Bitcoin Tutorial - College of Computing & Informatics
TRANSCRIPT
Bitcoin Tutorial
Based on a talk by Joseph Bonneau
Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten
CS 475 May 26, 2015
Bitcoin has many different parts!
Part I: Bitcoin in 6 easy steps
Double spending: why ecash is hard
Alice receives coin X from Z: SignZ(Transfer X to A). She then signs two transfers of the same coin, SignA(Transfer X to B) to Bob and SignA(Transfer X to C) to Charlie. Bob and Charlie each ask the BANK: "Redeem X?"
Step 1: Make the bank a global log
The bank publishes an ordered, signed log of every transfer (the block chain). Each block, e.g. [... SignA(Transfer X to B) ...], carries SignatureBANK, so a later SignA(Transfer X to C) is visibly a double spend.
Step 2: Participants vote on blocks
Replace the bank's signature with signatures from participants: each block carries SignatureA SignatureB SignatureC ... (or SignatureA SignatureB SignatureD ...).
Step 3: A random user picks
For each block a randomly chosen user assembles and signs it: block N-2 is signed by B, block N-1 by A, and block N (containing SignA(Transfer X to C)) by C.
Step 4: Resolve conflicts by forking
Two users can publish competing blocks on top of A's block: one containing SignA(Transfer X to B) (signed by B) and one containing SignA(Transfer X to C) (signed by C, then extended by D and E). The chain forks.
Step 5: Incentivise correct blocks
Each block includes a minting transaction that pays its creator: Mint(X, A), Mint(X, B), Mint(X, C), Mint(X, D), Mint(X, E). A block that ends up off the accepted chain earns nothing.
Step 6: Choose by hash power!
Instead of a random user, the right to mint (Mint(X, A), Mint(X, B), Mint(X, C)) goes to whoever first finds a nonce n whose hash has enough leading zeros:
SHA-256(BlockN-1, n) = 0x00000000000000003f89...
SHA-256(BlockN-1, n) = 0x00000000000000008c71...
Mining difficulty
Preventing double spending
Competing forks: one contains SignA(Transfer X to B), the other SignA(Transfer X to C).
Longest chain wins
Transaction confirmation (~6 blocks)
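Added example (not from the talk, and not Bitcoin's code): a toy proof-of-work chain that puts Step 6, "longest chain wins" and the ~6-block confirmation count into runnable form, together with Bitcoin's actual difficulty retarget rule. Assumptions: a block is a dict of nonce, payload and hash; the work function is the slide's SHA-256(BlockN-1, n) over the previous hash and the nonce; the toy target is vastly easier than Bitcoin's so it mines in well under a second; the constructed scenario is Alice's two spends landing on competing forks.

```python
# Added example, not from the talk: toy proof of work, longest-chain selection
# and Bitcoin's retarget rule. Assumptions: dict blocks, a toy target far easier
# than Bitcoin's, and a constructed double-spend scenario.
import hashlib

MAX_TARGET = 0xFFFF << 208   # Bitcoin's difficulty-1 target (nBits 0x1d00ffff)
RETARGET_BLOCKS = 2016       # retarget interval: 2016 blocks, nominally two weeks
BLOCK_SPACING = 600          # target spacing: ten minutes


def block_hash(prev_hash, nonce, payload):
    """SHA-256(BlockN-1, n): bind the nonce to the previous block and this block's content."""
    return hashlib.sha256(prev_hash + nonce.to_bytes(8, "big") + payload).digest()


def meets_target(h, target):
    return int.from_bytes(h, "big") <= target


def mine_block(prev_hash, payload, target):
    """Grind nonces until the hash falls under the target; the hash is the block id."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, nonce, payload)
        if meets_target(h, target):
            return {"nonce": nonce, "payload": payload, "hash": h}
        nonce += 1


def validate_chain(chain, target):
    """Re-derive every hash: editing any payload breaks the link and the proof of work."""
    prev = b"\x00" * 32
    for blk in chain:
        h = block_hash(prev, blk["nonce"], blk["payload"])
        if h != blk["hash"] or not meets_target(h, target):
            return False
        prev = h
    return True


def pick_chain(chains, target):
    """Longest chain wins: among valid chains, the one with the most blocks (single target)."""
    valid = [c for c in chains if validate_chain(c, target)]
    return max(valid, key=len) if valid else None


def retarget(old_target, actual_seconds):
    """Bitcoin's rule: every 2016 blocks scale the target by actual/expected time, clamped
    to a factor of four either way and never above MAX_TARGET (larger target = easier)."""
    expected = RETARGET_BLOCKS * BLOCK_SPACING
    actual = min(max(actual_seconds, expected // 4), expected * 4)
    return min(old_target * actual // expected, MAX_TARGET)


def double_spend_demo(bits=14):
    """Constructed scenario: Alice's two spends sit on competing forks; the fork the rest
    of the network extends wins, and rewriting the loser without re-mining is detected."""
    target = 2 ** (256 - bits) - 1            # ~2^14 hashes per block: fine for pure Python
    genesis = mine_block(b"\x00" * 32, b"genesis", target)
    fork_b = [genesis, mine_block(genesis["hash"], b"SignA(Transfer X to B)", target)]
    fork_c = [genesis, mine_block(genesis["hash"], b"SignA(Transfer X to C)", target)]
    fork_b.append(mine_block(fork_b[-1]["hash"], b"next block", target))  # majority builds here
    winner = pick_chain([fork_b, fork_c], target)
    tampered = [dict(b) for b in fork_c]
    tampered[1]["payload"] = b"SignA(Transfer X to B)"   # edit a payload without re-mining
    return {
        "confirmed": winner[1]["payload"].decode(),
        "confirmations": len(winner) - 1,                 # the including block counts as one
        "tampered_valid": validate_chain(tampered, target),
        "next_target_if_twice_as_fast": retarget(MAX_TARGET, RETARGET_BLOCKS * BLOCK_SPACING // 2),
    }
```

With every fork mined at the same target, "most blocks" and "most work" coincide; real clients compare accumulated work, which matters once the target changes across a retarget boundary.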
Real time bitcoin http://www.blockchain.info
Bitcoin is transaction-based
Each transaction spends earlier outputs (IN: scriptSig ...) and creates new ones (OUT: scriptPub, amount):
  Tx 1: IN: scriptSig ... ; OUT: scriptPub A, 5.9
  Tx 2: IN: scriptSig A (spends Tx 1) ; OUT: scriptPub B, 5.0 ; scriptPub A, 0.9 (change)
  Tx 3: IN: scriptSig A, scriptSig A ; OUT: scriptPub C, 10.0
  Tx 4: IN: scriptSig ... ; OUT: scriptPub A, 9.2
Bitcoin transactions specify scripts
scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
scriptSig: <sig> <pubKey>
Redemption script: <sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
Stack execution: push <sig>, push <pubKey>; OP_DUP copies <pubKey>; OP_HASH160 hashes the copy to <pubKeyHash?>; OP_EQUALVERIFY pops it together with <pubKeyHash> and aborts unless they match; OP_CHECKSIG verifies <sig> against <pubKey> (✓) and leaves true on the stack.
Bitcoin script features ● multiple signatures ● escrow ● time locking ● commitment opening ... ● smart contracts?
Part II: Mining & Consensus
51% attacks
Goldfinger Attack?
Checkpointing
How decentralized is Bitcoin?
Selfish mining
Observation: for 0.33 < x < 0.5, a fraction x of selfish miners can earn greater than a fraction x of rewards
Secret block: the selfish pool withholds the blocks it finds and releases them to orphan honest blocks
Majority is not enough: Bitcoin mining is vulnerable. Ittay Eyal and Emin Gün Sirer, Financial Crypto 2014
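Added example (not the authors' code): a Monte Carlo run of the selfish-mining strategy from Eyal and Sirer's paper, placed next to the paper's closed-form revenue and threshold formulas so the two can be compared. Here alpha is the selfish pool's share of hash power and gamma the fraction of honest hash power that builds on the pool's block when it publishes to force a tie; rounds, seed and the sampled shares are constructed for the demonstration.

```python
# Added example, not the paper's code: simulate the selfish-mining state machine and
# compare against the closed-form revenue from "Majority is not enough". Assumptions:
# constructed round count, seed and sample shares; gamma defaults to 0 (worst case for the pool).
import random


def selfish_revenue(alpha, gamma):
    """Closed-form share of main-chain blocks the selfish pool earns (Eyal & Sirer, R_pool)."""
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def selfish_threshold(gamma):
    """Hash share above which selfish mining beats honest mining: (1 - gamma) / (3 - 2 gamma)."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate_selfish(alpha, gamma=0.0, rounds=400_000, seed=2014):
    """Run the strategy's state machine. 'lead' is the pool's private lead over the public
    chain; 'tie' is the state where one pool block and one honest block compete publicly.
    Only blocks that are certain to stay in the main chain are credited."""
    rng = random.Random(seed)
    lead, tie = 0, False
    pool, honest = 0, 0
    for _ in range(rounds):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                 # pool extends its branch: both its blocks stick
                pool += 2
            elif rng.random() < gamma:     # honest block lands on the pool's branch
                pool += 1
                honest += 1
            else:                          # honest block lands on the honest branch
                honest += 2
            tie = False
        elif pool_found:
            lead += 1                      # keep the new block secret
        elif lead == 0:
            honest += 1                    # nothing withheld: the honest block sticks
        elif lead == 1:
            lead, tie = 0, True            # publish the secret block to force a tie
        elif lead == 2:
            pool += 2                      # publish both: the honest block is orphaned
            lead = 0
        else:
            pool += 1                      # publish the oldest secret block; lead shrinks by one
            lead -= 1
    return pool / (pool + honest)


def revenue_table(gamma=0.0, shares=(0.25, 0.30, 0.35, 0.40, 0.45)):
    """(alpha, closed-form revenue, simulated revenue); an honest miner would earn alpha."""
    return [(a, selfish_revenue(a, gamma), simulate_selfish(a, gamma)) for a in shares]
```

With gamma = 0 the break-even point is a one-third share; a pool with 40 percent of the hash power collects roughly 48 percent of the blocks, which is the "majority is not enough" result in numbers. Raising gamma (honest miners preferring the pool's block in ties) lowers the threshold further.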
Mining difficulty
bitcoinwisdom.com
Difficulty adjustment
bitcoinwisdom.com
Target block interval: 10 minutes; difficulty retargeted every 2 weeks (2016 blocks)
Mining rewards
Courtesy: Brian Warner
Total network capacity
● 2^64 hashes per block (every 10 minutes!)
● 2^75 hashes in 2013
  o in exchange for ~US$250M
● consuming > 100 MW
Bitcoin mining hardware
Should I mine bitcoins?
Chilkoot pass, Klondike 1898
Mining pools
The block reward goes to the pool's key: Mint(25, K_POOL). Members prove their work by submitting shares, hashes that clear a much easier pool target (0x00000000000007313f89..., 0x000000000000490c6b00..., 0x0000000000001e8709ce..., 0x00000000000045a1611f..., 0x000000000000a877902e...). Occasionally a share also clears the real target (0x00000000000000003f89...) and becomes a block, and the pool splits the reward in proportion to shares.
Part III: Bitcoin as a currency
Why does Bitcoin have value? Consensus ● Consensus in state (blockchain) ● Consensus in payment ● Consensus in rules
The Economics of Bitcoin Mining, or Bitcoin in the Presence of Adversaries Joshua Kroll, Ian Davey, Ed Felten. WEIS 2013
Price during 2013
Price during 2013-2015
Black Markets
Silk Road: US$14M in revenue in 2012 [Christin 2012]. Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace. Nicolas Christin, WWW 2013
Capital controls
E-commerce
Bitcoin exchanges
Beware the middleman: Empirical analysis of Bitcoin-exchange risk. Tyler Moore and Nicolas Christin, Financial Crypto 2013
Bitcoin ATMs
Bitcoin meetups
Part IV: Neat applications
Green Addresses (speeding up payments)
Normal payment: A holds 10.0 (IN: scriptSig ... ; OUT: scriptPub A, 10.0) and pays O: IN: scriptSig A ; OUT: scriptPub O, 1.0 ; scriptPub A, 9.0. O has to wait for ~6 confirmations (x 6) before trusting it.
Green address: the coins come from G, a trusted party (IN: scriptSig ... ; OUT: scriptPub G, 10.0) who declares "I promise to never double-spend!". The payment IN: scriptSig A ; OUT: scriptPub O, 1.0 ; scriptPub A, 9.0 can then be accepted on G's reputation instead of on confirmations.
Sequential micropayments
Funding: IN: scriptSig ... ; OUT: scriptPub G, 10.0 ("I promise to never double-spend!")
A then signs a sequence of transactions, each paying O a little more and returning the rest to A:
  IN: scriptSig A ; OUT: scriptPub O, 0.1 ; scriptPub A, 9.9
  IN: scriptSig A ; OUT: scriptPub O, 0.2 ; scriptPub A, 9.8
  IN: scriptSig A ; OUT: scriptPub O, 0.3 ; scriptPub A, 9.7
  IN: scriptSig A ; OUT: scriptPub O, 0.4 ; scriptPub A, 9.6
Each transaction supersedes the previous one, so only the latest needs to reach the block chain.
Secure commitments (timestamping)
Hash the data and place the hash in a transaction: the block chain then proves the data existed at that time.
CommitCoin: carbon dating commitments with Bitcoin. Jeremy Clark, Aleksander Essex. Financial Crypto 2012
Randomness Beacon
Hash = the block hash, used as a public source of randomness
Part V: Anonymity
Tracing Bitcoin transactions
  Tx 1: IN: scriptSig A1, scriptSig A2 ; OUT: scriptPub A3, 5.9
  Tx 2: IN: scriptSig A3 ; OUT: scriptPub B, 5.0 ; scriptPub A4, 0.9
Joint control: A1 and A2 were spent together, so they are probably held by one owner.
Change addresses: the 0.9 returned to the fresh address A4 is probably change back to the spender.
Building the transaction graph
A Fistful of Bitcoins: Characterizing Payments Among Men with No Names. Sarah Meiklejohn et al., IMC 2013
Bitcoins carry a transaction history
Towards Risk Scoring of Bitcoin Transactions. Malte Möser, Rainer Böhme, Dominic Breuker, BITCOIN 2013
● identification ● censorship ● recovery from theft ● economic analysis
Mixes
Mixes today
Caution: Mixing services may themselves be operating with anonymity. As such, if the mixing output fails to be delivered or access to funds is denied there is no recourse. Use at your own discretion.
-The Bitcoin Wiki
An inquiry into money laundering tools in the Bitcoin ecosystem. Malte Möser, Rainer Böhme, Dominic Breuker, eCrime 2013
Better mixes with warranties
Client: "If I send you v bitcoins by time t_in, will you send v to my address k_out by time t_out?"
Mix: "Sure! Just send your coins to k_esc." and signs the warranty Sign(v, t_in, t_out, k_out, k_esc)
If v ➡ k_esc by t_in, but not v ➡ k_out by t_out, the client publishes the warranty
Anyone can verify cheating
(Ideally) no one trusts anymore
Mixcoin: Anonymity for Bitcoin with accountable mixes. J. Bonneau, A. Narayanan, A. Miller, J. Clark, J. Kroll, E. Felten. Financial Crypto 2014
CoinJoin
Several users co-sign one transaction: IN: scriptSig P, scriptSig M, scriptSig S ; OUT: scriptPub P', 1.0 ; scriptPub M', 1.0 ; scriptPub S', 1.0. With equal-valued outputs an observer cannot tell which input paid which output.
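Added example (not code from Meiklejohn et al. or any CoinJoin implementation): address clustering over a constructed ledger shaped like the tracing slide, using the two heuristics named there (joint control of inputs, one-time change addresses), and a CoinJoin-shaped transaction like the one above to show how it fools the joint-control heuristic. The transaction format, the sample addresses and amounts, and the CoinJoin-shape filter are all assumptions made for the demonstration.

```python
# Added example: transaction-graph clustering with the joint-control and change-address
# heuristics, plus a CoinJoin-shape filter. Not code from the cited paper. The ledger,
# addresses, amounts and the CoinJoin filter are constructed assumptions.
from collections import Counter


class UnionFind:
    """Disjoint sets of addresses: each set is one presumed owner."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def cluster(self, a):
        root = self.find(a)
        return frozenset(x for x in self.parent if self.find(x) == root)


def looks_like_coinjoin(tx, min_parties=3):
    """Assumption: >= 3 inputs and >= 3 outputs of one identical amount marks a CoinJoin."""
    amounts = Counter(amt for _, amt in tx["outputs"])
    return len(tx["inputs"]) >= min_parties and max(amounts.values()) >= min_parties


def change_output(tx, seen):
    """One-time change heuristic: exactly one output address is brand new and no output
    pays back to an input address; that fresh output is taken to be the sender's change."""
    if len(tx["outputs"]) < 2 or any(a in tx["inputs"] for a, _ in tx["outputs"]):
        return None
    fresh = {a for a, _ in tx["outputs"] if a not in seen}
    return next(iter(fresh)) if len(fresh) == 1 else None


def cluster_addresses(txs, skip_coinjoin=True):
    """Walk the ledger in order and merge addresses believed to share an owner."""
    uf, seen = UnionFind(), set()
    for tx in txs:
        for a in tx["inputs"] + [a for a, _ in tx["outputs"]]:
            uf.find(a)                                      # register every address
        if not (skip_coinjoin and looks_like_coinjoin(tx)):
            first = tx["inputs"][0]
            for a in tx["inputs"][1:]:
                uf.union(first, a)                          # joint control of inputs
            change = change_output(tx, seen)
            if change is not None:
                uf.union(first, change)                     # change returns to the spender
        seen.update(tx["inputs"])
        seen.update(a for a, _ in tx["outputs"])
    return uf


# Constructed ledger, amounts in BTC. A1..A4 follow the tracing slide: A1 and A2 are spent
# together into A3, then A3 pays B with 0.9 of change to the fresh address A4.
SAMPLE_TXS = [
    {"inputs": ["Z"], "outputs": [("A1", 3.0), ("A1", 0.5), ("A2", 3.0), ("B", 0.2)]},
    {"inputs": ["A1", "A2"], "outputs": [("A3", 5.9)]},
    {"inputs": ["A3"], "outputs": [("B", 5.0), ("A4", 0.9)]},
    {"inputs": ["A4", "A1"], "outputs": [("C", 1.2), ("A5", 0.2)]},
    {"inputs": ["P", "M", "S"], "outputs": [("P'", 1.0), ("M'", 1.0), ("S'", 1.0)]},  # CoinJoin
]


def demo():
    naive = cluster_addresses(SAMPLE_TXS, skip_coinjoin=False)
    aware = cluster_addresses(SAMPLE_TXS)
    return {
        "alice": aware.cluster("A1"),
        "coinjoin_naive": naive.cluster("P"),
        "coinjoin_aware": aware.cluster("P"),
    }
```

The naive pass links P, M and S as one owner because they signed one transaction, which is exactly the false positive CoinJoin is designed to create; the shape filter avoids it at the cost of also skipping legitimate multi-party transactions that happen to look the same.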
Zerocoin: Bitcoin → Zerocoin → Bitcoin
CRYPTO! Zerocoin: Anonymous distributed e-cash from bitcoin. Ian Miers, Christina Garman, Matthew Green, Avi Rubin. IEEE Oakland 2013
Zerocash
“Cryptocurrencies are just a gateway drug to SNARKS”
Zerocash: Decentralized Anonymous Payments from Bitcoin. E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, M. Virza. IEEE Oakland 2014
Part VI: Extensions & Altcoins
Types of changes to Bitcoin, by deployment difficulty (easy to hard):
● overlay ● soft fork ● hard fork ● alternate chain ● alternate systems
Overlays
Soft fork changes
● Pay-to-script-hash ● Pay-to-SNARK (CoinWitness) ● ECDSA-P256 replacements ● Zerocoin
Hard fork changes
● Change block size ● Change block frequency ● Various bug fixes ● Restructuring the chain
Altcoins (Bitcoin-like chain)
Other altcoins
Bitcoin limitations
● ~7 transactions per second
  o Visa: ~10k tps (peak)
● 2^48 currency units
  o ~32k per person on earth
● 0.0001 BTC transaction fees typical
  o ~$0.40 US
● ~60 minutes confirmation delay
A reserve currency?
Questions