AnupamDattaCMUFall2015

¡  ArationalreconstructionofBitcoin

1.  Startwithstrawmandesign

2.  Identifyweaknesses

3.  Augmentdesignanditerate

¡  Alice:“I,Alice,amgivingBobonecoin”¡  Alicedigitallysignsmessageandannouncesbitstoeveryone.

¡  Properties§  EstablishmentofAlice’sintent§  Limitedprotectionfromforgery

¡ Weakness§  Coinsarenotunique;canbeduplicated

¡  Alice:“I,Alice,amgivingBobonecoin,withserialnumber8740348”

¡  Alice:“I,Alice,amgivingBobonecoin,withserialnumber8770431”

¡  Bankissuescoinswithuniqueserialnumbers,keepstrackofwhoownscoins,verifiestransactions

¡  Properties§  EstablishmentofAlice’sintent§  Betterprotectionfromforgery

¡  Weaknesses§  Needtrustedbanktoissuecoins,keeptrackofwhoownscoins,

verifytransactions§  Bankcanlinktransactionstoidentity

¡  E-cashlectureonNov18§  Retainbank§  Ensurethatbankcannotlinktransactionstoidentity

§  Agentscannotdoublespendtheirelectroniccoins

¡  KeynoveltyinBitcoindesign§  Nocentralizedbank

¡  Everyonemaintainsacopyofthepublicledger(blockchain)oftransactions(keepstrackofwhoownscoins)

¡  Alice:“I,Alice,amgivingBobonecoin,withserialnumber8740348”

¡  BobuseshiscopyoftheblockchaintocheckthatthecoinisAlice’s;hebroadcastsbothAlice’smessageandhisacceptanceofthetransactiontotheentirenetwork,andeveryoneupdatestheircopyoftheblockchain.

¡  Weaknesses

§  Howtogetserialnumbers?§  Double-spending:WhatifAlicegivesthesamecointoBoband

Charlieatthesametime?

¡  BobdoesnotverifyAlice’scoinbyhimself.¡  Askseveryoneonthenetworktoverify¡ When“enough”peopleconfirmthatthecoinisindeedAlice’s,Bobacceptsandeveryoneupdatestheirblockchain

¡ Weakness:§  Sybilattack:Alicecreatesmanyfakeagentswholieforher;Alicespendsthesamecoinmanytimes

¡  Computationallycostlyfornetworkuserstovalidatetransactions

¡  Rewardnetworkusersforvalidatingtransactions

¡  Properties

§  Sybilattackwon’tworkunlessdishonestagentsputinsignificantcomputationalresources

§  Verifiersrewardedwithfixednumberofbitcoinsforabatchoftransactions(detailssoon)

§  Additionalideastoensurethatledgersuccinctlymaintainshistoryofalltransactions(detailssoon)

¡  Apeer-to-peerdigitalpaymentsystem¡  Completelydecentralizeddigitalcurrency

§  Nocentralminttoproducecurrency

§  Nocentralbanktoverifytransactions

§  Onceconfirmed,transactionsareirreversible

§  Predictable,capped,currencysupply

¡  KeyinnovationinBitcoin:coinproductionandverificationisdonebynetworkconsensus

¡  Thereisactuallynonotionofa“coin”

¡  Bitcoinsareexchangedfrom“wallet”to“wallet”¡  Transactionsareattheheartoftheprotocol¡  Walletsarerepresentedbyaddresses(e.g.,1VayNert…)§  (Anaddressisthepublickeyofthewallet)

¡  Alicewantstosend1BTCtoBob§  Shepicksatransaction(oragroupoftransactions)thatshehaspreviouslybeentherecipientofandthatcumulativelycontainatleast1BTC

§  ShethenappendsBob’swalletaddresstothetransactionanddigitallysignsit

¡ WhenBobsubsequentlywantstospendthe1BTC,allhehastodoistorepeattheoperation

¡  Bobnowhas1BTC§  HewantstosendittoCharlie…§  …whilekeepingitforhimselfatthesametime

¡  TopreventthisBob(andAlicebeforehim)hasto

broadcastthetransactiontoeverybodyintheBitcoinnetwork

¡  Thenotherpeerscanverifythatthetransactionisnotadouble-spend

¡  Oncethisisdone,thetransactionisembeddedforeverinapublicledger

SignA(TransferXtoB) SignA(TransferXtoC)SignA(TransferXtoB)

Longestchainwins

Slidecredit:JoeBonneau

IN:scriptSig...scriptSig...

OUT:scriptPub

A,5.9

...

...

IN:scriptSigA

OUT:scriptPubB,5.0

scriptPubA,0.9

IN:scriptSigAscriptSigA

OUT:

scriptPubC,10.0

IN:scriptSig...

OUT:

scriptPubA,9.2

...

Slidecredit:JoeBonneau

1.  {"hash":"7c4025...",//serialnumber:hashoftransaction2.  "ver":1,//protocolversion3.  "vin_sz":1,//no.ofinputs4.  "vout_sz":1, //no.ofoutputs5.  "lock_time":0,//transactionfinalizedaftertime6.  "size":224,//no.ofbytesintransaction7.  "in":[//inputoftransaction7-118.  {"prev_out"://inputisanoutputofaprevioustransact.9.  {"hash":"2007ae...",//serialnumberofprevioustransact.10.  "n":0},//outputnumberofprevioustransact.11.  "scriptSig":"304502...042b2d..."}],//signatureandpubkeyofsender12.  "out":[ //outputoftransaction12-1413.  {"value":"0.31900000",//outputs0.319BTC14.  "scriptPubKey":"OP_DUPOP_HASH160a7db6fOP_EQUALVERIFY

OP_CHECKSIG"}]}//scriptforverifyingtransaction

scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

IN:scriptSig...scriptSig...

OUT:scriptPub

A,5.9

IN:scriptSigA

OUT:scriptPubB,5.0

scriptPubA,0.9

<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

scriptSig: <sig> <pubKey>

Redemptionscript:

Slidecredit:JoeBonneau

<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

<sig> ✓<pubKey>

<pubKey>

<pubKeyHash>

<pubKeyHash>

Slidecredit:JoeBonneau

https://en.bitcoin.it/wiki/Script

¡  Coinproductionisembeddedintheverificationprocess

¡  Verifiers(“miners”)verifybatchesoftransactionsatonce§  Inexchangeforwhichtheyareallowedtoadda“creation”transactiontothebatchandgivethemselvesafixedamountofmoney▪  50BTCoriginally,25BTCnow,dividedbytwoeverysooften

§  Verificationiscombinedwitha“proof-of-work”schemetoensure▪  Thattransactionshavepropertimestamping▪  Thatcurrencyproductionisrate-limited

¡  Minerssolveacryptographicpuzzle:Findxs.t.H(x||l)<ywherelisthebatchoftransactions.

¡  Thereisnogoodalgorithmtosolvethis(H isacryptographicallysecurehashfunction)§  Brute-force:tryx=0, x=1, x=2, x=… §  The lower y, the harder the puzzle

¡  Difficulty is tunable and is (by edict) designed to be inversely proportional to the total computational power of the network

¡  The goal is to have one block every ten minutes §  Predictable supply of currency (independent of the difficulty) §  But this limits how quickly transactions can be verified ▪  At least 10 minutes, usually 60 minutes is recommended

¡  Inadditiontothebonustheygetformining,minersget“transactionfees”§  Leftover“change”voluntarilyleftintransactions

¡  Becausethebonusisdecreasingovertime,theexpectationisthattransactionfeeswillincreaseovertimetomakeupforlostminingrevenue

Courtesy:BrianWarner

•  264hashesperblock(every10minutes!)•  275hashesin2013o  Inexchangefor~US$250M

•  Consuming>100MW

Slidecredit:JoeBonneau

¡  Becomeaminer§  Nowadaysonlyprofitableifdedicated(ASIC)hardware

¡  Buyatanexchange§  CampBX,Bitstamp,BTC-e,Coinbase…§  (Mt.Goxbeforetheywentbankrupt)§  Veryhighconcentrationonexchangesthroughwhichmoneyisexchanged▪  Exchangesfailprettyoften…

§  Increasinglyscrutinizedbyregulators¡  Buyfromindividuals

§  SatoshiSquareinNYC

¡  Asaspeculativeinstrument§  PeopleinvestinBTC,bettingonitsrisingvalue§  Dominantusethusfar

¡  Asacurrency§  Onlycurrencyacceptedonundergroundmarketplaces(SilkRoad,Evolution,…)▪  (ExceptforLiteCoin,whichisacloneofBitcoin)▪  Becauseofits“anonymityproperties”▪  Stillrelativelymodest▪  EntireSilkRoadrevenuerepresentedin1sthalfof2012about$15M/annum

§  Gambling,pokersites▪  Largenumberoftransactions,volumenotveryhigh

§  Otherusesstillintheirinfancy▪  Campaigncontributions,onlinestores(e.g.,Overstock),etc

¡ Walletsarepublic/privatekeypairs§  Cancreateasmanyasyouwant§  Thinkofthemaszero-costpseudonyms

¡  ThereisnocentralauthorityissuingBitcoinsorvettingtransactions

¡  ThismeansBitcoinisanonymous,right?NO!

¡  Anonymityhereimpliesunlinkabilityoftransactions¡  Theentireledgerofalltransactionsisavailable,forever

§  Technicallyinacompressedform,buttransactionchainscanallbereconstructed

¡  Evenifyouaddintermediarydummystepswallets,linkingthesourceandthedestinationofatransactionmaybedonebygraphanalysis…§  Somethingthatcomputerscientistsknowhowtodo!▪  Reid&Harrigan,2011▪  Shamir&Ron,2012 ▪  Meiklejohnetal.,2013

¡  Familiesofwalletscanbepooledtogetherasbelongingtothe

sameactualuser…¡  …andifsomehowyoucangettheuser’sidentity,thegameisover

¡ Mixers

¡  DidAlicegive10BTCtoCharlesorDaisy?

Mixer

Alice

Bob

Charles

Daisy

10BTC

10BTC

10BTC

10BTC

¡  Mixersinpractice

¡  Needtoalsointroducearbitrarydelays¡  Introductionofchangeaddresses,etc¡  Mixercanbedishonest!

Mixer(keeps5%)

Alice

Bob

Charles

Daisy

5BTC

10BTC

4.75BTC

9.5BTC

¡  It’sunclearhowgoodexistingBitcoinmixersare§  Keydifferencewithmessagemixing(Tor,mixnets)▪  Youcan’timplementarbitrary“padding”–moneyhastogosomewhereeventually

§  Possiblemeasure:taint▪  Amountofmoneythatcanbetracedbacktoagivensource

§  Recentresearchsuggestsexistingmixersarenoteffectiveordownrightdishonest

¡  Slides2-10,15,18,21aremine¡  ThankstoNicolasChristinforallotherslides

bitcoinwisdom.com

bitcoinwisdom.com

Slidecredit:JoeBonneau

Chilkootpass,Klondike1898

Slidecredit:JoeBonneau