Bitcoin Jeff Chase Duke University

Post on 18-Jan-2016


Page 1: Bitcoin Jeff Chase Duke University. Some sources [NBFMG15]

Bitcoin

Jeff Chase, Duke University

Page 2:

Some sources

[NBFMG15]

Page 3:

http://spectrum.ieee.org/img/06Bitcoin-1338412974774.jpg

Page 4:

Principles of Bitcoin

• What is Bitcoin?

– A digital currency. It is money: you can buy it for USD$, spend it for goods and services, or cash it in for USD$.

– A family of programs and protocols, running on IP-connected computers that form a P2P network to manage the currency.

• Who can join the Bitcoin network?

– Anyone with an IP-connected computer: just run a program.

– You can remain anonymous, but your IP address will be seen.

• Who controls Bitcoin?

– Nobody and everybody. It is a decentralized system with clever built-in incentives to maintain a balance of power, even when some participants (“miners”) may be large and powerful.

Page 5:

Bitcoin matters

[NBFMG15]

Page 6:

The Bitcoin network

• Nodes cooperate to maintain a tamper-evident log (the “block chain”) with a history of all transfers of coin (“transactions”).

• There is no central repository for the log.

– Many nodes keep copies. Anyone can query for it.

– Nodes exchange pieces of the log (e.g., blocks of transactions) by passing them through the network in a peer-to-peer fashion.

• A Bitcoin client joins the network by querying well-known nodes (DNS seeds) for the IP addresses of other randomly selected nodes.

• Each node keeps a short list of randomly selected peers, and broadcasts the blocks and transactions it hears about to its peers.

– Soon everyone hears about everything.

• Nodes in the network play various roles ranging from simple clients (e.g., mobile) to large server clusters (miners) that build the log.

Page 7:

The Bitcoin network

Page 8:

Questions

• How can we keep money safe in a network of anonymous participants?

• How to reach consensus about who owns the money?

– Every atomic currency unit (a “satoshi”) must be owned by exactly one participant at any time.

• How to validate transactions to be sure that the spenders really own the money they are spending?

• Where does the money come from? There is no central trusted authority to mint currency (unlike “real” money).

• How to protect the network from attackers who might try to counterfeit or steal money, or disrupt the network?

Page 9:

Principals of Bitcoin

• Q: How to name/identify bitcoin “accounts” belonging to principal identities like Alice, Bob, etc.?

• We need an account address that enables anonymous proof of ownership.

– Anyone can make up an account/address.

– Nobody knows who owns the account.

– The owner (or the owner’s software) can prove on demand that it owns the account and the $$$.

– If the owner transfers $$$ to another account, others in the network can verify the owner’s intent.

Page 10:

Bitcoin addresses

Page 11:

Bitcoin addresses

• An address names a principal: an entity that can own bitcoin.

• It is the hash of a public key.

• The account owner is anyone with the matching private key.

• The owner may spend bitcoin by publishing a signed statement granting it to another address.


Page 12:

Bitcoin transactions

• A record of a funds transfer is called a transaction.

• It specifies (at least) a source and destination address, and an amount.

• Each transaction has a globally unique ID.

• Transactions are published to a global tamper-evident log.

• They are public: anyone can see and validate the transaction.

http://spectrum.ieee.org/img/06Bitcoin-1338412974774.jpg

Page 13:

http://spectrum.ieee.org/img/06Bitcoin-1338412974774.jpg

Bitcoin transactions

Page 14:

Bitcoin transactions

• A transaction may have multiple inputs and outputs.

• Each output specifies an amount and a destination address.

• Inputs include a link to an earlier transaction (named by its hash), and a numbered output.

• A valid transaction must be signed under the destination address of the outputs linked to its inputs.

Page 15:

https://bitcointalk.org/index.php?topic=279249.0

Bitcoin transactions

• Actually it’s a little more complicated…

• An output specifies a script to validate the transaction that spends it.

• But the simple/common case is just a signature check…

Page 16:

Block chain

From Narayanan et al.: Bitcoin and Cryptocurrency Technologies [NBFMG15]

Page 17:

Strawman #1: GoofyCoin

• [NBFMG15] explains bitcoin by two “straw man” designs.

• These motivate aspects of the design by illustrating problems that occur in designs that are “too simple”.

• In the first design, a central entity named “Goofy” issues special transactions to mint coins.

• The owner of coin can spend it by issuing a transaction record as described.

What could go wrong?

Page 18:

The rules of GoofyCoin are:

● Goofy can create new coins by simply signing a statement that he’s making a new coin with a unique coin ID.

● Whoever owns a coin can pass it on to someone else by signing a statement that says, “Pass on this coin to X” (where X is specified as a public key).

● Anyone can verify the validity of a coin by following the chain of hash pointers back to its creation by Goofy, verifying all of the signatures along the way.

[NBFMG15]

Strawman #1: GoofyCoin

Page 19:

[figure: NBFMG15]

Spending GoofyCoin

If Alice wants to transfer some coin to Bob, she just presents Bob with:

1. A signed transaction record to transfer the coin.

2. A linked chain of supporting records to prove:

• The coin is real.

• Alice owns it.

Page 20:

Of course, there’s a fundamental security problem with GoofyCoin. Let’s say Alice passed her coin on to Bob by sending her signed statement to Bob but didn’t tell anyone else.

She could create another signed statement that pays the very same coin to Chuck. To Chuck, it would appear that it is a perfectly valid transaction, and now he’s the owner of the coin. Bob and Chuck would both have valid-looking claims to be the owner of this coin.

This is called a double-spending attack — Alice is spending the same coin twice.

[NBFMG15]

Double spending

Page 21:

Strawman #2: ScroogeCoin

• Partial solution: a central party verifies and publishes/signs a globally visible tamper-evident log (blockchain).

• Double spending attacks can be prevented because:

– There is a single global order of all transactions.

– Everyone agrees on the global order (consensus).

– Anyone can verify that coins are not double-spent by scanning the log.

This leads us to strawman #2: “ScroogeCoin”. The central party who signs the log is this gentleman: Scrooge.
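The addresses and transactions of pages 11 to 14, together with the double-spend check that a single global log makes possible, as an added Go example. This is not code from the slides or from [NBFMG15]. It assumes P-256 ECDSA and a plain SHA-256 of the public key as the address (Bitcoin uses secp256k1 and RIPEMD160 over SHA-256 with Base58Check, as the code comments note), and the coin, key pairs and amounts are constructed for the demo:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Outpoint names one numbered output of an earlier transaction by that transaction's hash.
// Output grants satoshi to an address (hash of a public key). Input links to an outpoint and
// carries the proof needed to spend it: a public key hashing to that address, plus a signature.
type Outpoint struct{ TxID string; Index int }
type Output struct{ Amount int64; Address string }
type Input struct{ Prev Outpoint; PubKey *ecdsa.PublicKey; Sig []byte }
type Transaction struct{ Inputs []Input; Outputs []Output }

// AddressOf hashes a P-256 public key with SHA-256. That is this example's simplification;
// Bitcoin uses secp256k1 and RIPEMD160(SHA256(key)) encoded with Base58Check.
func AddressOf(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(append(pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))...))
	return hex.EncodeToString(sum[:])
}

// sigHash is what every input signs: the outpoints and outputs, never the signatures
// themselves (a signature cannot cover itself). ID, the transaction's unique name, is its hex.
func (tx *Transaction) sigHash() []byte {
	h := sha256.New()
	for _, in := range tx.Inputs {
		fmt.Fprintf(h, "%v;", in.Prev)
	}
	fmt.Fprintf(h, "%v", tx.Outputs)
	return h.Sum(nil)
}

func (tx *Transaction) ID() string { return hex.EncodeToString(tx.sigHash()) }

// Sign attaches the signer's public key and an ECDSA signature to every input.
func Sign(priv *ecdsa.PrivateKey, tx *Transaction) error {
	msg := tx.sigHash()
	for k := range tx.Inputs {
		sig, err := ecdsa.SignASN1(rand.Reader, priv, msg)
		if err != nil { return err }
		tx.Inputs[k].PubKey, tx.Inputs[k].Sig = &priv.PublicKey, sig
	}
	return nil
}

// Ledger is the global log reduced to what validation needs: the unspent outputs. Applying a
// transaction deletes the outputs it consumes, so offering an outpoint twice fails the lookup.
type Ledger map[Outpoint]Output

// Apply validates tx against the ledger and commits it only if every check passes.
func (l Ledger) Apply(tx *Transaction) error {
	msg, seen := tx.sigHash(), map[Outpoint]bool{}
	var in, out int64
	for _, i := range tx.Inputs {
		prev, ok := l[i.Prev]
		switch {
		case seen[i.Prev] || !ok:
			return errors.New("outpoint unknown, already spent, or listed twice")
		case i.PubKey == nil || AddressOf(i.PubKey) != prev.Address:
			return errors.New("public key does not hash to the output's address")
		case !ecdsa.VerifyASN1(i.PubKey, msg, i.Sig):
			return errors.New("signature does not verify")
		}
		seen[i.Prev], in = true, in+prev.Amount
	}
	for _, o := range tx.Outputs { // a negative output would let the sum check pass
		if o.Amount <= 0 { return errors.New("output amount must be positive") }
		out += o.Amount
	}
	if len(tx.Inputs) == 0 || out > in {
		return fmt.Errorf("no inputs, or outputs (%d) exceed inputs (%d)", out, in)
	}
	for _, i := range tx.Inputs { delete(l, i.Prev) }
	for k, o := range tx.Outputs { l[Outpoint{tx.ID(), k}] = o }
	return nil
}

// DoubleSpendDemo: Alice pays Bob (with change), then offers the same outpoint to Chuck.
func DoubleSpendDemo() (toBobErr, toChuckErr error) {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	alice, bob, chuck := key(), key(), key()
	coin := Outpoint{"constructed-reward-tx", 0} // minted by fiat here, standing in for a block reward
	l := Ledger{coin: {50, AddressOf(&alice.PublicKey)}}
	toBob := &Transaction{Inputs: []Input{{Prev: coin}},
		Outputs: []Output{{30, AddressOf(&bob.PublicKey)}, {20, AddressOf(&alice.PublicKey)}}}
	toChuck := &Transaction{Inputs: []Input{{Prev: coin}}, Outputs: []Output{{50, AddressOf(&chuck.PublicKey)}}}
	Sign(alice, toBob)
	Sign(alice, toChuck)
	return l.Apply(toBob), l.Apply(toChuck)
}

func main() { fmt.Println(DoubleSpendDemo()) }
```

Both of Alice's statements carry perfectly good signatures; the second one fails only because the log has already consumed the outpoint. That is the point of Scrooge's single global order: the validity of a spend depends on history, not just on the signature, so whoever sees the log can reject the later claim.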

Page 22:

Who is Scrooge McDuck?

Page 23:

Strawman #2: ScroogeCoin

[NBFMG15]

Scrooge loves money, but deep down he is a good guy. We can trust him to build and publish the block chain. ?

Page 24:

[NBFMG15]

Strawman #2: ScroogeCoin

Page 25:

[NBFMG15]

Page 26:

What if Scrooge goes rogue?

• How much damage can Scrooge do?

• Can we decentralize the functions assigned to Scrooge?

• Can we reach decentralized consensus about transaction order securely?

• Can we create coin in a decentralized way that everyone can agree is valid?

"ScroogeFirst" by Apparent scan made by the original uploader User:Wikipedical.. Licensed under Fair use via Wikipedia - https://en.wikipedia.org/wiki/File:ScroogeFirst.jpg#/media/File:ScroogeFirst.jpg

Page 27:

The problem here is centralization. Although Scrooge is happy with this system, we, as users of it, might not be. While ScroogeCoin may seem like an unrealistic proposal, much of the early research on cryptosystems assumed there would indeed be some central trusted authority, typically referred to as a bank. After all, most real-world currencies do have a trusted issuer (typically a government mint) responsible for creating currency and determining which notes are valid. However, cryptocurrencies with a central authority largely failed to take off in practice. There are many reasons for this, but in hindsight it appears that it’s difficult to get people to accept a cryptocurrency with a centralized authority. [NBFMG15]

Strawman #2: ScroogeCoin

Page 28:

Decentralized currency?

• Bitcoin works similarly to ScroogeCoin, but without Scrooge.

– Bitcoin nodes cooperate to build the block chain without any central trusted authority.

– They agree on history (the contents of the block chain) by checking up on one another and (in essence) voting on it.

• This is a real-world example of a difficult distributed systems problem: consensus.

– It is particularly difficult if there are attackers or participants who may lie, cheat, and steal: “Byzantine” consensus.

• The Bitcoin solution is innovative and works well (so far).

– Interesting features: proof-of-work puzzle for weighted random leader selection, financial incentives for faithful behavior.

Page 29:

[NBFMG15]

Bitcoin: “Nakamoto consensus”

Page 30:

bitcoinminer.net

Miners

• Miners are nodes that hear transactions, validate them, group them into blocks, and add them to the block chain.

• They create/earn a bitcoin reward for each block published (“mined”).

• A miner must invest a large amount of compute power to solve a puzzle in order to find and publish a block.

– Miners race to solve the puzzle and obtain the reward: probabilistic proof of work

• The reward is valid and spendable only if other nodes accept the published block.

– Miners have an incentive to act faithfully and validate all transactions properly, so that other nodes “vote” to accept the block.

coincube.net

Page 31:

Proof of work

Image: http://www.ybrikman.com/writing/2014/04/24/bitcoin-by-analogy/

In Bitcoin, each block in the chain hashes to a value with a zero prefix. The creator of the block must find a number to add to the block to generate a conforming hash. By presenting such a block, the creator proves that it has invested a great deal of computational power to produce the block.

Page 32:

http://spectrum.ieee.org/img/06Bitcoin-1338412974774.jpg

The miner’s puzzle

• The miner computes a secure hash over the block, and includes the hash in the block.

• The puzzle: the miner must find a nonce value to include in the block, such that the block’s hash has a prefix of N zero digits.

– N grows with time as computers get faster.

– probabilistic proof of work

• Finding a nonce such that the first hash bit is zero is like flipping a coin: the odds are 50% for any random trial.

– Each added zero bit reduces the odds by a factor of 2.

• A miner’s win probability is proportional to its compute power. In this way, the next miner to publish is selected “randomly”.

Page 33:

Forks in the block chain?

Anybody can be a miner. Anybody can produce a block, add it to the chain, and broadcast it.

Other peers check each block and “vote” on it. If block A is posted “too late” (e.g., block B is added first), or if block A is invalid, then other miners ignore it and build the chain in another direction. The longest chain wins.

When a miner links to a block B, it accepts B as the head of the valid chain. If others disagree, then the miner’s block is worthless… so miners have an incentive to get it right!

In this way Bitcoin achieves consensus on the block chain and the global history of transactions.
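The miner's puzzle of pages 31 and 32 and the longest-chain rule of page 33, as one added Go example (not code from the slides). The puzzle is "find a nonce so the SHA-256 of the block has at least N leading zero bits"; the chain rule counts only blocks whose proof of work checks out, so a longer branch resting on a block that skipped the puzzle loses. The block contents, branch names and difficulty N=12 are constructed for the demo, and the two-field header is an assumption, not Bitcoin's real header layout:

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Block is a minimal header: the hash of the block it builds on (all zero for genesis),
// a stand-in for the transactions, the required leading zero bits N, and the nonce.
type Block struct {
	Prev  [32]byte
	Data  string
	Bits  uint
	Nonce uint64
}

func (b *Block) Hash() [32]byte {
	var nonce [8]byte
	binary.LittleEndian.PutUint64(nonce[:], b.Nonce)
	buf := append(append(append([]byte{}, b.Prev[:]...), b.Data...), nonce[:]...)
	return sha256.Sum256(buf)
}

// LeadingZeroBits counts the zero bits at the front of a hash.
func LeadingZeroBits(h [32]byte) uint {
	var n uint
	for _, c := range h {
		if c != 0 {
			return n + uint(bits.LeadingZeros8(c))
		}
		n += 8
	}
	return n
}

// Valid is the cheap check every peer runs on a published block.
func (b *Block) Valid() bool { return LeadingZeroBits(b.Hash()) >= b.Bits }

// Mine is the expensive side: try nonces until Valid holds, returning the number
// of trials. Each zero bit halves the odds per trial, so expect about 2^Bits.
func Mine(b *Block) uint64 {
	for b.Nonce = 0; !b.Valid(); b.Nonce++ {
	}
	return b.Nonce + 1
}

// ChainLength follows Prev links from head back to genesis and counts blocks. A link to
// an unknown block, or to one that fails its proof of work, makes the whole chain worthless.
func ChainLength(blocks map[[32]byte]*Block, head [32]byte) int {
	n := 0
	for head != ([32]byte{}) {
		b, ok := blocks[head]
		if !ok || !b.Valid() { return 0 }
		n, head = n+1, b.Prev
	}
	return n
}

// LongestChain applies "the longest valid chain wins" to the candidate heads.
func LongestChain(blocks map[[32]byte]*Block, heads [][32]byte) (best [32]byte, length int) {
	for _, h := range heads {
		if l := ChainLength(blocks, h); l > length { best, length = h, l }
	}
	return best, length
}

// ForkDemo builds three branches on one genesis block (constructed data): A has one mined
// block, B two, and C is longest but rests on a block whose creator skipped the puzzle.
func ForkDemo() (string, int) {
	blocks := map[[32]byte]*Block{}
	add := func(prev [32]byte, data string, doWork bool) [32]byte {
		b := &Block{Prev: prev, Data: data, Bits: 12}
		if doWork {
			Mine(b)
		}
		for !doWork && b.Valid() { // a skipped puzzle must really be unsolved
			b.Nonce++
		}
		blocks[b.Hash()] = b
		return b.Hash()
	}
	genesis := add([32]byte{}, "genesis", true)
	a1 := add(genesis, "A1", true)
	b2 := add(add(genesis, "B1", true), "B2", true)
	c3 := add(add(add(genesis, "C1", false), "C2", true), "C3", true)
	head, n := LongestChain(blocks, [][32]byte{a1, b2, c3})
	if n == 0 { return "", 0 }
	return blocks[head].Data, n
}

func main() {
	b := &Block{Data: "constructed block", Bits: 16}
	tries := Mine(b)
	fmt.Printf("N=%d: %d trials, hash %x\n", b.Bits, tries, b.Hash())
	fmt.Println(ForkDemo())
}
```

Raising Bits by one doubles the expected trial count for Mine while Valid stays a single hash, which is the asymmetry the slide calls probabilistic proof of work. ChainLength returning 0 for branch C is the "worthless block" incentive: work spent on top of an invalid block is wasted, so a rational miner checks before linking.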

Page 34:

Some details

• A participant requests a transaction by broadcasting it to random other nodes, who pass it along by gossip.

• Eventually the miners hear the request and include it in their blocks (if the request is valid).

• The miners publish their blocks in the same way.

• Transmission is similar to “anti-entropy” or “gossip”.

– Nodes exchange hashes for objects they have seen: the recipient requests/forwards the data if it has not seen it before.

• Some nodes (including other miners) check the blocks issued by the miners.

• A transaction can be considered to be cleared when it appears in the global blockchain.
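The hash-exchange relay described above, as an added Go simulation (not code from the slides or from any Bitcoin client). Peers announce only an object's hash; a recipient that has not seen it pulls the full object and re-announces it, while one that has seen it drops the message. The topology (each node peers with its +1 and +3 neighbours) and the transaction bytes are constructed, and the two message kinds are an assumption that mirrors, but does not reproduce, Bitcoin's inv/getdata exchange:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Node keeps a short peer list and the objects (blocks, transactions) it has
// already seen, keyed by hash.
type Node struct {
	ID      int
	Peers   []*Node
	Objects map[string][]byte
}

// Network counts the two message kinds of the relay: hash announcements
// ("I have X") and full-object transfers ("send me X").
type Network struct {
	Nodes                    []*Node
	Announcements, Transfers int
}

// NewNetwork builds a constructed topology for n >= 4 nodes: node i peers with
// i+1 and i+3 (mod n) in both directions, so every node has about four peers.
func NewNetwork(n int) *Network {
	net := &Network{}
	for i := 0; i < n; i++ {
		net.Nodes = append(net.Nodes, &Node{ID: i, Objects: map[string][]byte{}})
	}
	for i, a := range net.Nodes {
		for _, d := range []int{1, 3} {
			b := net.Nodes[(i+d)%n]
			a.Peers = append(a.Peers, b)
			b.Peers = append(b.Peers, a)
		}
	}
	return net
}

// Announce delivers a hash from one peer to another. A recipient that has seen
// the object drops the message; otherwise it pulls the object and re-announces
// it to its own peers. The seen-set is what lets "everyone hear about everything"
// without every node re-sending every object to every peer forever.
func (net *Network) Announce(from, to *Node, hash string) {
	net.Announcements++
	if _, seen := to.Objects[hash]; seen {
		return
	}
	net.Transfers++
	to.Objects[hash] = from.Objects[hash]
	for _, p := range to.Peers {
		if p != from {
			net.Announce(to, p, hash)
		}
	}
}

// Broadcast injects an object at origin and returns its hash.
func (net *Network) Broadcast(origin *Node, data []byte) string {
	sum := sha256.Sum256(data)
	hash := hex.EncodeToString(sum[:])
	origin.Objects[hash] = data
	for _, p := range origin.Peers {
		net.Announce(origin, p, hash)
	}
	return hash
}

// GossipDemo broadcasts one constructed transaction across n nodes and reports how
// many nodes ended up holding it and what the relay cost in messages.
func GossipDemo(n int) (reached, transfers, announcements int) {
	net := NewNetwork(n)
	hash := net.Broadcast(net.Nodes[0], []byte("constructed tx: Alice -> Bob, 30"))
	for _, node := range net.Nodes {
		if _, ok := node.Objects[hash]; ok {
			reached++
		}
	}
	return reached, net.Transfers, net.Announcements
}

func main() { fmt.Println(GossipDemo(50)) }
```

Every node receives the object exactly once (n-1 transfers for n nodes) no matter how many peers announce it, because the check is on the hash rather than on who sent it. Announcements exceed transfers, and that surplus is the price of redundancy: the duplicate hashes are cheap, and they are what keeps a block or transaction from getting stuck if one peer is slow or silent.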

Page 35:

https://www.cryptocoinsnews.com/bitcoin-transaction-malleability/

Page 36:

[NBFMG15]

Double-spending revisited

Page 37:

[NBFMG15]

Double-spending revisited

Page 38:

Why does consensus work?

Majority compliance is an equilibrium with perfect information. Kroll et al. [64] analyzed a simplified model in which miners have perfect information about all discovered blocks (precluding any withholding). In this model, universal compliance is a Nash Equilibrium (although not unique), implying that Bitcoin is (weakly) stable.

Stability is not known as mining rewards decline. All of these results have used a simplified model in which each block carries a constant, fixed reward fee. The planned transition of miner revenue from block rewards to transaction fees will negate this assumption …

Page 39:

In practice, the GHash.IO mining pool exceeded 50% of the network’s … capacity for an extended period in July 2014 and publicly promised to limit their capacity in the future in order to avoid damaging confidence in the system.

With a majority miner, stability is not guaranteed.

It is well known that a single non-compliant miner which controls a majority of computational power could undermine fairness by collecting all of the mining rewards, simply by ignoring blocks found by others and building their own chain which by assumption will grow to become the longest chain. The majority miner could separately choose to undermine liveness by arbitrarily censoring transactions by refusing to include them and forking if they appear in any other block. Finally, the majority miner could undermine both convergence and eventual consensus by introducing arbitrarily long forks in the block chain, potentially to reverse and double-spend transactions for profit.

How fragile is consensus?

Page 40:

How to upgrade the protocol?

• What happens if we roll out a new version of software with new features, and some nodes don’t upgrade?

• Will nodes running the new software “play nice” with nodes running the old software?

• These can result in a consensus breakdown: a “fork” in the block chain, with diverging branches.

– Fork: different subsets of nodes consider different branches of the block chain to be valid.

– Hard fork. The new software enables a behavior that the old software considers invalid.

– Soft fork. The new software restricts behavior that the old software considers valid.
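The hard-fork and soft-fork definitions above, turned into an executable check as an added Go example (not code from the slides). The validation rules compare block size against a limit, which is a constructed stand-in for whatever a real rule change would inspect; the 1000/2000/500 limits and the sample sizes are assumptions. The point is the direction of the change: a rule that accepts something the old software rejects splits old nodes off, while a rule that only tightens keeps old nodes following the new chain:

```go
package main

import "fmt"

// Block carries the one property the constructed rules check: its size in units.
type Block struct{ Size int }

// Rule is the validation predicate one version of the software applies to a block.
type Rule func(Block) bool

// OldRule stands for the deployed software: blocks up to 1000 units (an assumed limit).
func OldRule(b Block) bool { return b.Size > 0 && b.Size <= 1000 }

// RaiseLimit is a hard-fork change: it accepts blocks the old software rejects.
func RaiseLimit(b Block) bool { return b.Size > 0 && b.Size <= 2000 }

// LowerLimit is a soft-fork change: everything it accepts, the old software accepts too.
func LowerLimit(b Block) bool { return b.Size > 0 && b.Size <= 500 }

// Samples are constructed blocks spanning the interesting sizes.
var Samples = []Block{{100}, {700}, {1500}, {3000}}

// Classify runs both rules over the samples and names the kind of change by the
// slide's definitions: new-valid but old-invalid means old nodes will reject the
// new chain (hard fork); old-valid but new-invalid means new nodes merely tighten
// what they accept (soft fork). A change that does both is still a hard fork.
func Classify(oldRule, newRule Rule, samples []Block) string {
	newOnly, oldOnly := false, false
	for _, b := range samples {
		newOnly = newOnly || (newRule(b) && !oldRule(b))
		oldOnly = oldOnly || (oldRule(b) && !newRule(b))
	}
	switch {
	case newOnly:
		return "hard fork"
	case oldOnly:
		return "soft fork"
	default:
		return "compatible"
	}
}

func main() {
	fmt.Println("raise limit:", Classify(OldRule, RaiseLimit, Samples))
	fmt.Println("lower limit:", Classify(OldRule, LowerLimit, Samples))
}
```

Classify is only as good as its samples: it needs at least one block that sits between the two limits, which is why 700 and 1500 are in the list. Reviewing a proposed rule change the same way, by asking which side of the old rule the newly accepted or newly rejected blocks fall on, is how one tells in advance whether un-upgraded nodes will stay on the chain.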

Page 41:

Case 1: Hard fork

• If the old nodes consider the main branch to be invalid, then they will ignore it and build their own block chain.

– Old nodes are ultimately cut out of the system.

• How to ensure that new nodes also ignore the “old” block chain candidates?

[NBFMG15]

Page 42:

Case 2: Soft fork

• Soft forks introduce stricter validation rules.

• Example: pay-to-script-hash

– Looks like a valid pay-to-address transaction, but requires an extra validation step to check that the correct redeem script is used to validate the transaction. (I think)

• Need a majority to switch, so the new rules are enforced.
