Private Key Storage:
Addresses and Address Derivation
Some blockchain networks make use of an address, which is a short, alphanumeric string of characters derived from the blockchain network user’s public key using a cryptographic hash function, along with some additional data (e.g., version number, checksums). Most blockchain implementations make use of addresses as the “to” and “from” endpoints in a transaction. Addresses are shorter than the public keys and are not secret. One method to generate an address is to create a public key, apply a cryptographic hash function to it, and convert the hash to text:
public key → cryptographic hash function → address
Each blockchain implementation may implement a different method to derive an address. For permissionless blockchain networks, which allow anonymous account creation, a blockchain network user can generate as many asymmetric-key pairs, and therefore addresses, as desired, allowing for a varying degree of pseudo-anonymity. Addresses may act as the public-facing identifier in a blockchain network for a user, and oftentimes an address will be converted into a QR code (Quick Response Code, a 2-dimensional bar code which can contain arbitrary data) for easier use with mobile devices.
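The derivation described above (public key, hash, version number, checksum, text) can be sketched as follows. This is an added example, not code from NISTIR 8202 or from any blockchain network: the one-byte version, the 20-byte truncated SHA-256 hash, the 4-byte checksum, the hex encoding and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac

VERSION = b"\x01"            # assumed one-byte version prefix
HASH_LEN, CHECK_LEN = 20, 4  # assumed field sizes for this example

def _checksum(payload: bytes) -> bytes:
    # Checksum over version + key hash, so a typo in either part is caught.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:CHECK_LEN]

def derive_address(public_key: bytes, version: bytes = VERSION) -> str:
    """public key -> cryptographic hash -> (version, hash, checksum) -> text."""
    key_hash = hashlib.sha256(public_key).digest()[:HASH_LEN]
    payload = version + key_hash
    return (payload + _checksum(payload)).hex()

def parse_address(address: str) -> tuple[bytes, bytes]:
    """Return (version, key_hash); raise ValueError for a malformed address."""
    try:
        raw = bytes.fromhex(address)
    except ValueError as exc:
        raise ValueError("address is not hexadecimal text") from exc
    if len(raw) != len(VERSION) + HASH_LEN + CHECK_LEN:
        raise ValueError("address has the wrong length")
    payload, check = raw[:-CHECK_LEN], raw[-CHECK_LEN:]
    if not hmac.compare_digest(check, _checksum(payload)):
        raise ValueError("checksum mismatch: address was mistyped or altered")
    return payload[:1], payload[1:]

def matches_key(address: str, public_key: bytes) -> bool:
    """Check that an address was derived from the given public key."""
    _, key_hash = parse_address(address)
    return key_hash == hashlib.sha256(public_key).digest()[:HASH_LEN]

# Constructed sample input: 65 arbitrary bytes standing in for a public key.
SAMPLE_PUBLIC_KEY = b"\x04" + bytes(range(64))

if __name__ == "__main__":
    addr = derive_address(SAMPLE_PUBLIC_KEY)
    print("address:", addr)
    print("matches key:", matches_key(addr, SAMPLE_PUBLIC_KEY))
```

The checksum lets wallet software reject a mistyped address before a transaction is signed, which matters because a transfer to a wrong address generally cannot be undone.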
Figure 2 - A QR code example which has encoded the text “NISTIR 8202 - Blockchain Technology Overview QR code example”
NISTIR 8202 BLOCKCHAIN TECHNOLOGY OVERVIEW
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.8202
Blockchain network users may not be the only source of addresses within blockchain networks. It is necessary to provide a method of accessing a smart contract once it has been deployed within a blockchain network. For Ethereum, smart contracts are accessible via a special address called a contract account. This account address is created when a smart contract is deployed (the address for a contract account is deterministically computed from the smart contract creator’s address [11]). This contract account allows for the contract to be executed whenever it receives a transaction, as well as create additional smart contracts in turn.
3.4.1 Private Key Storage
With some blockchain networks (especially with permissionless blockchain networks), users must manage and securely store their own private keys. Instead of recording them manually, they often use software to securely store them. This software is often referred to as a wallet.
The wallet can store private keys, public keys, and associated addresses. It may also perform other functions, such as calculating the total number of digital assets a user may have. If a user loses a private key, then any digital asset associated with that key is lost, because it is computationally infeasible to regenerate the same private key. If a private key is stolen, the attacker will have full access to all digital assets controlled by that private key. The security of private keys is so important that many users use special secure hardware to store them; alternatively, users may take advantage of an emerging industry of private key escrow services.
These key escrow services can also satisfy KYC laws in addition to storing private keys as users must provide proof of their identity when creating an account. Private key storage is an extremely important aspect of blockchain technology. When it is reported in the news that “Cryptocurrency XYZ was stolen from…”, it almost certainly means some private keys were found and used to sign a transaction sending the money to a new account, not that the blockchain network itself was compromised. Note that because blockchain data cannot generally be changed, once a criminal steals a private key and publicly transfers the associated funds to another account, that transaction generally cannot be undone.
Ledgers:
A ledger is a collection of transactions. Throughout history, pen and paper ledgers have been used to keep track of the exchange of goods and services. In modern times, ledgers have been stored digitally, often in large databases owned and operated by a centralized trusted third party (i.e., the owner of the ledger) on behalf of a community of users. These ledgers with centralized ownership can be implemented in a centralized or distributed fashion (i.e., just one server or a coordinating cluster of servers). There is growing interest in exploring having distributed ownership of the ledger. Blockchain technology enables such an approach using both distributed ownership as well as a distributed physical architecture. The distributed physical architecture of blockchain networks often involves a much larger set of computers than is typical for centrally managed distributed physical architecture. The growing interest in distributed ownership of ledgers is due to possible trust, security, and reliability concerns related to ledgers with centralized ownership:
• Centrally owned ledgers may be lost or destroyed; a user must trust that the owner is properly backing up the system.
  o A blockchain network is distributed by design, creating many backup copies all updating and syncing to the same ledger data between peers. A key benefit to blockchain technology is that every user can maintain their own copy of the ledger. Whenever new full nodes join the blockchain network, they reach out to discover other full nodes and request a full copy of the blockchain network’s ledger, making loss or destruction of the ledger difficult. Note – certain blockchain implementations provide the capability to support concepts such as private transactions or private channels. Private transactions facilitate the delivery of information only to those nodes participating in a transaction and not the entire network.
• Centrally owned ledgers may be on a homogeneous network, where all software, hardware and network infrastructure may be the same. Because of this characteristic, the overall system resiliency may be reduced since an attack on one part of the network will work everywhere.
  o A blockchain network is a heterogeneous network, where the software, hardware and network infrastructure are all different. Because of the many differences between nodes on the blockchain network, an attack on one node is not guaranteed to work on other nodes.
• Centrally owned ledgers may be located entirely in specific geographic locations (e.g., all in one country). If network outages were to occur in that location, the ledger and services which depend on it may not be available.
  o A blockchain network can be comprised of geographically diverse nodes which may be found around the world. Because of this, and the blockchain network working in a peer-to-peer fashion, it is resilient to the loss of any node, or even an entire region of nodes.
• The transactions on a centrally owned ledger are not made transparently and may not be valid; a user must trust that the owner is validating each received transaction.
  o A blockchain network must check that all transactions are valid; if a malicious node was transmitting invalid transactions, others would detect and ignore them, preventing the invalid transactions from propagating throughout the blockchain network.
• The transaction list on a centrally owned ledger may not be complete; a user must trust that the owner is including all valid transactions that have been received.
  o A blockchain network holds all accepted transactions within its distributed ledger. To build a new block, a reference must be made to a previous block – therefore building on top of it. If a publishing node did not include a reference to the latest block, other nodes would reject it.
• The transaction data on a centrally owned ledger may have been altered; a user must trust that the owner is not altering past transactions.
Blockchain Technology Overview
3.5 Comparison of Blockchain Networks and Centrally Owned Ledgers
A blockchain network is a heterogeneous environment in which the software, hardware, and network infrastructure may vary significantly between nodes. Due to these differences, an attack that succeeds against one node is not guaranteed to succeed against others. This diversity contributes to the resilience and robustness of blockchain systems.
3.5.1 Geographic Distribution and Availability
Centrally owned ledgers are often hosted in specific geographic locations, sometimes entirely within a single country. If a network outage or disaster occurs in that location, the ledger and dependent services may become unavailable.
In contrast, a blockchain network is typically composed of geographically distributed nodes located around the world. Operating in a peer-to-peer (P2P) manner, blockchain networks remain functional even if individual nodes—or entire regions of nodes—become unavailable. This distributed architecture enhances system availability and resilience.
3.5.2 Transaction Transparency and Validation
In centrally owned ledger systems, transactions are not necessarily transparent. Users must trust the ledger owner to properly validate each transaction.
Blockchain networks, however, require validation of all transactions by participating nodes. If a malicious node attempts to propagate invalid transactions, other nodes detect and reject them. This collective validation process prevents invalid transactions from being permanently recorded in the blockchain.
3.5.3 Completeness of the Transaction Record
A centrally owned ledger may not include all valid transactions, requiring users to trust that the owner has not omitted any entries.
Blockchain networks maintain a distributed ledger containing all accepted transactions. Each new block must reference the previous block by including its hash value, thereby forming a continuous chain. If a node publishes a block that does not reference the latest valid block, other nodes will reject it. This mechanism ensures continuity and completeness of the ledger.
3.5.4 Data Integrity and Tamper Resistance
In centrally controlled systems, users must trust that past transaction data has not been altered.
Blockchain networks employ cryptographic mechanisms—such as digital signatures and cryptographic hash functions—to ensure that ledgers are tamper-evident and tamper-resistant. Any modification to a past transaction would alter its hash, breaking the chain and making the tampering immediately detectable.
3.5.5 Security and Attack Resistance
A centrally owned system may suffer from security vulnerabilities if proper patching and best practices are not maintained. A breach may result in the theft of sensitive or personal information.
Blockchain networks, by design, eliminate a single centralized point of failure. Information stored on many public blockchain networks is openly viewable and typically does not provide centralized data repositories to exploit. An attacker would need to target individual users rather than the entire network. Even if one node is compromised or unpatched, the integrity of the overall system remains intact due to the presence of honest nodes.
3.6 Blocks
Blockchain network users submit candidate transactions through software applications such as desktop applications, mobile applications, digital wallets, and web services. These applications transmit transactions to one or more nodes in the blockchain network. These nodes may include non-publishing full nodes or publishing nodes.
Once submitted, transactions are propagated throughout the network. However, propagation alone does not add the transaction to the blockchain. In many blockchain implementations, pending transactions enter a queue (often called a transaction pool) and remain there until a publishing node includes them in a newly created block.
3.6.1 Block Creation and Structure
Transactions are officially recorded on the blockchain when a publishing node creates and broadcasts a new block. Each block typically consists of two primary components:
• Block Header
• Block Data
Block Header
The block header contains metadata about the block, which may include:
• The block number (also known as the block height in some networks).
• The hash value of the previous block header.
• A hash representation of the block data.
Different methods may be used to generate this hash representation. For example, some blockchain implementations use a Merkle tree structure to compute and store a root hash summarizing all transactions in the block. Others may compute a hash over the entire block data directly.
Block Data
The block data contains a list of validated and authenticated transactions submitted to the blockchain network.
Before inclusion in a block, each transaction must undergo validation to ensure:
• It is correctly formatted.
• The providers of digital assets (identified in the transaction inputs) have cryptographically signed the transaction.
Digital signatures verify that the asset providers possessed the corresponding private keys necessary to authorize the transaction. After a publishing node broadcasts a new block, other full nodes independently verify the validity and authenticity of all included transactions. If any transaction is invalid, the entire block is rejected.
Note:
Each blockchain implementation may define its own specific data structures and fields. However, the fundamental concepts of block headers, transaction validation, cryptographic linking, and distributed verification remain central to most blockchain systems.
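The block structure in section 3.6.1 and the tamper-evidence argument in section 3.5.4 can be exercised together with a small model. This is an added example, not code from the original publication or from any blockchain implementation: the field names, the JSON header encoding, the Merkle pairing rule and the sample transactions are assumptions, and signature checking is left out.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(transactions: list[str]) -> str:
    """Root hash summarizing all transactions in the block data."""
    level = [sha256_hex(tx.encode()) for tx in transactions] or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:            # odd count: pair the last hash with itself
            level.append(level[-1])   # (a convention chosen for this example)
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

def header_hash(header: dict) -> str:
    return sha256_hex(json.dumps(header, sort_keys=True).encode())

def build_chain(batches: list[list[str]]) -> list[dict]:
    """Create one block per batch; each header links to the previous header."""
    chain, prev = [], "0" * 64        # placeholder link for the first block
    for number, txs in enumerate(batches):
        header = {"number": number, "prev_hash": prev,
                  "data_hash": merkle_root(txs)}
        chain.append({"header": header, "data": list(txs)})
        prev = header_hash(header)
    return chain

def first_invalid_block(chain: list[dict]):
    """Index of the first block a verifying node would reject, or None."""
    for i, block in enumerate(chain):
        header = block["header"]
        if header["data_hash"] != merkle_root(block["data"]):
            return i                  # block data no longer matches its header
        if i > 0:
            parent = chain[i - 1]["header"]
            if (header["number"] != parent["number"] + 1
                    or header["prev_hash"] != header_hash(parent)):
                return i              # link to the previous header is broken
    return None

# Constructed sample transactions.
SAMPLE_BATCHES = [["alice->bob:5"], ["bob->carol:2", "carol->dave:1"],
                  ["dave->alice:1"]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("untouched chain:", first_invalid_block(chain))
    chain[1]["data"][0] = "bob->mallory:2"
    print("after editing block 1 data:", first_invalid_block(chain))
```

Rewriting block 1's `data_hash` to match the edited data only moves the failure to block 2, whose `prev_hash` no longer matches.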