Cryptocurrencies: A Brief Introduction
Our modern economy relies heavily on digital means of payment. Trade in the form of e-commerce,
for example, necessitates the use of digital tokens. In a digital currency system, the means of
payment is simply a string of bits. This poses a problem, as these strings of bits, like any other
digital record, can easily be copied and re-used for payment. Essentially, the digital token can be
counterfeited by using it twice, which is the so-called double-spending problem.
Traditionally, this problem has been overcome by relying on a trusted third party who manages,
for a fee, a centralized ledger and transfers balances by crediting and debiting buyers' and sellers’
accounts. This third party is often the issuer of the digital currency itself, one prominent example
being PayPal, and the value of the currency derives from the fact that users trust the third party
to prohibit double-spending.
Cryptocurrencies such as Bitcoin go a step further and remove the need for a trusted third-party.
Instead, they rely on a decentralized network of (possibly anonymous) validators to maintain and
update copies of the ledgers. This necessitates that consensus between the
validators is maintained about the correct record of transactions so that the users can be sure to
receive and keep ownership of balances. But such a consensus ultimately requires that (i) users do
not double-spend the currency and (ii) that users can trust the validators to accurately update the
ledger.
How do cryptocurrencies such as Bitcoin tackle these challenges? Trust in the currency is based
on a blockchain which ensures the distributed verification, updating and storage of the record of
transaction histories.6 This is done by forming a blockchain. A block is a set of transactions
that have been conducted between the users of the cryptocurrency. A chain is created from these
blocks containing the history of past transactions that allows one to create a ledger where one
can publicly verify the amount of balances or currency a user owns. Hence, a blockchain is like a
book containing the ledger of all past transactions with a block being a new page recording all the
current transactions
the right to update the chain with a new block. This competition can take various forms. In Bitcoin,
it happens through a process called mining. Miners (i.e. transaction validators) compete to solve
a computationally costly problem which is called proof-of-work (PoW).7 The winner of this mining
process has the right to update the chain with a new block. The consensus protocol then
prescribes that the “longest” history will be accepted as the trusted public record.8 Since transaction
validation and mining are costly, a reward structure is needed for mining to take place. In Bitcoin,
for example, such rewards are currently financed by the creation of new coins and transaction fees.9
The main concern for users when trusting a cryptocurrency is the double spending problem: after
having conducted a transaction, a user attempts to convince the validators (and, hence, the general
public if the blockchain is trusted) to accept an alternative history in which some payment was
not conducted.10 If this attack succeeds, this user will keep both the balances and the product
or service he obtained while the counterparty will be left empty handed. Hence, the possibility of
such double-spending can undermine the trust in the cryptocurrency.
7Other consensus protocols are being explored which we briefly discuss in the Appendix.
8In general, there is no explicit requirement to follow the consensus protocol in the sense that validators and users
can trust an alternative history or blockchain that is not the longest one. Well-designed cryptocurrencies, however,
try to ensure that there are sufficient incentives to work with the longest history. For example, in Bitcoin the reward
paid to a successful miner is contained in the new block itself. Should a different chain be adopted at a later stage,
this reward will be obsolete. For a game-theoretic analysis of the incentives to build on the longest chain, see Biais
et al. (2017).
9Huberman et al. (2017) explore the reward structure of cryptocurrencies from the perspective of the mining
game, but without modelling the double spending problem.
10While basic cryptography ensures that people cannot spend others’ balances, a miner can exclude from a block
A blockchain based on a PoW consensus protocol naturally protects against attempts to change the
transaction history backwards. The blockchain has to be dynamically consistent in the sense that
current transactions have to be linked to transactions in all previous blocks.11 Consequently, if a
person attempts to revoke a transaction in the past, he has to propose an alternative blockchain
(with that particular transaction removed) and perform the PoW for each of the newly proposed
blocks. Therefore, it is very costly to rewrite the history of transactions backwards if the part of
the chain that needs to be replaced is long. Hence, the “older” transactions are, the more users can
trust them.
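The cost of rewriting history described above, as an added example (not code from the paper): a toy hash-linked chain in Python in which a changed block fails validation, and replacing it means redoing the proof-of-work for that block and every later one. The difficulty target, block layout and sample transactions are assumptions made for illustration and do not reproduce Bitcoin's format.

```python
import hashlib
import json

DIFFICULTY = 3      # toy target (assumption): hash must start with 3 hex zeros
GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(prev, txs, nonce):
    return hashlib.sha256(json.dumps([prev, txs, nonce]).encode()).hexdigest()

def mine(prev, txs):
    """Proof-of-work: try nonces until the hash meets the target."""
    nonce = 0
    while not block_hash(prev, txs, nonce).startswith("0" * DIFFICULTY):
        nonce += 1
    block = {"prev": prev, "txs": txs, "nonce": nonce,
             "hash": block_hash(prev, txs, nonce)}
    return block, nonce + 1  # nonce + 1 = number of hashes tried

def extend(chain, tx_batches):
    """Mine one block per batch on top of `chain`; return (new chain, hashes tried)."""
    chain, work = list(chain), 0
    for txs in tx_batches:
        prev = chain[-1]["hash"] if chain else GENESIS
        block, attempts = mine(prev, txs)
        chain.append(block)
        work += attempts
    return chain, work

def first_invalid(chain):
    """Index of the first block that fails validation, or None if all pass."""
    prev = GENESIS
    for i, b in enumerate(chain):
        h = block_hash(b["prev"], b["txs"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or not h.startswith("0" * DIFFICULTY):
            return i
        prev = b["hash"]
    return None

def rewrite_from(chain, index, new_txs):
    """Replace block `index`; PoW must be redone for it and every later block."""
    later = [b["txs"] for b in chain[index + 1:]]
    return extend(chain[:index], [new_txs] + later)

# Constructed sample ledger: one transaction batch per block.
BATCHES = [["mint->alice:5"], ["alice->bob:2"], ["bob->carol:1"], ["carol->dave:1"]]

if __name__ == "__main__":
    chain, _ = extend([], BATCHES)
    for depth in range(1, len(chain) + 1):
        _, work = rewrite_from(chain, len(chain) - depth, ["(payment removed)"])
        print(f"rewrite {depth} block(s) back: {work} hashes")
```

Each block's hash covers the previous block's hash, so validators reject a chain in which only the altered block was re-mined: the next block no longer links to it.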
Unfortunately, a blockchain does not automatically protect a cryptocurrency against a double-spending attack that is forward-looking. Figure 2.3 considers a spot trade between a buyer and
a seller involving a cryptocurrency. The buyer instructs the miners to transfer a payment to the
seller while the seller simultaneously delivers the goods. Notice that the buyer can always secretly
mine an alternative history (or submit to some miners a different history) in which the fund is
not transferred. The final outcome of the transaction depends on which payment instruction is
incorporated into the blockchain first. If the former payment instruction is incorporated, then the
double-spending attempt fails. The seller receives the payment and the buyer gets the goods. If
the latter is accepted instead, then the double-spending attempt succeeds. In this case, the buyer
gets the goods without paying the seller.
Such a double spending attack can be discouraged by introducing a confirmation lag into the
transactions. By waiting some blocks before completing the transaction (i.e., the seller delays the
delivery of the goods), it becomes harder to alter transactions in a sequence of new blocks. Figure
2.4 illustrates how a confirmation lag of one block confirmation raises the secret mining burden of
a double spender. The seller delivers the goods only after the payment is incorporated into the
blockchain at least in one new block. Again, the buyer can secretly mine an alternative history
in which the payment does not happen. How successful secret mining is depends on the mining
competition and the length of the confirmation lag.
some transactions that have been initiated by other people. With positive transaction fees, a miner does not have an
incentive to remove other people’s transactions and lose such fees.
11For example, if someone transfers a balance d in block T, it must be the case that the person has received
sufficient net flows from block 0 to block T − 1 so that the accumulated amount is at least d.
Suppose the buyer successfully solves the PoW for the block containing this alternative history.
Note that the buyer has an option whether to broadcast the secretly mined block immediately or
withhold it for future mining. If he decides to broadcast the block immediately, the seller will not
receive the payment, but he will also not deliver the goods as shown on the top of the figure. Hence,
the double-spending attack is not successful for the buyer.
Alternatively, the buyer can temporarily withhold the solved block and continue to secretly mine
another block (depicted on the bottom of the figure). Specifically, the buyer needs to allow other
miners to confirm the original payment to the seller, so as to induce the seller to deliver the goods.
At the same time, the buyer needs to secretly mine two blocks in a row for which the original
transaction is removed.12 If the buyer is successful in mining two blocks faster than other miners,
he can announce an alternative blockchain after the goods are delivered. In this case, the buyer
gets the goods without paying the seller. More generally, if the seller delivers the goods only after
observing N confirmations of the payment, the buyer needs to solve blocks N + 1 consecutive times
in order to double spend successfully.
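The settlement-lag rule above, seen from the seller's side, as an added example (not code from the paper): it computes the chance that a buyer wins N + 1 block contests in a row, checks it against a seeded simulation in which each block's winner is drawn in proportion to computational power, and finds the smallest lag that keeps the risk under a chosen tolerance. The miner names, power figures and tolerance are constructed, and the "N + 1 consecutive wins" condition is the text's own simplification of the mining race.

```python
import random

def win_share(powers, miner):
    """Per-block win probability: the miner's fraction of total computational power."""
    return powers[miner] / sum(powers.values())

def success_probability(share, n_conf):
    """Text's rule: after N confirmations the buyer must win N + 1 contests in a row."""
    return share ** (n_conf + 1)

def min_confirmations(share, tolerance, max_n=200):
    """Smallest lag N whose double-spend probability is at most `tolerance`."""
    if not (0 <= share < 1 and 0 < tolerance < 1):
        raise ValueError("need 0 <= share < 1 and 0 < tolerance < 1")
    for n in range(max_n + 1):
        if success_probability(share, n) <= tolerance:
            return n
    raise ValueError("no lag up to max_n meets the tolerance")

def simulate(powers, buyer, n_conf, trials=100_000, seed=1):
    """Monte Carlo check: draw each block's winner in proportion to power and
    count payment cycles in which the buyer wins N + 1 consecutive blocks."""
    rng = random.Random(seed)
    miners, weights = list(powers), list(powers.values())
    wins = 0
    for _ in range(trials):
        # all() stops at the first block the buyer loses
        if all(rng.choices(miners, weights)[0] == buyer for _ in range(n_conf + 1)):
            wins += 1
    return wins / trials

# Constructed example: units of computational power held by each miner.
POWERS = {"buyer": 30, "pool_a": 45, "pool_b": 25}

if __name__ == "__main__":
    share = win_share(POWERS, "buyer")
    for n in range(5):
        print(n, round(success_probability(share, n), 5),
              simulate(POWERS, "buyer", n, trials=20_000))
    print("lag for 1% risk:", min_confirmations(share, 0.01))
```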
To summarize, trust in a cryptocurrency system involves the interplay of three ideas: the security
of the blockchain, the health of the mining ecosystem and the value of the currency.13 As shown
in Figure 2.5, sufficient mining activities are required for ensuring the security of the blockchain,
safeguarding it against attacks and dishonest behaviors. Moreover, only when users trust the
security of the system will the cryptocurrency be widely accepted and traded at a high value.
Finally, the value of the currency supports the reward scheme to incentivize miners to engage in
costly mining activities.
Our model will capture precisely this interdependence by explicitly looking at the joint determination of mining efforts, rewards and cryptocurrency value in general equilibrium. The main features
of a cryptocurrency model in Section 3 are therefore given by
(i) a consensus protocol: miners compete to update a blockchain with the probability of winning
being proportional to the fraction of computational power owned by a miner
(ii) settlement lags: double spending is discouraged by sellers waiting for N validations before
delivering the goods so that the buyer needs to win the mining game N + 1 times in order to
revoke a payment
(iii) a reward scheme: rewards for winning miners are financed by seigniorage (new coins) and
transaction fees.
12Since the consensus protocol prescribes that the longest chain is accepted by the miners, the double spender
needs to mine two blocks in order to create an alternative, longer blockchain superseding the existing one which has
one block solved already.
13This has been pointed out already in the computer science literature (see for example Narayanan et al. (2016)),
but without making the connection to an equilibrium incentive problem for double spending.
3 The Double Spending Problem
As pointed out in the previous section, due to its digital nature, a cryptocurrency system is subject
to the double spending problem. To focus on this problem, this section develops a partial equilibrium model to study the mining and double-spending decision within one payment cycle. Taking
as given the price and quantity of balances, the terms of trade and the mining rewards, this basic
model determines the mining activities and the buyers’ incentives to double spend. In the next
section, we will incorporate this basic set-up into a general equilibrium monetary model to perform
a full analysis.