Bitcoin Tutorial

Based on a talk by Joseph Bonneau

Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten

CS 475 May 26, 2015

Bitcoin has many different parts!

Part I: Bitcoin in 6 easy steps

Double spending: why ecash is hard

BANK Alice

Bob SignA(Transfer X to B)

Charlie SignA(Transfer X to C)

SignZ(Transfer X to A)

Redeem X?

Redeem X?

Step 1: Make the bank a global log

SignA(Transfer X to C)

... SignA(Transfer X to B)

...

SignA(Transfer X to C)

(the block chain)

SignatureBANK

SignatureBANK

SignatureBANK

SignatureBANK

Step 2: Participants vote on blocks

SignatureA SignatureB SignatureC ...

SignatureA SignatureB SignatureC ...

SignatureA SignatureB SignatureD ...

Step 3: A random user picks

N-2

N-1

SignA(Transfer X to C)

SignatureB

SignatureA

N SignatureC

N

C

Step 4: Resolve conflicts by forking

SignA(Transfer X to B) SignatureB

SignatureA

SignA(Transfer X to C) SignatureC SignatureD

SignatureE

Step 5: Incentivise correct blocks

SignatureB

SignatureA

SignatureC SignatureD

SignatureE

Mint(X, A)

Mint(X, B)

Mint(X, D)

Mint(X, E)

Mint(X, C)

Step 6: Choose by hash power!

Mint(X, A)

Mint(X, B)

Mint(X, C)

SHA-256(BlockN-1, n) = 0x00000000000000003f89...

SHA-256(BlockN-1, n) = 0x00000000000000008c71...

Mining difficulty

Mining difficulty

Preventing double spending

SignA(Transfer X to B) SignA(Transfer X to C) SignA(Transfer X to B)

Longest chain wins

Transaction confirmation (~6 blocks)

Real time bitcoin http://www.blockchain.info

Bitcoin is transaction-based

IN: scriptSig ... scriptSig ...

OUT: scriptPub A,

5.9

...

... IN:

scriptSig A OUT:

scriptPubB, 5.0 scriptPubA,

0.9

IN: scriptSig A scriptSig A

OUT: scriptPubC,

10.0

IN: scriptSig ...

OUT: scriptPubA,

9.2

...

Bitcoin transactions specify scripts scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

IN: scriptSig ... scriptSig ...

OUT: scriptPub A,

5.9

IN: scriptSig A

OUT: scriptPubB, 5.0 scriptPubA,

0.9

<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

scriptSig: <sig> <pubKey>

Redemption script:

Bitcoin transactions specify scripts

<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

<sig> ✓ <pubKey>

<pubKey>

<pubKeyHash?>

<pubKeyHash>

Bitcoin script features ●  multiple signatures ●  escrow ●  time locking ●  commitment opening ... ●  smart contracts?

Part II: Mining & Consensus

51% attacks

Goldfinger Attack?

Checkpointing

How decentralized is Bitcoin?

Selfish mining Observation: for 0.33 < x < 0.5, a fraction x of selfish miners can earn greater than a fraction x of rewards

Secret Block

Secret Block

Majority  is  not  enough:  Bitcoin  mining  is  vulnerable  I8ay  Eyal  and  Emin  Gün  Sirer.  Financial  Crypto  2014  

Mining difficulty

bitcoinwisdom.com

Difficulty adjustment

bitcoinwisdom.com

10 minutes

2 weeks

Mining rewards

Courtesy: Brian Warner

Total network capacity ●  264 hashes per block (every 10 minutes!) ●  275 hashes in 2013 o  In exchange for ~US$250M

●  Consuming > 100 MW

Bitcoin mining hardware

Should I mine bitcoins?

Chilkoot pass, Klondike 1898

Mining pools Mint(25, KPOOL)

0x00000000000000003f89...

0x000000000000490c6b00...

0x00000000000000003f89... 0x0000000000001e8709ce...

0x00000000000007313f89...

0x00000000000045a1611f...

0x000000000000a877902e...

Mining pools

Part III: Bitcoin as a currency

Why does Bitcoin have value? Consensus ●  Consensus in state (blockchain) ●  Consensus in payment ●  Consensus in rules

The  Economics  of  Bitcoin  Mining,  or  Bitcoin  in  the  Presence  of  Adversaries  Joshua  Kroll,  Ian  Davey,  Ed  Felten.  WEIS  2013  

Price during 2013

Price during 2013-2015

Black Markets

Silk Road: US$14M in Revenue in 2012 [Christin 2012] Traveling  the  Silk  Road:  A  measurement  analysis  of  a  large  anonymous  online  marketplace  Nicolas  ChrisSn, WWW  2013  

Capital controls

E-commerce

Bitcoin exchanges

Beware  the  middleman:  Empirical  analysis  of  Bitcoin-­‐exchange  risk  Tyler  Moore  and  Nicolas  ChrisSn, Financial  Crypto  2013  

Bitcoin ATMs

Bitcoin meetups

Bitcoin meetups

Part IV: Neat applications

Green Addresses (speeding up payments)

IN: scriptSig ...

OUT: scriptPub A,

10.0

IN: scriptSig A

OUT: scriptPub O,

1.0 scriptPub A, 9.0

x 6

Green Addresses (speeding up payments)

IN: scriptSig ...

OUT: scriptPub G,

10.0

IN: scriptSig A

OUT: scriptPub O,

1.0 scriptPub A, 9.0

I promise to never double-spend!

Sequential micropayments

IN: scriptSig ...

OUT: scriptPub G,

10.0

I promise to never double-spend!

IN: scriptSig A

OUT: scriptPub O,

0.1 scriptPub A, 9.9

IN: scriptSig A

OUT: scriptPub O,

0.2 scriptPub A, 9.8

IN: scriptSig A

OUT: scriptPub O,

0.3 scriptPub A, 9.7

IN: scriptSig A

OUT: scriptPub O,

0.4 scriptPub A, 9.6

Secure commitments (timestamping)

Hash Data

CommitCoin:  carbon  daSng  commitments  with  Bitcoin  Jeremy  Clark,  Aleksander  Essex.  Financial  Crypto  2012  

Randomness Beacon

Hash =

Part V: Anonymity

Tracing Bitcoin transactions

IN: scriptSig A1 scriptSig A2

OUT: scriptPub

A3, 5.9

...

... IN:

scriptSig A3 OUT:

scriptPubB, 5.0 scriptPubA4,

0.9

Joint control Change addresses

Building the transaction graph

A  FisWul  of  Bitcoins:  Characterizing  Payments  Among  Men  with  No  Names  Sarah  Meiklejohn  et  al, IMC  2013  

Bitcoins carry a transaction history

Towards  Risk  Scoring  of  Bitcoin  TransacSons  Möser,  Malte,  Rainer  Böhme,  and  Dominic  Breuker, BITCOIN  2013  

●  identification ●  censorship ●  recovery from theft ●  economic analysis

Mixes

Mixes today

Caution: Mixing services may themselves be operating with anonymity. As such, if the mixing output fails to be delivered or access to funds is denied there is no recourse. Use at your own discretion.

-The Bitcoin Wiki

An  inquiry  into  money  laundering  tools  in  the  Bitcoin  ecosystem  Möser,  Malte,  Rainer  Böhme,  and  Dominic  Breuker, ECRIME  2013  

If  v  ➡  kesc  by  tin,  but  not          v  ➡  kout  by  tout  The  client  publishes  

If  I  send  you  v  bitcoins  by  Sme  tin  Will  you  send  v  to  my  address  kout  by  Sme  tout?  

Sure!  Just  send  your  coins  kesc    Sign(v,  tin,  tout  ,kout  ,kesc}  

Anyone  can  verify  cheaSng  

(Ideally)  no  one  trusts              anymore  

Better mixes with warranties

Mixcoin:  Anonymity  for  Bitcoin  with  accountable  mixes  J.  Bonneau,  A.  Narayanan,  A.  Miller,  J.  Clark,  J.  Kroll,  E.  Felten.  Financial  Crypto  2013  

Coin Join

IN: scriptSig P scriptSig M scriptSig S

OUT:

scriptPub P’, 1.0 scriptPub M’, 1.0 scriptPub

S’, 1.0

Zerocoin Bitcoin Zerocoin

CRYPTO! Zerocoin:  Anonymous  distributed  e-­‐cash  from  bitcoin  Ian  Miers,  ChrisSna  Garman,  Ma8hew  Green,  Avi  Rubin.  IEEE  Oakland  2013  

Zerocash

“Cryptocurrencies are just a gateway drug to SNARKS”

Zerocash:  Decentralized  Anonymous  Payments  from  Bitcoin  E.  Ben-­‐Sasson,  A.  Chiesa,  C.  Garman,  M.  Green,  I.  Miers,  E.  Tromer,  M.  Virza  IEEE  Oakland  2014  

Part VI: Extensions & Altcoins

Types of changes to Bitcoin

●  overlay ●  soft fork ●  hard fork ●  alternate chain ●  alternate systems

Easy

Hard

Deploym

ent difficulty

Overlays

✓Soft fork changes

●  Pay-to-script-hash ●  Pay-to-SNARK (CoinWitness) ●  ECDSA-P256 replacements ●  Zerocoin

Hard fork changes

●  Change block size ●  Change block frequency ●  Various bug fixes ●  Restructuring the chain

Altcoins (Bitcoin-like chain)

Other altcoins

Bitcoin limitations ●  ~7 transactions per second

o  Visa: ~10k tps (peak) ●  248 currency units

o  ~32k per person on earth ●  0.0001 BTC transaction fees typical

o  ~$0.40 US ●  ~60 minutes confirmation delay

A reserve currency?

Questions