID without invalidatingthe transaction

Bitcoin exchangecenters

exchanges loss funds dueto increase in double

deposit or doublewithdrawal instances

multiple metrics for transactionverification [81] malleability-resilient ldquorefundrdquo transaction [80]

Wallet theft [21] adversary stole or destroyprivate key of users

individual usersor businesses

bitcoins in the wallet arelost threshold signature based

two-factor security [82] [83]hardware wallets [84] TrustZone-backed Bitcoin wallet [85]Password-Protected Secret Sharing(PPSS) [86]

Time jacking [87] adversary speed-up themajority of minerrsquos clock

miners

isolate a miner and wasteits resources influencethe mining difficultycalculation process

constraint tolerance ranges [87]network time protocol (NTP) ortime sampling on the values re-ceived from trusted peers [88]

DDoS [89] [90] a collaborative attack toexhaust network resources

Bitcoin networkbusinesses min-ers and users

deny services to honestusersminers isolate ordrive away the miners

Proof-of-Activity (PoA)protocol [91] fast verificationsignature based authentication

Sybil [23] adversary creates multiplevirtual identities

Bitcoin networkminers users

facilitates time jackingDDoS and doublespending attacks

threatens user privacy

Xim (a two-party mixing proto-col) [92]

Eclipse or netsplit [3] adversary monopolizes allincoming and outgoingconnections of victim

miners users

inconsistent view of thenetwork and blockchain

enable double spendswith more than one

confirmation

use whitelists disabling incomingconnections [3]

Tampering [43] delay the propagation oftransactions and blocks tospecific nodes

miners users

mount DoS attackswrongfully increase

mining advantage doublespend

improve block request managementsystem [43]

Routing attacks [5] isolate a set of nodes fromthe Bitcoin network de-laying block propagation

miners users

denial of service attackincreases possibility of0-confirmation doublespends increases forkrate waste the mining

power of the pools

increase the diversity of node con-nections monitor round-trip timeuse gateways in different ASes [5]

Deanonymization [93] [94] linking IP addresses witha Bitcoin wallet

users user privacy violation mixing services [95]CoinJoin [96] CoinShuffle [97]

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

RIPEMD160 SHA256 and ECDSA techniques are vulnerableto various security threats such as collision attacks [103]The authors in [102] found that the main vectors of attackon bitcoins involve collisions on the main hash or attackingthe signature scheme which directly enables coin stealingHowever a break of the address hash has minimal impact asaddresses do not meaningfully protect the privacy of a user

Unlike most of the online payment systems that rely onlogin details consisting of the password and other confidentialdetails for user authentication Bitcoin relies on public keycryptography This raises the issues of the secure storage andmanagement of the user keys Over the years various typeof wallet implementations are researched to obtain securestorage of the user keys it includes software online or hostedhardware or offline paper and brain wallets Table III shows anumber of popular wallets and their main features Coinbase(coinbasecom) an online wallet is most popular due to itsdesirable features which it provides to the clients that include(i) a web interface using which the wallet can be assessedwith a browser and Internet connection (ii) a mobile appthat allows access to wallet through mobile devices (iii) anaccess to Coinbase do not require a client software and it isindependent in nature due to which the wallet providers doesnot have any control over the funds stored in a clientrsquos walletand (iv) a moderate level of security and privacy The Copaywallet allows multiple users to be associated with the samewallet while the Armory wallet works in online as well as inoffline mode The wallet providers have to find an adequatetrade-off between usability and security while introducing anew wallet into the market For instance an online wallet ismore susceptible to thefts compared to hardware wallets [84]as later are not connected to the Internet but at the same timehardware wallets lacks usability If done right there exist moreadvanced and secure ways to store the user keys called paperand brain wallets As their name indicates in the paper walletthe keys are written on a document which is stored at somephysical location analogizes the cash money storage systemwhile in brain wallet the keys are stored in the clients mind inthe form of a small passphrase The passphrase if memorizedcorrectly is then used to generate the correct private key

To avoid the aforementioned risks such as managing cryp-tographic keys [104] lost or stolen devices equipment failureBitcoin-specific malware [105] to name a few that are asso-ciated while storing the bitcoins in a wallet many users mightprefer to keep their coins with online exchanges Howeverstoring the holdings with an exchange makes the users vulner-able to the exchange systems For instance one of the mostnotorious events in the Bitcoin history is the breakdown andongoing bankruptcy of the oldest and largest exchange calledMt Gox which lost over 450 millions of dollars Moreovera few other exchanges have lost their customers bitcoinsand declared bankruptcy due to external or internal theft ortechnical mistakes [106] Although the vulnerability of anexchange system to the disastrous losses can never be fullyavoided or mitigated therefore the authors in [107] presentsProvisions which is a privacy-preserving proof of solvencyfor Bitcoin exchanges Provision is a sensible safeguard thatrequires the periodic demonstrations from the exchanges to

show that they control enough bitcoins to settle all of itscustomers accounts

D Bitcoin Network Attacks

In this section we will discuss those attacks in the Bitcointhat exploits the existing vulnerabilities in the implementationand design of the Bitcoin protocols and its peer-to-peer com-munication networking protocols We will start our discussionwith the most common networking attack called DistributedDenial-of-Service (DDoS) which targets Bitcoin currency ex-changes mining pools eWallets and other financial servicesin Bitcoin Due to the distributed nature of Bitcoin networkand its consensus protocol launching a DoS attack has noor minimal adverse effect on network functionalities henceattackers have to lunch a powerful DDoS to disturb the net-working tasks Unlike DoS attack in which a single attackercarried out the attack in DDoS multiple attackers launchthe attack simultaneously DDoS attacks are inexpensive tocarry out yet quite disruptive in nature Malicious miners canperform a DDoS (by having access to a distributed Botnet) oncompeting miners effectively taking the competing miners outof the network and increasing the malicious miners effectivehashrate In these attacks the adversary exhausts the networkresources in order to disrupt their access to genuine users Forexample an honest miner is congested with the requests (suchas fake transactions) from a large number of clients actingunder the control of an adversary After a while the minerwill likely to start discarding all the incoming inputsrequestsincluding requests from honest clients In [89] authors providea comprehensive empirical analysis of DDoS attacks in theBitcoin by documenting the following main facts 142 uniqueDDoS attacks on 40 Bitcoin services and 7 of all knownoperators were victims of these attacks The paper also statesthat the majority of DDoS attack targets the exchange servicesand large mining pools because a successful attack on thesewill earn huge revenue for the adversary as compared toattacking an individual or small mining pools

In [90] authors explore the trade-off between the two min-ing pool related strategies using a series of game-theoreticalmodels The first strategy called construction in which amining pool invests in increasing its mining capacity in orderto increase the likelihood of winning the next race While inthe second strategy called destruction in which the miningpool launches a costly DDoS attack to lower the expectedsuccess rate of the competing mining pools The majority ofthe DDoS attacks target large organizations due to bulk ransommotives Companies like CoinWallet and BitQuick were forcedto shut down only after few months of their launch due tothe effects of continuous DDoS attacks As stated above thatDDoS attack take various forms one of which is to discouragea miner so that it will withdraw itself from the mining processFor instance an attacker displays to a colleague miner that it ismore powerful and it can snatch the reward of mining and itis the obvious winner of the mining process An honest minerbackoffs since its chances of winning is less In this way anadversary will be successful in removing individual miners aswell as small pools from the mining network thus imposing a

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

TABLE IIIBITCOIN WALLETS

Coinbase Blockchain TREZOR Exodus MyCelium BitcoinCore

MultiBitHD

Electrum Copay Armory

Wallet type Hot wallet Hot wallet Hardwarewallet

Hot wallet Hot wallet Hot wallet Hot wallet Hot wallet Multisig Varies

Web interface Yes Yes Yes No No No No No Yes NoMobile app Yes Yes No No Yes No No No Yes No

Desktop client No No No Yes No Yes Yes Yes Yes YesIndependent

wallet No No Yes Yes Yes Yes Yes Yes Yes Yes

Privacy Moderate Weak Variable Good Good Good Moderate Good Good GoodSecurity Good Good Good Good Good Good Good Moderate Good GoodModerate

DDoS attack on the network [90] Moreover in [108] authorspropose network partitioning in Bitcoin hence isolating thehonest nodes from the network by reducing their reputation

Now we discuss the so-called Malleability attacks [4]which also facilitates the DDoS attacks in Bitcoin For in-stance by using a Malleability attack an adversary clogs thetransaction queue [109] This queue consists of all the pendingtransactions which are about to be serviced in the networkMeanwhile an adversary puts in bogus transactions with thehigh priority depicting itself to be highest incentive payer forthe miners When the miners try to verify these transactionsthey will find that these are the false transaction and but bythis time they have already spent a considerable amount oftime in verifying these false transactions This attack wastesthe time and resources of the miners and the network [110]Malleability is defined in terms of cryptography by [4] Acryptographic primitive is considered malleable if its outputY can be ldquomauledrdquo to some ldquosimilarrdquo value Y prime by an adversarywho is unaware of the cryptographic secrets that were used todevelop Y

In [80] another form of malleability attack called trans-action malleability is introduced Suppose that a transactionTnArarrB which transfers n bitcoins from Aprimes wallet to Bprimes

wallet With transaction malleability it is possible to createanother T prime that is syntactically different (ie Tn

ArarrB and T prime

has different transaction hash ID T idx ) from Tn

ArarrB althoughsemantically it is identical (ie T prime also transfers n coinsfrom wallet A to B) An adversary can perform transactionmalleability without even knowing the private key of A Ona high level transaction malleability refers to a bug in theoriginal Bitcoin protocol which allows the aforementionedbehavior in the network possible The main reason of thesuccess of this attack is that in Bitcoin each transaction isuniquely identified by its T id

x hence in some cases T prime will beconsidered a different transaction than Tn

ArarrB In Bitcoin certainly the transaction malleability is not

desirable but it does not cause any damage to the system untilan adversary exploits its behavior and make someone believethat a transaction has been failed However after a while thesame transaction gets published in the global blockchain Thismight lead to a possible double spend but it is particularlymore relevant while targeting the Bitcoin exchanges whichholds a significant amount of coins This is because it allowsthe users to buy and sell bitcoins in exchange for cashmoney or altcoins The Bitcoins reference implementation is

immune to the transaction malleability because it uses previoustransactionrsquos outputs as an indication for the successfullyissued transactions However few exchanges use a customimplementation and were apparently vulnerable For instanceMt Gox (a popular exchange) issued a statement in the earlydays of Bitcoin that they were attacked due to transactionmalleability therefore they are forced to halt withdrawals andfreezing clients account The attack that MtGox claimed tobe the victim proceeds as follows (i) an dishonest clientCd deposits n coins in his MtGox account (ii) Cd sends atransaction T to MtGox asking to transfer her n coins back(iii) MtGox issues a transaction T prime which transfers n coins toCd (iv) Cd performs the malleability attack obtaining T prime thatis semantically equivalent to T but has a different T id

x nowassume that T prime gets included into the blockchain instead ofT (v) Cd complains to MtGox that the transaction T was notsuccessful (vi) MtGox performs an internal check and it willnot found a successful transaction with the T id

x thus MtGoxcredits the money back to the userrsquos wallet Hence effectivelyCd is able to withdraw her coins twice The whole problemis in the above Step (vi) where MtGox should have searchednot for the transaction with T id

x of T but for any transactionsemantically equivalent to T

For the first time authors in [5] present the impact of routingattacks on Bitcoin network by considering both small andlarge scale attacks The paper shows that two key properties ofBitcoin networks which includes the ease of routing manipu-lation and the rapidly increasing centralization of Bitcoin interms of mining power and routing makes the routing attackspractical More specifically the key observations suggest thatany adversary with few (lt 100) hijacked BGP prefixes couldpartition nearly 50 of the mining power even when consid-ering that mining pools are heavily multi-homed The researchalso shows that attackers on acting as intermediate nodescan considerably slow down block propagation by interferingwith few key Bitcoin messages Authors back their claimsby demonstrating the feasibility of each attack against thedeployed Bitcoin software and quantify their effect on thecurrent Bitcoin topology using data collected from a Bitcoinsupernode combined with BGP routing data Furthermore toprevent the effect of aforementioned attacks in practice bothshort and long-term countermeasures some of which can bedeployed immediately are suggested

Due to the vulnerabilities that exist in the refund policiesof the current Bitcoin payment protocol a malicious user

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

can perform the so-called Refund attacks In [78] authorspresent the successful implementation of the refund attackson BIP70 payment protocol BIP70 is a Bitcoin community-accepted standard payment protocol that governs how vendorsand customers perform payments in Bitcoin Most of the majorwallets use BIP70 for bitcoins exchange and the two dominantPayment Processors called Coinbase and BitPay who usesBIP70 and collectively they provide the infrastructure foraccepting bitcoins as a form of payment to more than 100000vendors The authors propose two types of refund attackscalled Silkroad Trader attack which highlights an authenti-cation vulnerability in the BIP70 and Marketplace Traderattack which exploits the refund policies of existing paymentprocessors The brief description of both these refund attacksis as follows

bull In Silkroad attack a customer is under the control ofan ill trader When a customer starts trading with themerchant its address is revealed to the ill trader When thetransaction is finished the adversary initiates the attackby inserting the customersrsquo address as the refund addressand send a refund request to the merchant The merchantsends the amount to the ill merchant thus gets cheatedwithout receiving a refund from the other side Duringthis whole process of refund between the merchant andthe ill trader the customer is not at all aware of the fraudthat is happening in her name

bull The Marketplace trader attack is a typical case of theman-in-the-middle attack In this the adversary setupan attractive webpage where she attracts the customerwho falls victim in the later stages The attacker depictsherself as a trusted party by making payments throughtrust-able merchants like CeX When a customer clicksthe webpage accidentally reveals her address among theother identities that are sufficient to perform malpracticeby the rogue trader with the false webpage When cus-tomer purchase products a payment page is sent whichis a legitimate payment exchange merchant The endmerchant is connected to the adversaryrsquos webpage andmeanwhile the details of the customer would have beenalready revealed to the attacker through an external emailcommunication according to the Bitcoin refund policiesAfter the transaction the middle adversary claims arefund on behalf of the customer and the refund amountwill be sent to the rogue adversaryrsquos account Hence thelegitimate customer will not be aware of the fraud processbut the merchant loses his bitcoins [78]

Later both these attacks have been acknowledged by Coinbaseand Bitpay with temporary mitigation measures put in placeHowever the authors claim that to fully address the identifiedissues will require revising the BIP70 standard

Yet another attack on the Bitcoin networks is called Timejacking attack [87] In Bitcoin network all the participatingnodes internally maintain a time counter that represents thenetwork time The value of the time counter is based onthe median time of a nodersquos peers and it is sent in theversion message when peers first connect However if themedian time differs by more than 70 minutes from the system

time the network time counter reverts to the system timeAn adversary could plant multiple fake peers in the networkand all these peers will report inaccurate timestamps henceit can potentially slow down or speed up a nodersquos networktime counter An advanced form of this attack would involvespeeding up the clocks of a majority of the miners whileslowing down the targetrsquos clock Since the time value can beskewed by at most 70 minutes the difference between thenodes time would be 140 minutes [87] Furthermore by an-nouncing inaccurate timestamps an attacker can alter a nodersquosnetwork time counter and deceive it into accepting an alternateblockchain because the creation of new blocks heavily dependson network time counters This attack significantly increasesthe possibility of the following misbehaviors a successfuldouble spending attack exhaust computational resources ofminers and slow down the transaction confirmation rate

Fig 9 Eclipse attack

Apart from the aforementioned major attacks on Bitcoinprotocol and network there are few other minor attacks thatwe have summarized belowbull Sybil Attack A type of attack where attacker installs

dummy helper nodes and tries to compromise a part ofthe Bitcoin network A sybil attack [23] is a collaborativeattack performed by a group of compromised nodes Alsoan attacker may change its identity and may launch acollusion attack with the helper nodes An attacker triesto isolate the user and disconnect the transactions initiatedby the user or a user will be made to choose only thoseblocks that are governed by the attacker If no nodes inthe network confirm a transaction that input can be usedfor double spending attack An intruder with her helpernodes can perform a collaborated timing attack henceit can hamper a low latency encryption associated withthe network The other version of this attack where theattacker tries to track back the nodes and wallets involvedin the transaction is discussed in [92]

bull Eclipse attack In this attack [3] an adversary manip-ulates a victim peer and it force network partition (asshown in Figure 9) between the public network and aspecific miner (victim) The IP addresses to which thevictim user connects are blocked or diverted towards anadversary [3] In addition an attacker can hold multipleIP addresses to spoof the victims from the network Anattacker may deploy helpers and launch other attacks onthe network such as Nminusconfirmation double spendingand selfish mining The attack could be of two type (i)Infrastructure attacks where attack is on the ISP (Inter-

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

net Service Provider) which holds numerous contiguousaddresses hence it can manipulate multiple addressesthat connect peer-to-peer in the network and (ii) botnetattacks where an adversary can manipulate addresses ina particular range especially in small companies whichown their private set of IP addresses In both the casesan adversary can manipulate the peers in the Bitcoinnetwork

bull Tampering In a Bitcoin network after mining a blockthe miners broadcast the information about newly minedblocks New transactions will be broadcast from timeto time in the network The network assumes that themessages will reach to the other nodes in the networkwith a good speed However authors in [43] ground thisassumption and proved that the adversary can inducedelays in the broadcast packets by introducing congestionin the network or making a victim node busy by sendingrequests to all its ports Such type of tampering canbecome a root cause for other types of attacks in thenetwork

E Practical attack incidents on Bitcoin

In this section we briefly present the existing real-worldsecurity breachesincidents that have affected adversely toBitcoin and its associated technologies such as blockchainand PoW based consensus protocol From the start bitcoinfans occasionally mentioned about different security typicallydiscussing things like the 51 attack quantum computerstrikes or an extreme denial of service onslaught from somecentral bank or government entity However these days theword attack is used a bit more loosely than ever as the scalingdebate has made people believe almost everything is a Bitcoinnetwork invasion

One of the biggest attacks in the history of Bitcoin havetargeted Mt Gox the largest Bitcoin exchange in which ayearrsquos long hacking effort to get into Mt Gox culminatedin the loss of 744408 bitcoins However the legitimacy ofattack was not completely confirmed but it was enough tomake Mt Gox to shut down and the value of bitcoins toslide to a three-month low In 2013 another attack called SilkRoad the worlds largest online anonymous market famousfor its wide collection of illicit drugs and its use of Tor andBitcoin to protect its userrsquos privacy reports that it is currentlybeing subjected to what may be the most powerful distributeddenial-of-service attack against the site to date In the officialstatement from the company the following was stated ldquoTheinitial investigations indicate that a vendor exploited a recentlydiscovered vulnerability in the Bitcoin protocol known astransaction malleability to repeatedly withdraw coins from oursystem until it was completely emptyrdquo Although transactionmalleability is now being addressed by segwit the loss itcaused was far too small with the main issue seemingly beingat a human level rather than protocol level In the same yearSheep Marketplace one of the leading anonymous websitesalso announces that they have been hacked by an anonymousvendor EBOOK101 who stole 5400 bitcoins However in allthe aforementioned it remains unclear that whether there is

any hacked happened or it is just a fraud by the owners tostole the bitcoins

Bitstamp an alternative to MT Gox increasing its market-share while Gox went under were hacked out of around 5million dollars in 2015 The theft seems to have been asophisticated attack with phishing emails targeting bitstampspersonnel However as the theft was limited to just hot walletsthey were able to fully cover it leading to no direct customerlosses Poloniex is one of the biggest altcoin exchange withtrading volumes of 100000 BTC or more per day lost their123 of bitcoins in March 2014 The hack was executedby just clicking withdrawal more than once As it can beconcluded from the above discussion that the attackers alwaystarget the popular exchanges to increase their profit Howeverit does not implies that individual users are not targeted itrsquosjust that the small attacks go unnoticed Recently in August2016 BitFinex which a popular cryptocurrency exchangesuffered a hack due to their wallet vulnerability and as a resultaround 120000 bitcoins were stolen

From the nature of the aforementioned attacks it canbe concluded that security is a vital concern and biggestweakness for cryptocurrency marketplaces and exchanges Inparticular as the number of bitcoins stored and their valuehas skyrocketed over the last year bitcoins digital walletshave increasingly become a target for hackers At the sociallevel what is obvious and does not need mentioning (althoughsome amazingly dispute it) is that individuals who handle ourbitcoins should be public figures with their full background ondisplay for otherwise they cannot be held accountable Lackingsuch accountability hundreds of millions understandably isfar too tempting as we have often seen An equally importantpoint is that bitcoin security is very hard Exchanges inparticular require highly experienced developers who arefully familiar with the bitcoin protocol the many aspectsof exchange coding and how to secure hard digital assetsfor to truly secure bitcoin exchanges need layers and layersamounting to metaphorical armed guards defending iron gateswith vaults deep underground behind a thousand doors

IV SECURITY COUNTERMEASURES FOR BITCOINATTACKS

In this section we discuss the state-of-the-art securitysolutions that provides possible countermeasures for the arrayof attacks (please refer to Section III) on Bitcoin and itsunderlying technologies

A No more double spending

The transaction propagation and mining processes in Bitcoinprovide an inherently high level of protection against doublespending This is achieved by enforcing a simple rule that onlyunspent outputs from the previous transaction may be used inthe input of a next transaction and the order of transactionsis specified by their chronological order in the blockchainwhich is enforced using strong cryptography techniques Thisboils down to a distributed consensus algorithm and time-stamping In particular the default solution that provides

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

resistance to double spending in Bitcoin is its use of Proof-of-work (PoW) based consensus algorithm which limits thecapabilities of an adversary in terms of the computationalresources available to an adversary and the percentage ofhonest miners in the network More specifically the purposeof the PoW is to reach consensus in the network regarding theblockchain history thereby synchronizing the transactions orblocks and making the users secure against double-spendingattacks Moreover the concept of PoW protect the networkagainst being vulnerable to sybil attack because a successfulsybil attack could sabotage the functionality of consensusalgorithm and leads to possible double spending attack

In general double spending could be dealt in two possiblesways (i) detect a double spending instance by monitoring theblockchain progress and once detected identify the adversaryand take adequate actions or (ii) use preventive measuresThe former approach works well in the traditional centralizedonline banking system but in Bitcoin itrsquos not suitable dueto the use of continuously varying Bitcoin address thus itprovides anonymity to users and the lack of transaction roll-back scheme once it is successfully added in the blockchainTherefore the latter approach ie prevent double spend isdesirable in Bitcoin

The most effective yet simple way to prevent a double spendis to wait for a multiple numbers of confirmations beforedelivering goods or services to the payee In particular the pos-sibility of a successful double spend decreases with increasein the number of confirmations received Of course the longerback transactions lie in the blockchain the more blocks needto be caught up until a malicious chain gets accepted in thenetwork This limits attacker from possible revise the historyof transactions in the chain For instance unconfirmed bitcointransaction (zero block transaction) has a high risk of doublespend while a transaction with atleast one confirmation hasstatically zero risks of double spend and a transaction with sixconfirmations are commonly considered steady hence has zerorisks of double spend In Bitcoin the classic bitcoin client willshow a transaction as not unconfirmed until the transactionis six blocks deep5 in the blockchain However waiting ofsix transactions (about one hour) might not be suitable forvarious applications such as fast payment systems eg Aliceis very hungry and she wants to buy a snack with bitcoinsThere is nothing special about the choice of the default safeconfirmation value ie six confirmations Its choice is basedon the assumption that an adversary is unlikely to control morethan 10 of the mining power and that a negligible risk lowerthan 01 is acceptable This means that on one hand the sixconfirmations are overkill for casual attackers while at thesame time it is powerless against more dedicated attackerswith much more than 10 mining power

Authors in [2] evaluate three techniques that can be usedto detect a possible double spending in fast payment systemsThe three techniques are as follow listening period insertingobservers and forwarding double spending attempts In thefirst technique the vendor associates a listening period with

5Each new block that will be put on top of a block containing the desiredtransaction will result in the generation of a confirmation for the desiredtransaction

each received transaction and it monitors all the receivingtransactions during this period The vendor only delivers theproduct if it does not see any attempt of double spendingduring its listening period The inserting observers techniquenaturally extends the first technique based on the adoption of alistening period would be for the vendor to insert a set of nodes(ie ldquoobserversrdquo) under its control within the Bitcoin networkThese observers will directly relay all the transactions to thevendor that they receive from the network In this way with thehelp of the observers the vendor is able to see more numberof transactions in the network during its listening period thusincreases the chances of detecting a double spend The thirdtechnique (ie forwarding double spending attempts) requireseach Bitcoin peer to forward all transactions that attempt todouble spend instead of discarding them so that the vendor canreceive such a transactions on time (ie before releasing theproduct) With this approach whenever a peer receives a newtransaction it checks whether the transaction is an attempt todouble spend if so then peer forward the transaction to theirneighbors (without adding it to their memory pools)

Recently the hash power of a pool called GHashIOreached 54 for a day (ie it exceeds the theoretical attackthreshold of 51) Although the GHashIO remained honestby transferring a part of its mining power to other poolsHowever the incentives that motivate an adversary to createlarge pools remains in the network always looking for achance to wrongful gain and disrupt the network Thereforea method to prevent the formation of large pools called Twophase Proof-of-Work (2P-PoW) has been proposed in [59]The authors propose a second proof-of-work (say Y ) on topof the traditional proof-of-work (say X) of the block headerY signs the produced header with the private key controllingthe payout address Similar to existing hashing procedures thissignature must meet a target set by the network hence the useof Y forces pool managers to distribute their private key totheir clients if the manager wants to retain the same level ofdecentralization However if a manager would naively shareits private key all clients would be authorized to move fundsfrom the payout address to any destination Pool managersunwilling to share their private key needs to install miningequipment required to solve Y in a timely manner It isestimated that GHashIO owns only a small percentage of thenetworkrsquos computing power in terms of hardware as the poolshrank significantly after public outrage Depending on thedifficulty of Y primes cryptographic puzzle this would only allowa certain number of untrusted individuals to join In this wayas GHashIO is a public pool severely limit its size

Authors in [111] propose the use of decentralized non-equivocation contracts to detect the double spending and pe-nalize the malicious payer The basic idea of non-equivocationcontracts is that the payer locks some bitcoins in a depositwhen he initiates a transaction with the payee If the payerdouble spends a cryptographic primitive called accountableassertions can be used to reveal his Bitcoin credentials forthe deposit Thus the malicious payer could be penalized bythe loss of deposit coins However such decentralized non-equivocation contracts are subjected to collusion attacks wherethe payer colludes with the beneficiary of the deposit and

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

transfers the Bitcoin deposit back to himself when he doublespends resulting in no penalties On the other hand even if thebeneficiary behaves honestly the victim payee cannot get anycompensation directly from the deposit in the original designTo prevent such collusion attacks authors in [112] design fairdeposits for Bitcoin transactions to defend against double-spending The fair deposits ensure that the payer will bepenalized by the loss of his deposit coins if he double spendsand the victim payees loss will be compensated The proposedprotocol uses the assertion scheme from [111] In particularthe beneficiary can recover the payers secret key if the payerdouble spends However to ensure that the payees loss canbe compensated if the payer double spends in addition toa signature generated with the payers secret key a signaturegenerated with the payees secret key is required for the releaseof the compensation locked in the deposit Meanwhile theincentive for the beneficiary is also guaranteed in the deposit

Another solution to control double spending was proposedin [113] where all the participating users deposit a safetyamount similar to an agreement If an attacker tries to doublespend and it is detected the deposit amount will be deductedand it is given to the victim who encountered the loss Dueto the punishing attribute of the network the attack can becontrolled In [54] authors suggest a countermeasure by pro-hibiting the merchant to accept incoming connections thus anadversary cannot directly send a transaction to the merchantThis forces the adversary to broadcast the transaction over theBitcoin network and this ensures that the transaction will endup in the local view of all the miners that forwards it Laterif the adversary tries to double spend the miners will knowabout it and take primitive actions in future

Solution for 50 attack is presented in [54] The authorsprovide countermeasures for two variants of 50 attacknamely block discarding attack and difficulty rising attackIn block discarding attack an adversary has control over a setof nodes in the network called supporters The adversary andher supporters purposefully add a delay in the propagation ofthe legitimately discovered blocks and the attacker advertisesher block selfishly Hence the advertiserrsquos blockchain will in-crease and the other blocks due to delay get less attention Thedelay becomes worse as the number of supporter increasesThe solution for this attack is fixing the punishment for theadvertisers or the misbehaving miners Every node is askedto pay a deposit amount and the nodes who misbehave arepunished by dissolving the deposit amount of the concernedThis amount is distributed among the nodes who informs aboutthe misbehaving node in the network While in difficulty risingattack the attacker manipulates the network and slowly raisesthe difficulty level for the miners An attacker poses a threatto the network by controlling high hash-power compared withother nodes in the network The solution to this attack is sameas that of block discarding attack In [114] authors propose amethod called ldquoproof-of-reputationrdquo where the honest minerswill get a token based on the current market value The numberof tokens issued can vary with the market value If the minerhas the token he will be reputed in the mining market poolThe token has a value and according to which the coins aredeposited from all the miners from time to time and is fixed by

the network More the reputation of the minerrsquos chain morethe other blocks merge with that chain

For now it is safe to conclude that there is no solution avail-able in the literature that guarantees the complete protectionfrom double spending in Bitcoin The existing solutions onlymake the attack more difficult for adversaries In particulardouble spending is an attack that is well discussed in theBitcoin community but very few solutions exist so far andit remains an open challenge for the researchers The easiestyet most powerful way for a vendor to avoid a double spend isto wait for more number of confirmations before accepting atransaction Therefore each vendor or merchant of the deals inbitcoins has to set a trade-off between the risk and the productdelivery time caused while waiting for an appropriate numberof confirmations Similar to the honest Bitcoin users there isalso a trade-off for the adversary as she needs to consider theexpenses (ie the loss of computing resources and rewardsfor the pre-mined blocks) if the attack fails

B Countermeasures for Private Forking and Pool Attacks

When a dishonest miner intentionally forks the blockchainby privately mining a set of blocks it makes the Bitcoinnetwork vulnerable to a wide range of attacks such as selfishmining block-discarding attack block withholding attackbribery attack to name a few The aim of these attacks isto cheat the mining incentive system of Bitcoin Thereforeat any point in time detecting and mitigating the faulty forksfrom the set of available forks poses a major challenge forBitcoin protocol developers The simplest solution to handlethe selfish mining is suggested in [6] The authors propose asimple backward-compatible change to the Bitcoin protocolIn particular when a miner encounters the presence of multipleforks of the same length it will forward this information to allits peers and it randomly chooses one fork to extend Henceeach miner implementing the above approach by selecting arandom fork to extend This approach will decrease the selfishpoolrsquos ability to increase the probability that other miners willextend their fork

To further extend the countermeasure presented in [6]authors in [65] introduce the concept of Freshness Preferred(FP) which places the unforgeable timestamps in blocks andprefer blocks with recent timestamps This approach usesRandom Beacons [115] in order to stop miners from usingtimestamps from the future As the selfish mining uses strate-gic block withholding technique the proposed strategy willdecrease the incentives for selfish mining because withheldblocks will lose block races against newly minted or freshblocks A similar but a more robust solution for selfishmining that requires no changes in existing Bitcoin protocol isproposed in [63] The authors suggest a fork-resolving policythat selectively neglects blocks that are not published in timeand it appreciates blocks that include a pointer to competingblocks of their predecessors Therefore if the secretly minedblock is not published in the network until a competing blockis published it will contribute to neither or both brancheshence it will not get benefits in winning the fork race Authorsin [116] proposes another defense against selfish mining in

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

which miners need to publish intermediate blocks (or in-blocks) These blocks although are valid with lower puzzledifficulty but confer no mining reward onto the miner whodiscovers one When a fork happens miners adopt the branchwith the largest total amount of work rather than the longestchain

Unlike most of the aforementioned solutions against ma-licious forking authors in [64] propose a timestamp-freeprevention of block withholding attack called ZeroBlock InZeroBlock if a selfish miner keeps a mined block privatemore than a specified interval called mat than later whenthis block is published on the network it will be rejectedby the honest miners The key idea is that each consecutiveblock must be published in the network and it should bereceived by honest miners within a predefined maximumacceptable time for receiving a new block (ie mat interval)In particular an honest miner either receives or publishes thenext block in the network within the mat interval Otherwiseto prevent the block withholding the miner itself generates aspecific dummy block called Zeroblock These signed dummyZeroblocks will accompany the solved blocks to prove that theblock is witnessed by the network and that a competing blockis absent before miners are able to work on it For forkingattacks that are internal to a pool authors in [62] suggest thatthe only viable option to countermeasure a block withholdingattack launched within a pool is that the pool managers shouldinvolve ONLY miners which are personally known to themhence they can be trusted The pool manager should simplydissolve and close a pool as soon as the earning of the poolgoes lower than expected from its computational effort

In [75] bribery attack is discussed along with its coun-termeasure In bribery an attacker bribe a miner to renther computing resources thus it increases the attackers hashpower that it could use to launch various attacks in thenetwork As a countermeasure authors suggest the use ofanti-payment (ie counter-bribing) to pool miners which havevalue more than what attackers are paying to these minersto perform a malicious behavior However the drawback isthat a legitimate pool manager has to spend a lot to takeminers toward the normal mining routine In addition as thenumber of bribing node or a nodersquos bribe amount increasesthe capital requirements for the manager also increases andas the crypt math becomes more and more difficult the bribeamount increases hence makes it difficult for the manager tokeep the process of counter-bribing active for longer periods

C Securing Bitcoin wallets

A wallet contains private keys one for each account [104]These private keys are encrypted using the master key whichis a random key and it is encrypted using AES-256-CBCwith a key derived from a passphrase using SHA-512 andOpenSSLs EVP BytesToKey [117] Private key combinedwith the public key generates a digital signature which is usedto transact from peer-to-peer Bitcoin uses ECDSA (EllipticCurve Digital Signature Algorithm) algorithm for encryptionand it is modified in [101] for secret sharing and thresholdcryptography

A manual method of wallet protection was proposedby [118] called ldquocold walletrdquo A cold wallet is another accountthat holds the excess of an amount by the user This methoduses two computers (the second computer has to be discon-nected from the Internet) and using the Bitcoin wallet softwarea new private key is generated The excess amount is sent tothis new wallet using the private key of a user Authors in [118]claim that if the computer is not connected to the Internet thehackers will not get to know the keys hence the wallet safetycan be achieved Securing wallets with new cryptographicalgorithms apart from ECDSA is still an open issue and achallenge In [119] an article states that US government havelaunched their own Bitcoin networks with multi-factor securitywhich incorporates fingerprint biometrics for wallet protectionA device is a standalone tool same as the size of a creditcard In [84] authors propose BlueWallet a proof-of-conceptbased hardware token for the authorization of transactionsin order to protect the private keys The concept is similarto the use of the ldquocold walletrdquo that is it uses a dedicatedhardware not connected to the Internet to store the privatekeys The hardware token communicates with the computer (orany other device) that creates the transaction using BluetoothLow Energy (BLE) and it can review the transaction beforesigning it The securely stored private key never leaves theBlueWallet and is only unlocked if the user correctly enters herPIN BlueWallet provides the desired security at the expense ofthe usability as the users have to invest and keep an additionaldevice while making a transaction

Bitcoin already has a built-in function to increase thesecurity of its wallets called ldquomulti-signaturerdquo which tightensthe security by employing the splitting control technique Forinstance BitGo - an online wallet which provides 2-of-3 multi-signature transactions to its clients However the drawbackof using the multi-signature transactions is that it greatlycompromises the privacy and anonymity of the user Authorsin [82] propose an efficient and optimal threshold DigitalSignature Algorithm (DSA) scheme for securing private keysThe main idea behind the use of threshold signatures proposedin [82] is derived from secret sharing [120] in which theprivate key is split into shares Any subset of the sharesthat is equal to or greater than a predefined threshold isable to reconstruct the private key but any subset that issmaller will gain no information about the key The mainproperty of threshold signatures [83] is that the key is neverrevealed because the participants directly construct a signatureRecently authors in [85] present a TrustZone6 based Bitcoinwallet and shows that it is more resilient to the dictionary andside-channel attacks Although the use of TrustZone makesuse of the encrypted storage hence the writing and readingoperations become slower

D Securing Bitcoin Networks

In this section we will discuss various existing counter-measures proposed for securing the Bitcoinrsquos core protocolsand its peer-to-peer networking infrastructure functionalities

6TrustZone is a technology that is used as an extension of processors andsystem architectures to increase their security

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

against an array of security threats some of which we havediscussed in Section III-D

1) DDoS Attacks In [90] authors propose a game theoreticapproach for analyzing the DDoS attacks The game assumesthat the pools are in competition with each other becausethe larger pools are always weighted more than the smallerpools The game exists between the pools and each pooltries to increase their computational cost over others and thenit imposes a DDoS attack on the other pools In this wayauthors draw an equilibrium condition between the playersand concludes that the larger pools will have more incentivesagainst the smaller pools In [9] authors propose a ldquominerrsquosdilemmardquo again a game theoretical approach to model thebehavior of miners similar to repetitive prisonerrsquos dilemmaThere exist a game between the pools The longest chaindominates over the smaller chains and grabs the rewards bybehaving selfishly in the network Game theory concludes thatby performing attacks the pools actually lose the bitcoinsthat they are supposed to get when compared it with the casewithout attacking each other In particular this kind of gametheory problems is called ldquoTragedy of Commonsrdquo where thepeers turn out to be rational selfish and harm other peers fortheir benefits

In [91] authors propose Proof-of-Activity (PoA) protocolwhich is robust against a DDoS attack that could be launchedby broadcasting a large number of invalid blocks in thenetwork In PoA each block header is stored with a cryptvalue and the user that stores the first transaction places thisvalue These users are called ldquostakeholdersrdquo in the networkand they are assumed to be honest Any subsequent storage oftransactions in this block is done if there are valid stakeholdersassociated with the block Storage of crypt value is randomand more transactions are stored only if more stake users areassociated with the chain If the length of the chain is moretrustworthiness among other peers increases and more minersget attracted towards the chain Hence an adversary cannotplace a malicious block or transaction since all the nodes inthe network are governed by stakeholders

One possible way to mitigate DDoS attacks is to use thetechnique discussed in [121] which suggests the continuousmonitoring of network traffic by using browsers like Toror any user-defined web service Applying machine-learningtechniques like SVM and clustering will identify which partof the network is behaving ill Hence that part can be isolatedfrom the network until debugged Other possible methodsto protect against DDoS attacks include (i) configure thenetwork in a way that malicious packets and requests fromunnecessary ports will be prohibited (ii) implement a thirdparty DoS protection scheme which carefully monitors thenetwork and identify variations in the pattern We believe thatsimilar approaches could also be implemented in future inBitcoin networks to countermeasure DoS attacks

2) Time Jacking and Eclipse Attack In this attack anadversary alters the node time therefore the dependency of anode on network time can be replaced by a hardware orientedsystem time The accept time window for transactions at anode has to be reduced making the node recover quickerfrom the attacks Time jacking is a dreaded attack that might

split the network into multiple parts hence it can isolate thevictim node A set of techniques is suggested in [87] to avoidtime jacking that includes use of the system time instead ofnetwork time to determine the upper limit of block timestampstighten the acceptable time ranges and use only trusted peersEven a node can be designed to hold multiple timestampsassuming that the attacker may not alter all the timestampsFurthermore node timestamps can be made dependent on theblockchain timestamps [87]

In [3] authors provide techniques to combat eclipse attackwhich uses an additional procedure to store the IP addressesthat are trustworthy If the users are connected to other peersin the network these peers are stored in ldquotriedrdquo variable Theconnection of the user with the peers is dependent on thethreshold of the trust factor which varies from time to timeThe users can have special intrusion detection system to checkthe misbehaving nodes in the network The addresses whichmisbehave in the network could be banned from connectionsThese features can prevent the users from an eclipse attackIn particular having a check on the incoming and outgoingconnections from the node can reduce the effect of an eclipseattack

3) Refund Attacks and Transaction Malleability In [78]modifications are proposed in the Payment Request messageby adding information about the customer such as registerede-mail address delivery address and product information Thepayment address should be unique with each Payment RequestEach request is associated with a key and the same key is usedfor a refund However the use of the additional informationposes a threat to the customer privacy The customer is nolonger involved in the information broadcast about the trans-action but the responsibility is to handover the refund to themerchant Hence all the nodes will learn about the transactionduring verification phase and can identify the attacker easily Inparticular the idea is to provide the merchant a set of publiclyverifiable evidence which can cryptographically prove that therefund address received during the protocol belongs to thesame pseudonymous customer who authorized the payment

In [122] authors propose a manual intervention processthat checks the withdrawal transactions to detect a possiblemalleability attack Any suspicious pending transactions in theblocks can be seen as a sign of the attack In addition all thetransactions in the Bitcoin network should have confirmationsIn [80] authors show a case of malleability attack on ldquode-posit protocolrdquo and provides a solution namely new depositprotocol Finally the new Segregated Witness 7 (SegWit)proposal stores transaction signatures in a separate merkletree prevent unintended transaction malleability moreover itfurther enables advanced second-layer protocols such as theLightning Network MAST atomic swaps and more Recentlythe SegWit soft fork has been activated on the Bitcoin networkMore specifically the SegWit activation means that Bitcoinsblock size limit is replaced by a block ldquoweightrdquo limit whichallows for blocks to the size of 4 MB instead of 1 MB

4) Reducing Delays in Processing and Propagation ofTransactions In practice the transactions with a large number

7https enbitcoinitwikiSegregatedW itness

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

of bitcoins are not usually carried out due to the risk of losingit or fear of fraudulent activities Such transactions are brokeninto a set of smaller transactions However this eventuallyincreases the delay in completing the transaction because thenetwork has to validate more number of transactions There-fore to reduce this delay authors in [123] suggest performingthe payments offline through a separate type of transactionscalled ldquomicropaymentsrdquo [124] and via a separate channelcalled micropayment channel This channel is not a separatenetwork but part of Bitcoin network itself In a traditionalBitcoin network users broadcast their transaction and theminers verify it This happens for all the transactions and thenetwork might get clogged at places where a large numberof transaction exists Also in such situations the networkgives preference to transactions with large denomination andtransaction fees as compared to the smaller ones Hence byestablishing micropayment channels the separate dedicatedchannel is allocated for the counter-parties to perform thetransaction The basic idea is that the transaction is notrevealed until both the parties trust each other on their balancesand transactions that they wants to perform If either of theones misbehaves then the transaction is broadcasted for theverification in the Bitcoin network The channels obey theBitcoin protocols and they are established like any othernaive network routing techniques Hence these micro paymentchannels constitute a ldquolightning networkrdquo within the Bitcoinnetwork The advantages of using such a lightning networkare as follows

bull The technique provides high-speed payments eliminatesthe dependency on the third party to validate reducedload on the Bitcoin network channels can stay openindefinitely for the transactions counter-parties can moveout of the agreement whenever they want parties can signusing multiple keys

bull Parties can broadcast their information when they wantfor seeking the interference of the other miners to solvethe discrepancies

bull Parties can send their transaction over the channel withoutrevealing their identities to the network and the nodeshelping in routing

Transactions propagation delay in Bitcoin network facil-itates the double spending attack Hence accelerating thetransaction propagation will help to reduce the probabilityof performing a successful double spending attack Authorsin [125] propose a Bitcoin Clustering Based Ping Time proto-col (BCBPT) to reduce the transaction propagation delay byusing the proximity information (eg ping latencies) whileconnecting to peers Moreover in the context of the selfishmining attack authors in [126] study the effect of communi-cation delay on the evolution of the Bitcoin blockchain

In [43] authorrsquos provide solutions for tampering attacks Anode can announce the time it takes to mine a block togetherwith the advertisement of a new block This makes anotherpeer in the network to approximately estimate the average timeneeded to mine a block and hence no one can spoof by addingunnecessary delays or tampering timestamps Instead of statictimeouts dynamic timeouts can make more sense since mining

time can vary from node to node All the senders buffer the IPaddresses to which it is connecting every time and this avoidsthe IP sending same advertise messages again and again tothe same peer A track of all the nodes has to be recorded atevery sender and pattern can be analyzed If a transaction isnot replied by a node in a time window then the sender couldask other nodes to confirm the transaction

Despite all the security threats and their solutions that wehave discussed the number of honest miners in the networkis a factor of consideration More the miners more peopleto verify the transactions hence faster the block validationprocess and more efficient and secure the consensus processAs the miners are incentive driven the reward bitcoins canpull more miners into the process but at the same time thereward reduces half for every four years hence the minersmight migrate towards other cryptocurrencies which offerthem higher rewards

The security issues in Bitcoin are closely linked with thetransaction privacy and user anonymity In Bitcoin right nowthe users are not really anonymous The systematic monitoringof the Bitcoinrsquos unencrypted peer-to-peer network and analysisof the public blockchain can reveal a lot of information suchas who is using Bitcoin and for what purposes Additionallythe use of Know Your Customer (KYC) policies and Anti-Money Laundering (AML) regulation with network trafficand blockchain analysis techniques could further enhance thequality of the extracted information From privacy as well asbusiness perspectives this is not good For instance usersmight not necessarily want the world to know where theyspend their bitcoins how much they own or earn Similarlythe businesses may not want to leak transaction details totheir competitors Furthermore the fact that the transactionhistory of each bitcoin is traceable puts the fungibility of allbitcoins at risk To this end we discuss the threats and theirexisting countermeasures for enabling privacy and enhancinganonymity for Bitcoin users in the following section

Fig 10 Blockchain analysis - Transaction graph

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

Fig 11 Blockchain analysis - Address graph

Fig 12 Blockchain analysis - EntityUser graph

V PRIVACY AND ANONYMITY IN BITCOIN

The traditional banking system achieves a level of privacyby limiting access to transactions information to the entitiesinvolved and the trusted third party While in Bitcoin thepublic blockchain reveals all the transaction data to any userconnected to the network However the privacy can still bemaintained upto certain level by breaking the flow of infor-mation somewhere in the Bitcoin transaction processing chainBitcoin achieves it by keeping public keys anonymous ie thepublic can see that someone is sending an amount to someoneelse but without information linking the transaction to anyoneTo further enhance the user privacy it is advised to use anew key pair for each transaction to keep them from beinglinked to a particular user However linking is still possiblein multi-input transactions which necessarily reveal that theirinputs were owned by the same owner Also if the owner of akey is revealed there is a risk that linking could reveal othertransactions belonging to the same user In particular Bitcoinoffers a partial unlinkability (ie pseudonymity) and thus itis possible to link a number of transactions to an individualuser by tracing the flow of money through a robust blockchain

analysis procedure Bitcoin technology upholds itself whenit comes to the privacy but the only privacy that exists inBitcoin comes from pseudonymous addresses (public keysor their hashes) which are fragile and easily compromisedthrough different techniques such as Bitcoin address reuseldquotaintrdquo analysis and tracking payments via blockchain analysismethods IP address monitoring nodes web-spidering to namea few Once broken this privacy is difficult and sometimescostly to recover In [93] authors highlight the fact that theBitcoin does not have any directory to maintain the log andother transaction-related information However an adversarycan associate the offline data such as emails and shippingaddresses with the online information and it can get theprivate information about the peers In this section we discussthe various security threats to privacy and anonymity of theBitcoin users and the corresponding state-of-the-art solutionsthat are proposed to enhance the same

A Blockchain Analysis and Deanonymization

A complete anonymity in Bitcoin is a complicated issueTo enforce anonymity in transactions the Bitcoin allows usersto generate multiple Bitcoin addresses and it only stores themapping information of a user to her Bitcoin addresses on theuserrsquos device As a user can have multiple addresses hencean adversary who is trying to deanonymize needs to constructa one-to-many mapping between the user and its associatedaddresses In particular the Bitcoin users can be linked toa set of public addresses by using a detailed blockchainanalysis procedure [127] Authors in [93] show that the twonon-trivial networking topologies called transaction networkand user network which provides reciprocal views of theBitcoin network and have possible adverse implications foruser anonymity Similar to the work done in [93] authorsin [128] presents an evaluation for privacy concerns in Bitcoinby analyzing the public blockchain The analysis of blockchainrequires three pre-processing steps which includesbull Transaction graph The whole blockchain could be

viewed as an acyclic transaction graph Gt = TEwhere T is a set of transactions stored in the blockchainand E is the set of unidirectional edges between thesetransactions A Gt represents the flow of bitcoins betweentransactions in the blockchain over time The set of inputand output bitcoins in a transaction can be viewed as theweights on the edges in a Gt In particular each incomingedge e isin E in a transaction carries a timestamp andthe number of bitcoins (Ci) that forms an input for thattransaction Figure 10 shows an instance of transactiongraph for a set of transactions stored in the blockchain

bull Address graph By traversing the transaction graph wecan easily infer the relationship between various inputand output Bitcoin addresses and using these relationswe can generate an address graph Ga = PEprime whereP is the set of Bitcoin addresses and Eprime are the edgesconnecting these addresses Figure 11 shows an addressgraph derived from Figure 11

bull Userentity graph By using the address graph along witha number of heuristics which are derived from Bitcoin

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

protocols the next step is to create an entity graph bygrouping addresses that seem to be belonging to the sameuser The entity graph Ge = UEprimeprime where U is adisjoint subset of public keys (p) such that p isin P and Eprimeprime

are the edges connecting different U primes to show a directedconnectivity between them Figure 12 shows the entitygraph derived from Figure 11 based on a set of heuristics

In [128] authors introduce two heuristics that are deriveddirectly from Bitcoin protocols or its common practices Thefirst is the most widely used heuristic that provides an adequatelevel of linkability and it heavily depends on the implementa-tion details of Bitcoin protocols and are termed as idiomsof use as mentioned in [129] The idioms of use assumesthat all the inputs in a transaction are generated by the sameuser because in practice different users rarely contribute in asingle collaborative transaction This heuristic also supportsthe fact that transitive closure can be applied to the transactiongraph to yield clusters of Bitcoin addresses For instance byapplying the above heuristic along with its transitive propertyon Figure 10 one can assume that transactions Tx2 andTx3 are initiated by the same user as both shares a commoninput p5 hence the addresses ranging from p3 to p6 couldbelong to the same user The second heuristic links the inputaddresses of a transaction to its output addresses by assumingthat these outputs as change addresses if an output addressis completely new (ie the address has never appeared inthe past and it will not be seen in the blockchain to be re-used to receive payments) In Figure 11 the addresses p14and p18 satisfy the second heuristic and thus these addressescan be clustered with their inputs as shown in the Figure 12Authors in [129] argued that the aforementioned heuristicsare prone to errors in cases where the implementation ofBitcoin protocols change with time and the traditional Bitcoinnetwork also changes which now consists of more number ofmining pools instead of single users Due to these facts it ispossible that the entity graph might contain a large numberof false positives in the clustering process hence it leads tothe further refinements in the above heuristics To reduce thefalse positives authors in [129] suggest the manual inspectionprocess to identify the usage patterns induced by Bitcoin ser-vices (such as SatoshiDice) For instance SatoshiDice requiresthat the payouts use the same address therefore if a userspent coins using a change address the address would receiveanother input which invalidates the one-time receive propertyof a change address Furthermore in [117] authors exploitthe multi-signature addressing technique for the purpose ofadverse effect on the user privacy Authors conclude that evenif the Bitcoin addresses are changed the structure of thechange address in a multi-signature transaction can be matchedto its input addresses

Apart from using the adaptable and refined heuristics tomatch with the constantly changing blockchain usage patternsand Bitcoin services the adversary needs to take further stepsto link the address clusters with the real-world identities oncean entity graph with low false positives is created Authorsin [129] perform with high precision the linking of clusterswith the online wallets vendors and other service providers

as one can do several interactions with these entities andlearn at least one associated address However identifyingregular users is difficult with the same approach but theauthors also suggest that authorities with subpoena powermight even be able to identify individual users since most ofthe transaction flow passes through their centralized serversThese servers usually require keeping records for customeridentities Furthermore the use of side-channel informationis considered helpful in mapping the addresses For instanceWikiLeaks Silk Road to name a few uses publicly knownaddresses and many service providers such as online sellersor exchange services require the user identity before providinga service One can also make use of the web crawlers (such asbitcointalkorg) that searches the social networks for Bitcoinaddresses [130] [131]

A commercial approach for blockchain analysis could beto use the software BitIodine [132] that offers an automatedblockchain analysis framework Due to its rapid growth insuch a short span of time the Bitcoin networks has becomeof great interest to governments and law enforcement agenciesall over the world to track down the illicit transactions Bypredicting that there is a huge market potential for Bitcoinvarious companies such as Elliptic Chainalysis NumisightSkry to name a few are specializing in ldquobitcoin blockchainanalysisrdquo models These companies provide a set of tools toanalyze the blockchain to identify illicit activities and evenhelp to identify the Bitcoin users in the process Authorsin [133] propose BitConeView a graphical tool for the visualanalysis of bitcoins flow in a blockchain BitConeView allowsto graphically track how bitcoins from the given sources(ie transaction inputs) are spent over time by means oftransactions and are eventually stored at multiple destinations(ie unspent transaction outputs)

Recently authors in [134] analyze the impact of onlinetracking on the privacy of Bitcoin users The paper showsthat if a user purchases by paying with cryptocurrency suchas bitcoins an adversary can uniquely identify the transactionon the blockchain by making use of the third-party trackerswhich typically possess enough information about the pur-chase Latter these transactions could be linked to the usercookies and then with the real identity of a user and userrsquospurchase history is revealed Furthermore if the tracker is ableto link the two purchases of the same user to the blockchainin this manner it can identify the userrsquos entire cluster ofBitcoin addresses and transactions on the blockchain throughthe use of standard tracking software and blockchain analysistechniques The authors show that these attacks are resilientagainst the existing blockchain anonymity techniques such asCoinJoin [96] Also these attacks are passive hence can beretroactively applied to past purchases as well

Finally network de-anonymization could be used to link anIP address to a user in the Bitcoinrsquos P2P network because whilebroadcasting a transaction the node leaks its IP address Sameas the blockchain analysis a rigorous way to link IP addressesto hosts is by exploiting the network related information thatcan be collected by just observing the network Over theyears multiple deanonymization attacks in which an adversaryuses a ldquosupernoderdquo that connects with the active peers and

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

listen to the transaction traffic relayed by honest nodes inthe network [94] [135] [93] are proposed By exploiting thesymmetric diffusion of transactions over the network it ispossible to link the Bitcoin usersrsquo public keys to their IPaddresses with an accuracy of nearly 30 [94] Moreoverthe use of ldquosupernoderdquo for linking is trivial hence it exploitsonly minimal knowledge of the P2P graph structure andthe structured randomness of diffusion Therefore we canhypothesize that even higher accuracies could be achieved byusing more sophisticated network traffic analyzing techniques

B Proposals for enabling privacy and improving anonymity

Privacy is not defined as an inherent property inBitcoin initial design but it is strongly associatedwith the system Therefore in recent years an arrayof academic research [128] [144] [145] [132] whichshows various privacy-related weaknesses in thecurrent Bitcoin protocol(s) has been surfaced Thisresearch triggered a large set of privacy-enhancingtechnologies [144] [146] [92] [141] [143] [147] [136] [140]aiming at strengthening privacy and improving anonymitywithout breaking Bitcoin fundamental design principles Inthis section we discuss these state-of-the-art protocols whichwork toward the enhancement of privacy and anonymity inBitcoin

Based on the aforementioned discussion in Section V itis evident that the public nature of the blockchain posesa significant threat to the privacy of Bitcoin users Evenworse since funds can be tracked and tainted no two coinsare equal and fungibility a fundamental property requiredin every currency is at risk With these threats in mindseveral privacy-enhancing technologies have been proposedto improve transaction privacy in Bitcoin The state-of-the-art proposals (refer tables IV and V) for enabling privacyin cryptocurrencies can be broadly classified into three majorcategories namely Peer-to-peer mixing protocols Distributedmixing networks and Altcoins

1) Peer-to-peer mixing protocols Mixers are anonymousservice providers that uses mixing protocols to confuse thetrails of transactions In mixing process the clientrsquos funds aredivided into smaller parts These parts are mixed at randomwith similar random parts of other clients and you end up withcompletely new coins This helps to break any link between theuser and the coins she purchased However mixers are not anintegral part of Bitcoin but various mixing services are heavilyused to enhance the anonymity and unlinkability in the systemIn peer-to-peer (P2P) mixing protocols [148] [139] [97] aset of untrusted Bitcoin users simultaneously broadcast theirmessages to create a series of transactions without requiringany trusted third party The main feature of a P2P mixingprotocol is to ensure sender anonymity within the set ofparticipants by permuting ownership of their coins The goal isto prevent an attacker which controls a part of the network orsome of the participating users to associate a transaction to itscorresponding honest sender The degree of anonymity in P2Pprotocols depends on the number of users in the anonymityset

Table IV shows a range of P2P mixing protocols along withtheir brief description advantages and disadvantages in termsof user anonymity and transaction security CoinJoin [96]a straightforward protocol for implementing P2P mixing itaims to enhance privacy and securely prevent thefts Figure 13shows CoinJoin basic idea with an example in which twotransactions (ie tx1 and tx2) are joined into one whileinputs and outputs are unchanged In CoinJoin a set of userswith agreed (via their primary signatures) inputs and outputscreate a standard Bitcoin transaction such that no externaladversary knows which output links with which input henceit ensures external unlinkability To prevent theft a user onlysigns a transaction if its desired output appears in the outputaddresses of the transaction In this way CoinJoin makesthe multiple inputs of a transaction independent from eachother thus it breaks the basic heuristic from Section V-A (ieinputs of a transaction belong to the same user) HoweverCoinJoin has few major drawbacks which includes limitedscalability and privacy leakage due to the need of managingsignatures of the involved participants in the mixing set therequirement of signing a transaction by all its participantsmake CoinJoin vulnerable to DoS attacks and to create amix each participant has to share their signature and outputaddresses within the participating set which causes internalunlinkability To address the internal unlinkability issue andto increase the robustness to DoS attacks authors in [97]propose CoinShuffle a decentralized protocol that coordinatesCoinJoin transactions using a cryptographic mixing techniqueLater an array of protocols [136] [137] [139] are built on theconcept of either CoinJoin or CoinShuffle that enhances theP2P mixing by providing various improvements that includesresistance to DoS sybil and intersection attacks plausibledeniability low mixing time and scalability of the mixinggroups

2) Distributed mixing networks Authors in [141] proposeMixCoin a third-party mixing protocol to facilitate anony-mous payments in Bitcoin and similar cryptocurrencies TheMixCoin uses the emergent phenomenon of currency mixesin which a user shares a number of coins with a third-partymix using a standard-sized transaction and it receives backthe same number of coins from the mix that is submittedby some other user hence it provides strong anonymityfrom external entries MixCoin uses a reputation-based crypto-graphic accountability technique to prevent other users withinthe mix from theft and disrupting the protocol Howevermixes might steal the user coins at any time or become athreat to the user anonymity because the mix will know theinternal mapping between the users and outputs To provideinternal unlinkability (ie preventing the mix from learninginput-output linking) in MixCoin authors in [142] proposesBlindCoin which extends the MixCoin protocol by using blindsignatures to create user inputs and cryptographically blindedoutputs called blinded tokens However to achieve this internalunlinkability BlindCoin requires two extra transactions topublish and redeem the blinded tokens and the threat of theftfrom the mix is still present

Recently in [143] authors propose TumbleBit a Bitcoin-compatible unidirectional unlinkable payment hub that allows

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

Fig 13 Example CoinJoin basic idea

peers to make fast off-blockchain payments anonymouslythrough an untrusted intermediary called Tumbler Similar toChaumian original eCash protocol [149] TumbleBit enforcesanonymity in the mixing by ensuring that no one not eventhe Tumbler can link a transaction of its sender to its receiverThe mixing of payments from 800 users shows that TumbleBitprovides strong anonymity and theft resistance and it isscalable

3) Bitcoin extensions or Altcoins Bitcoin has not just beena most popular cryptocurrency in todayrsquos market but it ushersa wave of other cryptocurrencies that are built on decentralizedpeer-to-peer networks In fact the Bitcoin has become thede facto standard for the other cryptocurrencies The othercurrencies which are inspired by Bitcoin are collectivelyknown as altcoins Instead of proposing techniques (such asmixing and shuffling) to increase transaction anonymity anduser privacy the altcoins work as an extension to Bitcoin ora full-fledged currency The popular altcoins along with theirbrief description have been shown in Table V Some of thesecurrencies are easier to mine than Bitcoin however there aretradeoffs including greater risk brought on by lesser liquidityacceptance and value retention

Authors in [150] propose ZeroCoin a cryptographic ex-tension to Bitcoin which provides anonymity by design byapplying zero-knowledge proofs which allow fully encryptedtransactions to be confirmed as valid It is believed that thisnew property could enable entirely new classes of blockchainapplications to be built In ZeroCoin a user can simply washthe linkability traces from its coins by exchanging them foran equal value of ZeroCoins But unlike the aforementionedmixing approaches the user should not have to ask for theexchange to a mixing set instead the user can itself generatethe ZeroCoins by proving that she owns the equal value ofbitcoins via the Zerocoin protocol For instance Alice canprove to others that she owns a bitcoin and is thus eligible tospend any other bitcoin For this purpose first she produces asecure commitment ie the zerocoin which is recorded in theblockchain so that others can validate it In order to spend abitcoin she broadcasts a zero-knowledge proof for the respec-

tive zerocoin together with a transaction The zero-knowledgecryptography protects Alice from linking the zerocoin to herStill the other participants can verify the transaction andthe proof Instead of a linked list of Bitcoin transactionsZerocoin introduces intermediate steps In this way the use ofzero-knowledge proofs prevent the transaction graph analysesUnfortunately even though Zerocoins properties may seemappealing it is computationally complex bloats the blockchainand requires protocol modifications However it demonstratesan alternative privacy-aware approach Currently ZeroCoinderives both its anonymity and security against counterfeitingfrom strong cryptographic assumptions at the cost of substan-tially increased computational complexity and size

An extension of ZeroCoin called ZeroCash (also know asZcash) is presented by [146] ZeroCash uses an improvedversion of zero-knowledge proof (in terms of functionalityand efficiency) called zk-SNARKs which hides additionalinformation about transactions such as the amount and recip-ient addresses to achieve strong privacy guarantees HoweverZeroCash relies on a trusted setup for generation of secretparameters required for SNARKs implementation it requiresprotocol modifications and the blockchain pruning is notpossible Recently authors in [152] propose MimbleWimblean altcoin that supports confidential transactions (CT) TheCTs can be aggregated non-interactively and even acrossblocks thus greatly increases the scalability of the underlyingblockchain However such aggregation alone does not ensureinput-output unlinkability against parties who perform theaggregation eg the miners Additionally Mimblewimble isnot compatible with smart contracts due to the lack of scriptsupport

Beyond Bitcoin the so-called second generation of cryp-tocurrencies such as Ethereum (Ether) Mastercoin (MSC)Counterparty (XCP) are introduced in the market Thesecryptocurrencies implement a new transaction syntax with afully-fledged scripting language written in Turing completelanguage Furthermore these cryptocurrencies understood thedigital assets in terms of smart contracts and colored coinsUnlike Bitcoin Ethereum was designed to be much more than

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

TABLE IVTECHNIQUES FOR IMPROVING PRIVACY AND ANONYMITY IN BITCOIN

Proposals TypeClass Distinct features and properties Advantages DisadvantagesCoinJoin [96] P2P uses multi-signature transactions to

enhance privacyprevent thefts lower per-transaction fee

anonymity level depends on thenumber of participants vulnerableto DoS (by stalling joint transac-tions) sybil and intersection at-tacks prevents plausible deniabil-ity

CoinShuffle [97] P2P decentralized protocol forcoordinating CoinJoin transactionsthrough a cryptographic mixingprotocol

internal unlinkability robust toDoS attacks theft resistance

lower anonymity level and deni-ability prone to intersection andsybil attacks

Xim [92] P2P anonymously partnering and multi-round mixing

distributed pairing internal unlink-ability thwarts sybil and DoS at-tacks

higher mixing time

CoinShuffle++ DiceMix [136]

P2P based on CoinJoin concept optimalP2P mixing solution to improveanonymity in crypto-currencies

low mixing time (8 secsfor 50 peers) resistant todeanonymization attack ensuressender anonymity and termination

vulnerable to DoS and sybil at-tacks limited scalability no sup-port for Confidential Transactions(CT)

ValueShuffle [137] P2P based on CoinShuffle++ conceptuses Confidential Transactionsmixing approach to achievecomprehensive transaction privacy

unlinkability CT compatibility andtheft resistance normal paymentusing ValueShuffle needs only onetransaction

vulnerable to DoS and sybil at-tacks limited scalability

Dandelion [138] P2P networking policy toprevent network-facilitateddeanonymization of Bitcoinusers

provides strong anonymity even inthe presence of multiple adver-saries

vulnerable to DoS and sybil attacks

SecureCoin [139] P2P based on CoinParty concept anefficient and secure protocol foranonymous and unlinkable Bitcointransactions

protect against sabotage attacks at-tempted by any number of partic-ipating saboteurs low mixing feedeniability

vulnerable to DoS attacks limitedscalability

CoinParty [140] partiallyP2P

based on CoinJoin concept usesthreshold ECDSA and decryptionmixnets to combine pros of central-ized and decentralized mixes in asingle system

improves on robustnessanonymity scalability anddeniability no mixing fee

partially prone to coin theft andDoS attack high mixing time re-quires separate honest mixing peers

MixCoin [141] Distributed third-party mixing with account-ability

DoS and sybil resistance partial internal unlinkability andtheft resistance

BlindCoin [142] Distributed based on MixCoin concept usesblind signature scheme to ensureanonymity

internal unlinkability DoS andsybil resistance

partial theft resistance additionalcosts and delays in mixing process

TumbleBit [143] Distributed undirectional unlinkable paymenthub that uses an untrusted interme-diary

prevents theft anonymous resistsintersection sybil and DoS scal-able (implemented with 800 users)

normal payment using TumbleBitneeds at least two sequential trans-actions

a payment system In particular it is a decentralized platformthat runs smart contracts which are the applications that runexactly as programmed without any possibility of downtimecensorship fraud or third-party interference This impliesthat these digital assets can be used to realize sophisticatedfinancial instruments such as stocks with automatic dividendpayouts or to manage and trade physical properties such asa house Most of these next-generation coins work on top ofBitcoins blockchain and are therefore also known as on-chaincurrencies Since they encode their transactions into Bitcoinstransactions they lack the validation of transactions by minersbecause Bitcoin miners do not understand the new transactiontypes For this purpose a new protocol layer is built uponBitcoins strong foundation and its security Furthermore it isseen as an increase in Bitcoins value from which both willprofit As a detailed discussion on the altcoins is out of thescope of our work we direct interested readers to the existingliterature such as [20] and [157]

As a summary in this section the Bitcoinrsquos privacy andanonymity concerns have been discussed It is observed thatBitcoin is pseudo-anonymous as the account is tied to the ran-dom and multiple Bitcoin addresses and not to the individualusers With the rapidly increasing popularity of bitcoins theneed for privacy and anonymity protection also increases andit must be ensured that the users will receive a satisfactorylevel of service in terms of privacy security and anonymity

VI SUMMARY OF OBSERVATIONS AND FUTURE RESEARCHDIRECTIONS

After our comprehensive survey on the security and privacyaspects of Bitcoin and its major related techniques we nowsummarize our lessons learned before presenting the possiblefuture challenges and research directions Some of these arealready discussed in previous sections However remainingchallenges and open research issues are dealt in brief in thissection

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

TABLE VSUMMARY OF ALTCOINS

Proposals Distinct features and properties Advantages DisadvantagesZeroCoin ZeroCash Zcash [150] [146]

a cryptographic extension to Bit-coin unlinkable and untraceabletransactions by using zero knowl-edge proofs

provides internal unlinkabilitytheft and DoS resistance

relies on a trusted setup and non-falsifiable cryptographic assump-tions blockchain pruning is notpossible

CryptoNote [151] relies on ring signatures to provideanonymity

provides strong privacy andanonymity guarantees

higher computational complexitynot compatible with pruning

MimbleWimble [152][153]

a design for a cryptocurrency withconfidential transactions

CT compatibility improve privacyfungibility and scalability

vulnerable to DoS attacks notcompatible with smart contracts

ByzCoin [154] Bitcoin-like cryptocurrency withstrong consistency via collectivesigning

lower consensus latency and hightransaction throughput resistanceto selfish and stubborn mining [8]eclipse and delivery-tampering anddouble-spending attacks

vulnerable to slow down or tempo-rary DoS attack and 51 attack

Ethereum(ETH) [155]

uses proof-of-stake open-endeddecentralized software platformthat enables Smart Contracts andDistributed Applications

run without any downtime fraudcontrol or interference from a thirdparty support developers to buildand publish distributed applications

scalability issues (uses complexnetwork) running untrusted codelimited (ie non-turing-complete)scripting language

Mastercoin (orOmni) [156]

uses enhanced Bitcoin Core adProof of Authenticity Coloredcoins Exodus address

Easy to use secure web walletsavailable Escrow fund (insuranceagainst panic) Duress protectionusing a trusted entity

wallets handling the transactionsshould aware of the concept of col-ored coins possibility to acciden-tally uncolor colored coin assetsexists

Litecoin (LTC lite-coinorg)

uses Segwit which allows tech-nologies like Lightning Network

scalable low transaction miningtime anonymous and cheaper

very few stores accept payment inLitecoins high power consumption

Dash (DASH dash-payio)

uses Proof of Service implementsnative CoinJoin like transactions

higher privacy (mixes transactionsusing master nodes) InstantX pro-vides faster transaction processing

less liquidtechnology is too youngdoes not yet have a critical mass ofmerchants or users

Ripple (XRP rip-plecom)

implements a novel low-latencyconsensus algorithm based onbyzantine agreement protocol

fast transaction validation lessenergy-intensive no 51 attack

not fully decentralized vulnera-ble to attacks such as consensussplit transaction flood and softwarebackdoor

Monero (XMR get-moneroorg)

based on the CryptoNote protocol improves user privacy by using ringsignatures lower transaction pro-cessing time (average every 2 min-utes)

transaction linkability could beachieved by leveraging the ring sig-nature size of zero output mergingtemporal analysis

Counterparty (XCPcounterpartyio)

created and distributed by destroy-ing bitcoins in a process known asproof of burn

same as bitcoins same as bitcoins

With the use of proof-of-work based consensus algorithmand a secure timestamping service Bitcoin provides a prac-tical solution to the Byzantine Generals problem Howeverto achieve distributed consensus Bitcoin exposes itself toa number of security threats The main threat is doublespending (or race attacks) which will always be possiblein the Bitcoin The transparency in the system is providedby using an unforgeable distributed ledger (ie blockchain)which holds all the transactions ever processed in such a waythat anyone can verify their integrity and authenticity Butat the same time this transparency introduces a ubiquitousglobal attacker model Hence we can be deduced from thediscussion presented in Section V that Bitcoin is anythingbut private Nevertheless Bitcoin provides pseudonymity byhiding identities and the research community is putting a lot ofefforts to further strengthen this property For instance use ofcommitment schemes such as zero-knowledge proofs greatlyimproves unlinkability and untraceability in transactions

One of the major contribution of Bitcoin is the degreeof transparency and decentralization that it provides alongwith the adequate level of security and privacy which was

previously deemed impossible The original concept of miningwhich could be based on proof of work proof of stakeproof of burns or some other scheme not only secures theblockchain but it eventually achieves the distributed consensusIn particular the most important steps that make the wholeprocess so cohesive includes the way these schemes bindsthe votes to something valuable give rewards in exchangeto pay for these valuables and at the same time controlsthe supply of the cryptocurrencies in the system Withoutthese mining schemes the fake identities would be able toeasily disturb (through sybil attack) the consensus process anddestroy the system Due to this ie availability of a miningbased consensus protocol we can safely conclude that 51attacks are the worst case scenario for Bitcoin However therapidly increasing mining pools threatens the decentralizationof Bitcoin

In the near future it is hard to comment on the survivabilityof the Bitcoin ie whether Bitcoin can and will stay as robustas it is today In particular the scalability of the networkthe continuously decreasing rewards increasing transactionfee and the security and privacy threats are the pressing

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

issues which needs to be addressed The peer-to-peer networkalready seems to be having the symptoms of degradationwhich can be seen in terms of propagation delay for both thenew transaction generated by a user and the newly validatedblock by a miner This network propagation delay becomesparticularly a major issue because the Bitcoins security as-sumptions heavily rely on the fast propagation of transactionsand blocks Therefore it is very important that the Bitcoinnetwork is easy to scale to more participants and it is able tohandle higher transaction rates In case of the subsiding miningrewards the research community is unsure whether this posesa real problem or if fees are able to provide the necessaryincentive So far various improvements and altcoins have beenimplemented to resolve the aforementioned issues (please referto tables IV and V However it remains unclear which of thealternative approaches are most promising in terms of practicalimplementation that will actually improve Bitcoin

From the improvement perspective Bitcoin can considerall the altcoins as a huge testing environment from whichit can borrow novel techniques and functionalities to addressits weaknesses At least in the recent future the Bitcoin willbe constantly evolving and will be in the under developmentphase hence we now present few research directions that couldbe exploited in this direction

bull Game theory and stability Recall that mining poolsconsist of individual miners who pool their hashingpower as well as their incentives Miners can behaveselfishly by holding on to their blocks and releasing itwhenever they want This kind of selfish behavior maypose a game theoretic problem between the selfish minersand the network Since all the miners perform with anotion of increasing their incentives a game theoreticapproach is well suited for achieving Nash equilibriumamong miners (ie players) [158] Attackers may try tocontribute to an increase of their chain length compared tohonest chain in the network This poses a game betweenthe honest chain miners and the malicious miners thusachieving equilibrium to bring stability in the networkis a possible research direction There are numerousproposals [158] [159] [160] which shows that the use ofthe game-theoretic approaches provide useful informationabout the effects of selfish mining block withholdingand discarding attacks and the incentive distributionproblem in the mining pools Therefore we believe thatthis approach could be effectively used for modeling thevarious issues and providing adequate solutions for theidentified issues related to the mining pools

bull Cryptographic and keying techniques The Simpli-fied Payment Verification (SPV) protocol which is alightweight protocol used for the verification of the trans-action sent from a user [161] and it is often vulnerableto attacks like sybil and double spending A more robustverification protocol is a current requirement For the keymanipulations and calculations a distributed approachis always preferred more than the centralized one Thisis to avoid the point of failure or the central serverunder the risk of an attack Hence in this direction the

innovative means of key computation and storage of thebitcoins in a distributed fashion is a possible researchdirection Additionally the Bitcoin protocols use EDCSAand hash functions like SHA-256 which creates anotherresearch scope as there is always an adequate requirementto improve these algorithms or implement novel keyingand hashing techniques We have seen the use of clusteror group keys which are based on some threshold inorder to solve various attacks For instance fix a grouphead and get an additional signature or authenticationon every transaction [144] Another approach is to useldquotrusted pathsrdquo which is based on hardware that allowsusers to read and write a few cryptographic data [144]Finally there are few techniques which use Bloom filtersfor securing wallets Nevertheless filters might lead tofalse positives and false negatives that will consume thenetwork bandwidth thus reducing it can be a potentialresearch directive

bull Improving blockchain protocol Blockchain provides forthe first time a probabilistic solution to the ByzantineGenerals problem [162] where consensus is reachedover time (after confirmations) and makes use of eco-nomic incentives to secure the functionality of the overallinfrastructure The blockchain technology promises torevolutionize the way we conduct business For instanceblockchain startups have received more than one bil-lion dollars [163] of venture capital money to exploitthis technology for applications such as voting recordkeeping contracts to name a few Despite its potentialblockchain protocol faces significant concerns in terms ofits privacy [164] and scalability [32] [165] The append-only nature of the blockchain is essential to the securityof the Bitcoin ecosystem as transactions are stored in theledger forever and are immutable However an immutableledger is not appropriate for all new applications thatare being envisaged for the blockchain Recently authorsin [166] present modification in blockchain techniquesthat allows operation such as re-writing one or moreblocks compressing any number of blocks into a smallernumber of blocks and inserting one or more blocks

bull Fastness Bitcoinrsquos proof of work is designed to val-idate a new block on average every 10 minutes andit is recommended to wait for six confirmations beforeaccepting a transaction [167] which makes it impracticalfor many real-world applications (eg a point of salepayments) Faster mining with the same robustness suchas one proposed in [154] is a future requirement Recentlyauthors in [168] present Proof of Luck an efficientblockchain consensus protocol to achieve low-latencytransaction validation deterministic confirmation timenegligible energy consumption and equitably distributedmining

bull Incentives for miners In general incentives can be eitherfixed or variable depending on the complexity of the puz-zle that miners solve A variable incentive may increasethe competition between the miners and help to solvepuzzles that are challenging The miners who inform themalfunctions and other illegal behavior in the network

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

can be awarded additional coins as a reward This act willincrease the number of honest nodes in the network Inthe world of growing demand for the cryptocurrenciesthere is a lot of competition for bitcoins or any otherdigital currency to retain its popularity in the marketAdditionally miners may migrate by looking at therewards given by the other competitors or by the fact thatfor every four years the incentives are halved Thereforeessential questions that need addressing includes how tomake the miners fix to a currency in such a competitiveenvironment and what are the other incentives the Bitcoinsystem can think of to attract the miners

bull Smart contracts and preventing backtracks Smart con-tract refers to the computer programs that embody aself-executing and self-enforcing contract to which usersmay become a party by interacting with it electronicallyThese contracts are of particular interest to those in thefinancial sector However the concept of smart contract isnot a new one but the advent of blockchain technologyspurred interest in it because the blockchain eliminatesthe need to rely on a trusted third party to ldquoexecuterdquo thecontract and enables to use of cryptocurrency as ldquopro-grammable moneyrdquo Bitcoins support for smart contractsis extremely limited Recently authors in [169] proposeHawk which uses a blockchain model of cryptographyto generate privacy-preserving smart contracts Similarto Bitcoin authors in [170] proposes Enigma a decen-tralized computation platform which provides a highlyoptimized version of secure multi-party computation withguaranteed privacy to effectively execute smart contracts

VII CONCLUSIONS

Bitcoin has already evinced a popular digital currency in themarket However the fame of Bitcoin has attracted antagoniststo use Bitcoin network for their selfish motives and benefitsToday we have approximately 1146 different cryptocurrenciesin action out of which many are a recent introduction to themarket From all these fiat-currencies the outstanding popu-larity and high market capital of bitcoins make it attractivefor adversaries to launch various security threats Accordingto our survey even though the construction of the Bitcoinprotocols with proof-of-work and consensus to protect the useractions are the robust features in Bitcoin these itself becominga point of manipulation for cyber thieves Starting from packetsniffing to the double spending the Bitcoin is dreaded withvarious attacks Though literature provides solutions againstfew of these attacks the robust and effective security solutionsthat can ensure proper functioning of Bitcoin in the futureare still absent Together with security the distributed natureof Bitcoin blockchain has lead glitches in the privacy andanonymity requirements of the users In summary this paperis a sole attempt towards highlighting the security and privacyissues in different fields of Bitcoin Once presenting themajor components of Bitcoin its basic characteristics andrelated concepts in brief our survey mainly focuses on thesecurity and privacy aspects that can be found at variousstages in the Bitcoin system starting from transaction creation

to its successful addition in the blockchain We studied andemphasize the issue of user privacy and anonymity in thisrapidly growing e-commerce industry With the set of futureresearch directions and open questions that we have raised wehope that our work will motivate fledgling researchers towardstackling the security and privacy issues of Bitcoin systems

REFERENCES

[1] S Nakamoto ldquoBitcoin A peer-to-peer electronic cash systemrdquo Avail-able httpbitcoinorgbitcoinpdf 2008

[2] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 New YorkNY USA ACM 2012 pp 906ndash917

[3] E Heilman A Kendler A Zohar and S Goldberg ldquoEclipse attackson bitcoinrsquos peer-to-peer networkrdquo in Proceedings of the 24th USENIXConference on Security Symposium ser SECrsquo15 USENIX Associa-tion 2015 pp 129ndash144

[4] C Decker and R Wattenhofer ldquoBitcoin transaction malleability andmtgoxrdquo in ESORICS 2014 19th European Symposium on Researchin Computer Security Springer International Publishing 2014 pp313ndash326

[5] A Maria Z Aviv and V Laurent ldquoHijacking bitcoin Routing attackson cryptocurrenciesrdquo in Security and Privacy (SP) 2017 IEEE Sym-posium on IEEE 2017

[6] I Eyal and E G Sirer ldquoMajority is not enough Bitcoin miningis vulnerablerdquo in Financial Cryptography and Data Security 18thInternational Conference Springer Berlin Heidelberg 2014 pp 436ndash454

[7] A Sapirshtein Y Sompolinsky and A Zohar ldquoOptimal selfish miningstrategies in bitcoinrdquo in Financial Cryptography and Data Security20th International Conference FC 2016 Christ Church BarbadosFebruary 22ndash26 2016 Springer Berlin Heidelberg 2017 pp 515ndash532

[8] K Nayak S Kumar A Miller and E Shi ldquoStubborn miningGeneralizing selfish mining and combining with an eclipse attackrdquoin 2016 IEEE European Symposium on Security and Privacy (EuroSP) 2016 pp 305ndash320

[9] I Eyal ldquoThe minerrsquos dilemmardquo in Proceedings of the 2015 IEEESymposium on Security and Privacy ser SP rsquo15 Washington DCUSA IEEE Computer Society 2015 pp 89ndash103

[10] J Bonneau A Miller J Clark A Narayanan J A Kroll and E WFelten ldquoSok Research perspectives and challenges for bitcoin andcryptocurrenciesrdquo in 2015 IEEE Symposium on Security and PrivacyMay 2015 pp 104ndash121

[11] WikiLeaks ldquoDonation request via cyrptocurrienciesrdquo Available https shopwikileaksorgdonate

[12] W F Slater ldquoBitcoin A current look at the worlds most popularenigmatic and controversial digital cryptocurrencyrdquo in A Presentationfor Forensecure 2014 April 2014

[13] ldquoStatus about bitcoin technoogy was obtained from- what 2016holds for bitcoin businessrdquo Available httpwwwcoindeskcomwhat-2016-holds-for-bitcoin-businesses

[14] M T Alam H Li and A Patidar ldquoBitcoin for smart trading insmart gridrdquo in The 21st IEEE International Workshop on Local andMetropolitan Area Networks April 2015 pp 1ndash2

[15] Y Zhang and J Wen ldquoAn iot electric business model based onthe protocol of bitcoinrdquo in 2015 18th International Conference onIntelligence in Next Generation Networks Feb 2015 pp 184ndash191

[16] S Huckle R Bhattacharya M White and N Beloff ldquoInternet ofthings blockchain and shared economy applicationsrdquo Procedia Com-put Sci vol 98 pp 461ndash466 Oct 2016

[17] A Lei H Cruickshank Y Cao P Asuquo C P A Ogah and Z SunldquoBlockchain-based dynamic key management for heterogeneous intel-ligent transportation systemsrdquo IEEE Internet of Things Journal no 992017

[18] M Mettler ldquoBlockchain technology in healthcare The revolutionstarts hererdquo in 2016 IEEE 18th International Conference on e-HealthNetworking Applications and Services (Healthcom) Sept 2016 pp1ndash3

[19] K Biswas and V Muthukkumarasamy ldquoSecuring smart cities us-ing blockchain technologyrdquo in 2016 IEEE 18th International Con-ference on High Performance Computing and Communications(HPCCSmartCityDSS) Dec 2016 pp 1392ndash1393

[20] F Tschorsch and B Scheuermann ldquoBitcoin and beyond A technicalsurvey on decentralized digital currenciesrdquo IEEE CommunicationsSurveys Tutorials vol 18 no 3 pp 2084ndash2123 2016

[21] S your wallet ldquoThe bitcoin wikirdquo Available httpsenbitcoinitwikiSecuring your wallet Mar 2014

[22] G Andresen ldquoBip 16 Pay to script hashrdquo Available httpsgithubcombitcoinbipsblobmasterbip-0016mediawik Jan 2012

[23] J R Douceur ldquoThe sybil attackrdquo in the First International Workshopon Peer-to-Peer Systems ser IPTPS rsquo01 London UK Springer-Verlag 2002 pp 251ndash260

[24] A Back ldquoHashcash - a denial of service counter-measurerdquo Availablehttpwwwhashcashorgpapershashcashpdf 2002

[25] D E III and T Hansen ldquoUS secure hash algorithms (sha and sha-based hmac and hkdf)rdquo Available httpwwwietforgrfcrfc6234txt2011

[26] K Kaskaloglu ldquoNear zero bitcoin transaction fees cannot last foreverrdquo2014 pp 91ndash99

[27] D Kraft ldquoDifficulty control for blockchain-based consensus systemsrdquovol 9 no 2 2016 pp 397ndash413

[28] R C Merkle ldquoA digital signature based on a conventional encryptionfunctionrdquo in Advances in Cryptology mdash CRYPTO rsquo87 ProceedingsSpringer Berlin Heidelberg 1988 pp 369ndash378

[29] M Rosenfeld ldquoAnalysis of bitcoin pooled mining reward systemsrdquoCoRR vol abs11124980 2011

[30] A Laszka B Johnson and J Grossklags ldquoWhen bitcoin mining poolsrun dryrdquo in Financial Cryptography and Data Security FC 2015International Workshops BITCOIN WAHC and Wearable San JuanPuerto Rico January 30 2015 Springer Berlin Heidelberg 2015pp 63ndash77

[31] O Schrijvers J Bonneau D Boneh and T Roughgarden IncentiveCompatibility of Bitcoin Mining Pool Reward Functions SpringerBerlin Heidelberg 2017 pp 477ndash498

[32] Y Sompolinsky and A Zohar ldquoSecure high-rate transaction processingin bitcoinrdquo in Financial Cryptography and Data Security 19th Inter-national Conference Springer Berlin Heidelberg 2015 pp 507ndash527

[33] L Luu R Saha I Parameshwaran P Saxena and A Hobor ldquoOnpower splitting games in distributed computation The case of bitcoinpooled miningrdquo in 2015 IEEE 28th Computer Security FoundationsSymposium July 2015 pp 397ndash411

[34] S King and S Nadal ldquoPpcoin peer-to-peer crypto-currencywith proof-of-stakerdquo Available httppeercoinnetassetspaperpeercoin-paperpdf Tech Rep Aug 2012

[35] M Castro and B Liskov ldquoPractical byzantine fault tolerance andproactive recoveryrdquo ACM Trans Comput Syst vol 20 no 4 Nov2002

[36] A Miller A Juels E Shi B Parno and J Katz ldquoPermacoin Repur-posing bitcoin work for data preservationrdquo in 2014 IEEE Symposiumon Security and Privacy May 2014 pp 475ndash490

[37] B Sengupta S Bag S Ruj and K Sakurai ldquoRetricoin Bitcoinbased on compact proofs of retrievabilityrdquo in Proceedings of the 17thInternational Conference on Distributed Computing and Networkingser ICDCN rsquo16 ACM 2016 pp 141ndash1410

[38] I Bentov A Gabizon and A Mizrahi Cryptocurrencies Without Proofof Work Springer Berlin Heidelberg 2016 pp 142ndash157

[39] J Garay A Kiayias and N Leonardos ldquoThe bitcoin backboneprotocol with chains of variable difficultyrdquo in Advances in Cryptologyndash CRYPTO 2017 37th Annual International Cryptology ConferenceSanta Barbara CA USA Springer International Publishing 2017pp 291ndash323

[40] X Min Q Li L Liu and L Cui ldquoA permissioned blockchainframework for supporting instant transaction and dynamic block sizerdquoin 2016 IEEE TrustcomBigDataSEISPA Aug 2016 pp 90ndash96

[41] S Bano A Sonnino M Al-Bassam S Azouvi P McCorry S Meik-lejohn and G Danezis ldquoConsensus in the age of blockchainsrdquo CoRRvol abs171103936 2017

[42] A Miller and R Jansen ldquoShadow-bitcoin Scalable simulation viadirect execution of multi-threaded applicationsrdquo in 8th Workshop onCyber Security Experimentation and Test (CSET 15) WashingtonDC USENIX Association 2015 [Online] Available httpswwwusenixorgconferencecset15workshop-programpresentationmiller

[43] A Gervais H Ritzdorf G O Karame and S Capkun ldquoTamperingwith the delivery of blocks and transactions in bitcoinrdquo in Proceedingsof the 22Nd ACM SIGSAC Conference on Computer and Communica-tions Security ser CCS rsquo15 ACM 2015 pp 692ndash705

[44] N T Courtois P Emirdag and D A Nagy ldquoCould bitcoin transactionsbe 100x fasterrdquo in 2014 11th International Conference on Security andCryptography (SECRYPT) Aug 2014 pp 1ndash6

[45] J A Kroll I C Davey and E W Felten ldquoThe economics of bitcoinmining or bitcoin in the presence of adversariesrdquo 2013

[46] A Gervais G O Karame V Capkun and S Capkun ldquoIs bitcoin adecentralized currencyrdquo IEEE Security Privacy vol 12 no 3 pp54ndash60 May 2014

[47] P Fairley ldquoBlockchain world - feeding the blockchain beast if bitcoinever does go mainstream the electricity needed to sustain it will beenormousrdquo IEEE Spectrum vol 54 no 10 pp 36ndash59 October 2017

[48] K Liao Z Zhao A Doupe and G J Ahn ldquoBehind closed doorsmeasurement and analysis of cryptolocker ransoms in bitcoinrdquo in 2016APWG Symposium on Electronic Crime Research (eCrime) June 2016pp 1ndash13

[49] M Kiran and M Stannett ldquoBitcoin risk analysisrdquo Availablehttpwwwnemodeacukwp-contentuploads2015022015-Bit-Coin-risk-analysispdf Dec 2014

[50] B Masooda S Beth and B Jeremiah ldquoWhat motivates people to usebitcoinrdquo in Social Informatics 8th International Conference SocInfo2016 Springer International Publishing 2016 pp 347ndash367

[51] K Krombholz A Judmayer M Gusenbauer and E Weippl ldquoTheother side of the coin User experiences with bitcoin security andprivacyrdquo in Financial Cryptography and Data Security 20th Inter-national Conference FC 2016 Christ Church Barbados SpringerBerlin Heidelberg 2017 pp 555ndash580

[52] G O Karame E Androulaki M Roeschlin A Gervais andS Capkun ldquoMisbehavior in bitcoin A study of double-spending andaccountabilityrdquo ACM Trans Inf Syst Secur vol 18 no 1 May 2015

[53] T Bamert C Decker L Elsen R Wattenhofer and S Welten ldquoHavea snack pay with bitcoinsrdquo in IEEE P2P 2013 Proceedings Sept 2013pp 1ndash5

[54] L Bahack ldquoTheoretical bitcoin attacks with less than half of thecomputational power (draft)rdquo CoRR vol abs13127013 2013

[55] H Finney ldquoBest practice for fast transaction acceptancehow highis the riskrdquo Available httpsbitcointalkorg indexphptopic=3441msg48384msg48384 2011

[56] J Heusser ldquoSat solvingan alternative to brute force bitcoin miningrdquoAvailable https jheussergithubio20130203satcoinhtml 2013

[57] Vector67 ldquoFake bitcoinsrdquo Available httpsbitcointalkorg indexphptopic=36788msg463391msg463391 2011

[58] I Eyal and E G Sirer ldquoHow to disincentivize large bitcoinmining poolsrdquo Available httphackingdistributedcom20140618how-to-disincentivize-large-bitcoin-mining-pools 2014

[59] M Bastiaan ldquoPreventing the 51-attack a stochastic analysis of twophase proof of work in bitcoinrdquo Jan 2015

[60] A Chepurnoy T Duong L Fan and H-S Zhou ldquoTwinscoin Acryptocurrency via proof-of-work and proof-of-stakerdquo 2017 httpeprintiacrorg2017232

[61] P Daian I Eyal A Juels and G Sirer ldquoPiecework Generalizedoutsourcing control for proofs of workrdquo 2017

[62] N T Courtois and L Bahack ldquoOn subversive miner strategies andblock withholding attack in bitcoin digital currencyrdquo CoRR volabs14021718 2014

[63] R Zhang and B Preneel ldquoPublish or perish A backward-compatibledefense against selfish mining in bitcoinrdquo in Topics in Cryptologyndash CT-RSA 2017 The Cryptographersrsquo Track at the RSA Conference2017 San Francisco CA USA February 14ndash17 2017 ProceedingsSpringer International Publishing 2017 pp 277ndash292

[64] S Solat and M Potop-Butucaru ldquoBrief announcement ZeroblockTimestamp-free prevention of block-withholding attack in bitcoinrdquoin Stabilization Safety and Security of Distributed Systems 19thInternational Symposium Springer International Publishing 2017pp 356ndash360

[65] E Heilman ldquoOne weird trick to stop selfish miners Fresh bitcoins asolution for the honest minerrdquo 2014

[66] S D Lerner ldquoDecor+rdquo Available httpsbitslogwordpresscom20140507decor-2 2014

[67] S Bag S Ruj and K Sakurai ldquoBitcoin block withholding attack Analysis and mitigationrdquo IEEE Transactions on Information Forensicsand Security vol PP no 99 pp 1ndash12 2016

[68] Y Kwon D Kim Y Son E Vasserman and Y Kim ldquoBe selfish andavoid dilemmas Fork after withholding (faw) attacks on bitcoinrdquo inProceedings of the 2017 ACM SIGSAC Conference on Computer andCommunications Security ser CCS rsquo17 ACM 2017 pp 195ndash209

[69] S Haber and W S Stornetta ldquoHow to time-stamp a digital documentrdquovol 3 no 2 1991 pp 99ndash111

[70] D Malkhi ldquoByzantine quorum systemsrdquo Distrib Comput vol 4 p203213 Jan 2012

[71] N Szabo ldquoSecure property titles with owner authorityrdquo Available httpnakamotoinstituteorgsecure-property-titles 1988

[72] C Natoli and V Gramoli ldquoThe balance attack against proof-of-work blockchains The R3 testbed as an examplerdquo CoRR volabs161209426 2016

[73] G Wood ldquoEthereum A secure decentralised generalised transaction-ledgerrdquo yellow paper 2015

[74] M Rosenfeld ldquoMining pools reward methodsrdquo Presentation at Bitcoin2013 Conference 2013

[75] B J ldquoWhy buy when you can rentrdquo Financial Cryptography andData Security FC 2016 Lecture Notes in Computer Science vol 9604Springer Berlin Heidelberg 2016

[76] A F Neil Gandal Tyler Moore and J Hamrick ldquoThe impact of ddosand other security shocks on bitcoin currency exchanges Evidencefrom mt goxrdquo The 15th Annual Workshop on the Economics ofInformation Security vol abs14117099 June 13-14 2016

[77] A Narayanan J Bonneau E Felten A Miller and S Goldfeder ldquoBit-coin and cryptocurrency technologies A comprehensive introductionrdquoPrinceton NJ USA Princeton University Press 2016

[78] P McCorry S F Shahandashti and F Hao ldquoRefund attacks onbitcoinrsquos payment protocolrdquo in Financial Cryptography and DataSecurity 20th International Conference Springer Berlin Heidelberg2017 pp 581ndash599

[79] A Miller ldquoFeather-forks enforcing a blacklist with sub-50 hashpowerrdquo Available httpsbitcointalkorg indexphptopic=31266802013

[80] M Andrychowicz S Dziembowski D Malinowski and Ł MazurekldquoOn the malleability of bitcoin transactionsrdquo in Financial Cryptogra-phy and Data Security FC 2015 International Workshops BITCOINWAHC and Wearable Springer Berlin Heidelberg 2015 pp 1ndash18

[81] P Wuille ldquoBip 62 Dealing with malleabilityrdquo Available httpsgithubcombitcoinbipsblobmasterbip-0062mediawiki Mar 2014

[82] R Gennaro S Goldfeder and A Narayanan ldquoThreshold-optimaldsaecdsa signatures and an application to bitcoin wallet securityrdquoin Applied Cryptography and Network Security 14th InternationalConference ACNS 2016 Springer International Publishing 2016pp 156ndash174

[83] S Goldfeder J Bonneau E W Felten J A Kroll and A NarayananldquoSecuring bitcoin wallets via threshold signaturesrdquo Available httpwwwcsprincetonedustevenagbitcoin threshold signaturespdf 2014

[84] T Bamert C Decker R Wattenhofer and S Welten ldquoBluewalletThe secure bitcoin walletrdquo Security and Trust Management 10thInternational Workshop STM 2014 pp 65ndash80 2014

[85] M Gentilal P Martins and L Sousa ldquoTrustzone-backed bitcoinwalletrdquo in Proceedings of the Fourth Workshop on Cryptography andSecurity in Computing Systems ser CS2 rsquo17 New York NY USAACM 2017 pp 25ndash28

[86] S Jarecki A Kiayias H Krawczyk and J Xu ldquoHighly-efficient andcomposable password-protected secret sharing (or How to protect yourbitcoin wallet online)rdquo in 2016 IEEE European Symposium on Securityand Privacy (EuroS P) March 2016 pp 276ndash291

[87] corbixgwelt ldquoTimejacking and bitcoinrdquo Available httpculubasblogspotde201105 timejacking-bitcoin 802html Mar 2011

[88] D Mills J Martin J Burbank and W Kasch ldquoNetwork time protocolversion 4 Protocol and algorithms specification rfc 5905 internetengineering task forcerdquo Available httpwwwietforgrfcrfc5905txtMar 2011

[89] M Vasek M Thornton and T Moore ldquoEmpirical analysis of denial-of-service attacks in the bitcoin ecosystemrdquo in Financial Cryptographyand Data Security FC 2014 Workshops BITCOIN and WAHC 2014Springer Berlin Heidelberg 2014 pp 57ndash71

[90] B Johnson A Laszka J Grossklags M Vasek and T MooreldquoGame-theoretic analysis of ddos attacks against bitcoin mining poolsrdquoin Financial Cryptography and Data Security FC 2014 WorkshopsBITCOIN and WAHC 2014 Springer Berlin Heidelberg 2014 pp72ndash86

[91] I Bentov C Lee A Mizrahi and M Rosenfeld ldquoProof of activityExtending bitcoinrsquos proof of work via proof of stake [extended ab-stract]yrdquo SIGMETRICS Perform Eval Rev vol 42 no 3 pp 34ndash37Dec 2014

[92] G Bissias A P Ozisik B N Levine and M Liberatore ldquoSybil-resistant mixing for bitcoinrdquo in Proceedings of the 13th Workshop onPrivacy in the Electronic Society ser WPES rsquo14 ACM 2014 pp149ndash158

[93] P Koshy D Koshy and P McDaniel ldquoAn analysis of anonymity inbitcoin using p2p network trafficrdquo in Financial Cryptography and Data

Security 18th International Conference FC 2014 Springer BerlinHeidelberg 2014 pp 469ndash485

[94] A Biryukov D Khovratovich and I Pustogarov ldquoDeanonymisationof clients in bitcoin p2p networkrdquo in Proceedings of the 2014 ACMSIGSAC Conference on Computer and Communications Security serCCS rsquo14 ACM 2014 pp 15ndash29

[95] G Danezis R Dingledine and N Mathewson ldquoMixminion designof a type iii anonymous remailer protocolrdquo in 2003 Symposium onSecurity and Privacy 2003 May 2003 pp 2ndash15

[96] G Maxwell ldquoCoinjoin Bitcoin privacy for the real worldrdquo Availablehttpsbitcointalkorg indexphptopic=2792490 Mar 2013

[97] T Ruffing P Moreno-Sanchez and A Kate ldquoCoinshuffle Practical de-centralized coin mixing for bitcoinrdquo in ESORICS 2014 19th EuropeanSymposium on Research in Computer Security Springer InternationalPublishing 2014 pp 345ndash364

[98] V S Miller ldquoUse of elliptic curves in cryptographyrdquo in Lecture Notesin Computer Sciences 218 on Advances in cryptologymdashCRYPTO 85Springer-Verlag New York Inc 1986 pp 417ndash426

[99] P Gallagher and C Kerry ldquoFederal information processingstandards (fips) publication 186-4 Digital signature standard(dss)rdquo Available httpnvlpubsnistgovnistpubsFIPSNISTFIPS186-4pdf July 2013

[100] N A Howgrave-Graham and N P Smart ldquoLattice attacks on digitalsignature schemesrdquo vol 23 no 3 2001 pp 283ndash290

[101] J W Bos J A Halderman N Heninger J Moore M Naehrigand E Wustrow ldquoElliptic curve cryptography in practicerdquo in 18thInternational Conference FC 2014 Springer Berlin Heidelberg2014 pp 157ndash175

[102] I Giechaskiel C Cremers and K B Rasmussen ldquoOn bitcoin securityin the presence of broken cryptographic primitivesrdquo in ComputerSecurity ndash ESORICS 2016 21st European Symposium on Researchin Computer Security Heraklion Greece Springer InternationalPublishing 2016 pp 201ndash222

[103] J J Hoch and A Shamir ldquoOn the strength of the concatenatedhash combiner when all the hash functions are weakrdquo in AutomataLanguages and Programming 35th International Colloquium ICALP2008 Reykjavik Iceland Springer Berlin Heidelberg 2008 pp 616ndash630

[104] S Eskandari D Barrera E Stobert and J Clark ldquoA First Look atthe Usability of Bitcoin Key Managementrdquo Proceedings of the NDSSWorkshop on Usable Security (USEC) 2015

[105] P Litke and J Stewart ldquoCryptocurrency-stealing malware landscaperdquo2014

[106] T Moore and N Christin ldquoBeware the middleman Empirical anal-ysis of bitcoin-exchange riskrdquo in Financial Cryptography and DataSecurity 17th International Conference Springer Berlin Heidelberg2013 pp 25ndash33

[107] G G Dagher B Bunz J Bonneau J Clark and D Boneh ldquoProvi-sions Privacy-preserving proofs of solvency for bitcoin exchangesrdquo inProceedings of the 22Nd ACM SIGSAC Conference on Computer andCommunications Security ser CCS rsquo15 ACM 2015 pp 720ndash731

[108] T Neudecker P Andelfinger and H Hartenstein ldquoA simulationmodel for analysis of attacks on the bitcoin peer-to-peer networkrdquoin 2015 IFIPIEEE International Symposium on Integrated NetworkManagement (IM) May 2015 pp 1327ndash1332

[109] ldquoMalleability attack a nuisance but bitcoin not broken pundits sayrdquoAvailable httpwwwfinancemagnatescomcryptocurrencynewsmalleability-attack-a-nuisance-but-bitcoin-not-broken-pundits-say

[110] ldquoThe bitcoin malleability attack how can it undermine the blockchainscredibilityrdquo Available httpwwwcoinwriteorg 2017

[111] T Ruffing A Kate and D Schroder ldquoLiar liar coins on firePenalizing equivocation by loss of bitcoinsrdquo in Proceedings of the22Nd ACM SIGSAC Conference on Computer and CommunicationsSecurity ser CCS rsquo15 ACM 2015 pp 219ndash230

[112] X Yu M T Shiwen Y Li and R D Huijie ldquoFair deposits againstdouble-spending for bitcoin transactionsrdquo in 2017 IEEE Conference onDependable and Secure Computing Aug 2017 pp 44ndash51

[113] G O Karame E Androulaki and S Capkun ldquoDouble-spending fastpayments in bitcoinrdquo in Proceedings of the 2012 ACM Conference onComputer and Communications Security ser CCS rsquo12 ACM 2012pp 906ndash917

[114] ldquoSolution to sybil attacks and 51Avail-able https letstalkbitcoincomblogpostsolution-to-sybil-attacks-and-51-attacks-in-decentralized-networks2014

[115] M O Rabin ldquoTransaction protection by beaconsrdquo vol 27 no 2 1983pp 256 ndash 267

[116] R Zhang ldquoBroadcasting intermediate blocks as a defense mechanismagainst selfish-mine in bitcoinrdquo IACR Cryptology ePrint Archive vol2015 p 518 2015

[117] S Goldfeder R Gennaro H Kalodner J Bonneau J A KrollE W Felten and A Narayanan ldquoSecuring bitcoin wallets via anew dsa-ecdsa threshold signature schemerdquo Available httpswwwcsprincetonedusteve-nag thresholdsigspdf 2016

[118] M Draupnir ldquoBitcoin cold storage guiderdquo Available httpswwwweusecoinscombitcoin-cold-storage-guide Mar 2016

[119] ldquoBiometric tech secures bitcoin walletrdquo no 6 2015[120] A Shamir ldquoHow to share a secretrdquo Commun ACM vol 22 no 11

pp 612ndash613 Nov 1979[121] P Camelo J Moura and L Krippahl ldquoCONDENSER A graph-based

approachfor detecting botnetsrdquo CoRR vol abs14108747 2014[122] Mate ldquoHow to identify transaction malleability attacksrdquo Available

httpsnewsbitcoincom identify-transaction-malleability-attacks 2015

[123] C Decker and R Wattenhofer ldquoA fast and scalable payment networkwith bitcoin duplex micropayment channelsrdquo in Stabilization Safetyand Security of Distributed Systems 17th International SymposiumSSS 2015 Springer International Publishing 2015

[124] B Rosenberg ldquoMicropayment systems handbook of financial cryptog-raphy and securityrdquo 2010

[125] M F sallal G Owenson and M Adda ldquoProximity awarenessapproach to enhance propagation delay on the bitcoin peer-to-peernetworkrdquo in 2017 IEEE 37th International Conference on DistributedComputing Systems (ICDCS) June 2017 pp 2411ndash2416

[126] J Gobel H Keeler A Krzesinski and P Taylor ldquoBitcoin blockchain-dynamics The selfish-mine strategy in the presence of propagationdelayrdquo vol 104 no Supplement C 2016 pp 23 ndash 41

[127] D Ron and A Shamir ldquoQuantitative analysis of the full bitcointransaction graphrdquo in Financial Cryptography and Data Security 17thInternational Conference FC 2013 Springer Berlin Heidelberg 2013pp 6ndash24

[128] E Androulaki G O Karame M Roeschlin T Scherer and S CapkunldquoEvaluating user privacy in bitcoinrdquo in Financial Cryptography andData Security 17th International Conference FC 2013 SpringerBerlin Heidelberg 2013 pp 34ndash51

[129] S Meiklejohn M Pomarole G Jordan K Levchenko D McCoyG M Voelker and S Savage ldquoA fistful of bitcoins Characterizingpayments among men with no namesrdquo in Proceedings of the 2013Conference on Internet Measurement Conference ser IMC rsquo13 ACM2013 pp 127ndash140

[130] M Fleder M S Kester and S Pillai ldquoBitcoin transaction graphanalysisrdquo CoRR vol abs150201657 2015

[131] F Reid and M Harrigan ldquoAn analysis of anonymity in the bitcoinsystemrdquo Springer New York 2013 pp 197ndash223

[132] M Spagnuolo F Maggi and S Zanero ldquoBitiodine Extracting intelli-gence from the bitcoin networkrdquo in Financial Cryptography and DataSecurity 18th International Conference FC 2014 Springer BerlinHeidelberg 2014 pp 457ndash468

[133] G D Battista V D Donato M Patrignani M Pizzonia V Roselliand R Tamassia ldquoBitconeview visualization of flows in the bitcointransaction graphrdquo in IEEE Symposium on Visualization for CyberSecurity (VizSec) Oct 2015 pp 1ndash8

[134] S Goldfeder H A Kalodner D Reisman and A Narayanan ldquoWhenthe cookie meets the blockchain Privacy risks of web payments viacryptocurrenciesrdquo CoRR 2017

[135] A Biryukov and I Pustogarov ldquoBitcoin over tor isnrsquot a good ideardquoin 2015 IEEE Symposium on Security and Privacy May 2015 pp122ndash134

[136] T Ruffing P Moreno-Sanchez and A Kate ldquoP2p mixing and unlink-able bitcoin transactionsrdquo 2017

[137] T Ruffing and P Moreno-Sanchez ldquoValueshuffle Mixing confiden-tial transactions for comprehensive transaction privacy inbitcoinrdquo inFinancial Cryptography and Data Security FC 2017 InternationalWorkshops WAHC BITCOIN VOTING WTSC and TA Sliema MaltaApril 7 2017 Springer International Publishing 2017 pp 133ndash154

[138] S Bojja Venkatakrishnan G Fanti and P Viswanath ldquoDandelionRedesigning the bitcoin network for anonymityrdquo Proc ACM MeasAnal Comput Syst vol 1 pp 221ndash2234 Jun 2017

[139] M H Ibrahim ldquoSecurecoin A robust secure and efficient protocolfor anonymous bitcoin ecosystemrdquo I J Network Security vol 19 pp295ndash312 2017

[140] J H Ziegeldorf F Grossmann M Henze N Inden and K WehrleldquoCoinparty Secure multi-party mixing of bitcoinsrdquo in Proceedings

of the 5th ACM Conference on Data and Application Security andPrivacy ser CODASPY rsquo15 ACM 2015 pp 75ndash86

[141] J Bonneau A Narayanan A Miller J Clark J A Kroll and E WFelten ldquoMixcoin Anonymity for bitcoin with accountable mixesrdquo in18th International Conference FC 2014 Springer Berlin Heidelberg2014 pp 486ndash504

[142] L Valenta and B Rowan ldquoBlindcoin Blinded accountable mixes forbitcoinrdquo in Financial Cryptography Workshops 2015

[143] E Heilman L Alshenibr F Baldimtsi A Scafuro and S GoldbergldquoTumblebit An untrusted bitcoin-compatible anonymous paymenthubrdquo 2016 httpeprintiacrorg2016575

[144] S Barber X Boyen E Shi and E Uzun ldquoBitter to better mdash how tomake bitcoin a better currencyrdquo in Financial Cryptography and DataSecurity 16th International Conference FC 2012 Springer BerlinHeidelberg 2012 pp 399ndash414

[145] S Meiklejohn and C Orlandi ldquoPrivacy-enhancing overlays in bitcoinrdquoin Financial Cryptography and Data Security FC 2015 InternationalWorkshops BITCOIN WAHC and Wearable San Juan Puerto RicoJanuary 30 2015 Springer Berlin Heidelberg 2015 pp 127ndash141

[146] E B Sasson A Chiesa C Garman M Green I Miers E Tromerand M Virza ldquoZerocash Decentralized anonymous payments frombitcoinrdquo in 2014 IEEE Symposium on Security and Privacy May 2014pp 459ndash474

[147] E Heilman F Baldimtsi and S Goldberg ldquoBlindly signed contractsAnonymous on-blockchain and off-blockchain bitcoin transactionsrdquo inFinancial Cryptography and Data Security FC 2016 InternationalWorkshops BITCOINrsquo16 Springer Berlin Heidelberg 2016 pp 43ndash60

[148] H Corrigan-Gibbs and B Ford ldquoDissent Accountable anonymousgroup messagingrdquo in Proceedings of the 17th ACM Conference onComputer and Communications Security ser CCSrsquo10 ACM 2010pp 340ndash350

[149] D Chaum ldquoBlind signatures for untraceable paymentsrdquo in Advancesin Cryptology Proceedings of Crypto 82 Springer US 1983 pp199ndash203

[150] I Miers C Garman M Green and A D Rubin ldquoZerocoin Anony-mous distributed e-cash from bitcoinrdquo in 2013 IEEE Symposium onSecurity and Privacy May 2013 pp 397ndash411

[151] N van Saberhagen ldquoCryptonoterdquo 2013 httpscryptonoteorgwhitepaper

[152] T Jedusor ldquoMimblewimblerdquo 2016 httpsscalingbitcoinorgpapersmimblewimbletxt

[153] A Poelstra ldquoMimblewimblerdquo 2016 httpdiyhpluswikitranscriptsscalingbitcoinmilanmimblewimble

[154] E K Kogias P Jovanovic N Gailly I Khoffi L Gasser and B FordldquoEnhancing bitcoin security and performance with strong consistencyvia collective signingrdquo in 25th USENIX Security Symposium (USENIXSecurity 16) Austin TX 2016 pp 279ndash296

[155] G Wood ldquoETHEREUM A secure decentralised generalised trans-action ledgerrdquo Available httpgavwoodcomPaperpdf Tech Rep2014

[156] J R Willett ldquoThe second bitcoinrdquo Availablehttpssitesgooglecomsite2ndbtcwpaper 2ndBitcoinWhitepaperpdf

[157] U Mukhopadhyay A Skjellum O Hambolu J Oakley L Yu andR Brooks ldquoA brief survey of cryptocurrency systemsrdquo in 2016 14thAnnual Conference on Privacy Security and Trust (PST) Dec 2016pp 745ndash752

[158] A Kiayias E Koutsoupias M Kyropoulou and Y TselekounisldquoBlockchain mining gamesrdquo in Proceedings of the 2016 ACM Con-ference on Economics and Computation ser EC rsquo16 ACM 2016pp 365ndash382

[159] Y Lewenberg Y Bachrach Y Sompolinsky A Zohar and J S Rosen-schein ldquoBitcoin mining pools A cooperative game theoretic analysisrdquoin Proceedings of the 2015 International Conference on AutonomousAgents and Multiagent Systems ser AAMAS rsquo15 InternationalFoundation for Autonomous Agents and Multiagent Systems 2015pp 919ndash927

[160] B Fisch R Pass and A Shelat ldquoSocially optimal mining poolsrdquoin Web and Internet Economics 13th International ConferenceWINE 2017 Bangalore India December 17ndash20 2017 ProceedingsN R Devanur and P Lu Eds Cham Springer InternationalPublishing 2017 pp 205ndash218

[161] A Kiayias N Lamprou and A-P Stouka ldquoProofs of proofs ofwork with sublinear complexityrdquo in Financial Cryptography and DataSecurity FC 2016 International Workshops BITCOIN VOTING andWAHC Springer Berlin Heidelberg 2016 pp 61ndash78

[162] L Lamport R Shostak and M Pease ldquoThe byzantine generalsproblemrdquo ACM Trans Program Lang Syst vol 4 no 3 pp 382ndash401Jul 1982

[163] ldquoCoindesk bitcoin venture capitalrdquo Available httpwwwcoindeskcombitcoin-venture-capital

[164] J Herrera-Joancomartı and C Perez-Sola ldquoPrivacy in bitcoin transac-tions New challenges from blockchain scalability solutionsrdquo in Model-ing Decisions for Artificial Intelligence 13th International ConferenceMDAI 2016 Springer International Publishing 2016 pp 26ndash44

[165] Y Lewenberg Y Sompolinsky and A Zohar ldquoInclusive block chainprotocolsrdquo in Financial Cryptography and Data Security 19th Inter-national Conference FC 2015 Springer Berlin Heidelberg 2015 pp528ndash547

[166] G Ateniese B Magri D Venturi and E Andrade ldquoRedactableblockchain ndash or ndash rewriting history in bitcoin and friendsrdquo 2016

httpeprintiacrorg2016757[167] M Rosenfeld ldquoAnalysis of hashrate-based double spendingrdquo CoRR

vol abs14022009 2014[168] M Milutinovic W He H Wu and M Kanwal ldquoProof of luck An

efficient blockchain consensus protocolrdquo in Proceedings of the 1stWorkshop on System Software for Trusted Execution ser SysTEX rsquo16ACM 2016

[169] A Kosba A Miller E Shi Z Wen and C Papamanthou ldquoHawkThe blockchain model of cryptography and privacy-preserving smartcontractsrdquo in IEEE Symposium on Security and Privacy May 2016pp 839ndash858

[170] G Zyskind O Nathan and A Pentland ldquoDecentralizing privacyUsing blockchain to protect personal datardquo in 2015 IEEE Security andPrivacy Workshops May 2015 pp 180ndash184