cryptography lecture 12 - bitcoin and friends · cryptography lecture 12 bitcoin and friends...
TRANSCRIPT
Cryptography lecture 12Bitcoin and friends
Jonathan Jogenfors
Our money versus the Internet
Many everyday things have moved to the Internet.Communications, relations, entertainment. . . but not money.
Why do we still need these?
But what about credit cards?
Credit cards are inherently insecure.Entire model is backwards:
1. Merchant takes the customer’s CC number2. Merchant goes to the bank3. Merchant gives CC number to the customer’s bank4. Bank gives money from the customer’s account to the
merchant.
Something like this would be better:1. Customer tells bank to give money to merchant2. That’s it!
Making money digital
Why not create a currency based on cryptography?Our design goals should1 be a currency with the followingproperties:
1. Secure transfer in computer networks2. Cannot be copied and reused3. Anonymity4. Offline transactions5. Can be transferred to others6. Can be subdivided
1Okamoto and Ohta 1991.
Textbook example of digital cash
The course textbook (Ch. 11) contains an example of digitalcash (not part of the course).
Note the difference:• Digital cash: Electronic version of existing currency (USD)• Digital currency: Entirely new currency (i.e. Bitcoin)
The textbook example is a centralized system, where a bank isneeded for everything to work.
The failure of electronic cash
There have been several proposals for digital money.
Until a few years ago, all had failed.
No gain over existing systems:• Still need a central point of trust• Privacy: Who monitors the system?• Can we entrust a bank with managing an entire currency?
There is no need for centralization
With cryptography we can actually create something betterthan “electronic cash”.
This is not in the textbook; it’s too new.
A currency that is peer-to-peer.
All functions of a bank can be taken over by the network.
In essence, we create a system with distributed consensus.
Bitcoin
The Bitcoin protocol was proposed2 in 2008.
Takes care of:• Creation of new currency• Secure transactions• Protection against double-spending• Anybody can be a “merchant” or a “customer”.• Pseudo-anonymity
2Nakamoto 2008.
We will now create Bitcoin from scratch
Step by step, we create a peer-to-peer currency.
In each step we discuss strengths and weaknesses.
Let’s call one unit of currency “Southfork”.
Southfork = the protocol
southfork = the currency
Southfork version 1: Public, signed transactions
Alice publishes a signed message: “I, Alice, send one southforkto Bob”
Good stuff:• Bob can verify the signature as being from Alice.• The transaction cannot be undone
Bad stuff:• No account balances• Infinite number of southfork. Very incomplete. . .
Southfork version 2: Serial numbers
“I, Alice, send southfork no. 856034 to Bob”
Duplicate transactions are easily spotted.
How are the serial numbers created?
The (too) easy solution: Serial numbers generated by a trustedsource, like a bank.
A bank works, but. . .
This is where Nakamoto put the stroke of genius
No central point of trust, instead a blockchain
We remove the central point of trust.
Instead, we establish a list of all transactions ever made.
Computing an account balance is done by summing over allprevious transactions for that account.
This list is called the blockchain and is shared by all users.
Southfork version 3: The blockchain
Bob checks his blockchain before accepting the transaction
If he sees that the southfork in question is owned by Alice, heaccepts it.After the transaction is complete, Bob broadcasts hisacceptance.As soon as the other peers hear this broadcast, they will notallow double-spending.
Double-spending is still possible
He he
Alice can perform a double-spend before the acceptancebroadcast is heard by enough peers
To solve this problem, we make Bob ask everybody else if atransaction is valid.Double-spending will be noticed before payment is accepted.
Double-spending is still possible
He he
Alice can perform a double-spend before the acceptancebroadcast is heard by enough peers
To solve this problem, we make Bob ask everybody else if atransaction is valid.Double-spending will be noticed before payment is accepted.
Double-spending is still possible
He he
Alice can perform a double-spend before the acceptancebroadcast is heard by enough peers
To solve this problem, we make Bob ask everybody else if atransaction is valid.Double-spending will be noticed before payment is accepted.
Asking the network about the transaction
How many answers should Bob require? How can the answersbe trusted?
A “majority vote” is impossible, what if Alice spams Bob withfalse confirmations?
There is no way to perform traditional authentication.
But Southfork won’t work if transactions can’t be reliablyverified. . .
Southfork version 4 (final): Proof of work
The finished Southfork protocol uses Proof of Work (PoW).
Basic idea: We only trust solutions that are accompanied by aproof of someone having committed a large amount ofresources to a problem.
That is, we don’t authenticate a user, but we authenticate thefact that time/money/energy/etc. has been spent.
In order for Alice to make a double-spend, she first has to spendenergy before Bob trusts her.
Even better: We turn proof-of-work into a competition.
Constructing the PoW challenge
We want a problem that. . .• . . . is difficult to solve• . . . has solution(s) that are easy to verify• . . . has scalable difficulty (will be discussed later)
Remember lecture eight? A one-way hash function h(x) has thefollowing properties:
• Easy to calculate h(x) from x• Given h(x), it is hard to find x′ so that h(x′) = h(x).
Finding preimages is the perfect proof of work!
Constructing the PoW challenge
We want a problem that. . .• . . . is difficult to solve• . . . has solution(s) that are easy to verify• . . . has scalable difficulty (will be discussed later)
Remember lecture eight? A one-way hash function h(x) has thefollowing properties:
• Easy to calculate h(x) from x• Given h(x), it is hard to find x′ so that h(x′) = h(x).
Finding preimages is the perfect proof of work!
The verifications are done by miners
Alice’s transaction message m is broadcast:“I, Alice, transfer southfork no. 3869303 to Bob”.
A miner selects a random k and computes h(m + k).
If h(m + k) > T the miner chooses a new k and tries again.
After a long time we get h(m + k) < T and the minerbroadcasts k.
Bob receives k and checks that h(m + k) < T .
We will talk more about T at the end of the lecture.
A simple example of Proof of Work
Let the threshold T be so that the hash value h(m + k) needsfive leading zeros and let m =“AAA”.
m + k h(k + m)
AAA0 802dbe2e69. . .
AAA1 bbfce0d522. . .AAA2 7bb4db476f. . .. . . . . .AAA770239 00000921ac. . .
k = 770239 is a valid solution
Note that in the normal case, k is chosen randomly.There are several solutions k to the problem h(m + k) < T .
A simple example of Proof of Work
Let the threshold T be so that the hash value h(m + k) needsfive leading zeros and let m =“AAA”.
m + k h(k + m)
AAA0 802dbe2e69. . .AAA1 bbfce0d522. . .
AAA2 7bb4db476f. . .. . . . . .AAA770239 00000921ac. . .
k = 770239 is a valid solution
Note that in the normal case, k is chosen randomly.There are several solutions k to the problem h(m + k) < T .
A simple example of Proof of Work
Let the threshold T be so that the hash value h(m + k) needsfive leading zeros and let m =“AAA”.
m + k h(k + m)
AAA0 802dbe2e69. . .AAA1 bbfce0d522. . .AAA2 7bb4db476f. . .
. . . . . .AAA770239 00000921ac. . .
k = 770239 is a valid solution
Note that in the normal case, k is chosen randomly.There are several solutions k to the problem h(m + k) < T .
A simple example of Proof of Work
Let the threshold T be so that the hash value h(m + k) needsfive leading zeros and let m =“AAA”.
m + k h(k + m)
AAA0 802dbe2e69. . .AAA1 bbfce0d522. . .AAA2 7bb4db476f. . .. . . . . .AAA770239 00000921ac. . .
k = 770239 is a valid solution
Note that in the normal case, k is chosen randomly.There are several solutions k to the problem h(m + k) < T .
Mining is a competition to find a solution
Transaction
!!
19395?
5536233?
64203?
260394?
116534?
423787?
298360?
372983?
7239345?
8890153!!
372983?
7239345?
Charlie is the lucky winner
Bob can trust the acknowledgment from Charlie.
Mining is a competition to find a solution
Transaction !!
19395?
5536233?
64203?
260394?
116534?
423787?
298360?
372983?
7239345?
8890153!!
372983?
7239345?
Charlie is the lucky winner
Bob can trust the acknowledgment from Charlie.
Mining is a competition to find a solution
Transaction !!
19395?
5536233?
64203?
260394?
116534?
423787?
298360?
372983?
7239345?
8890153!!
372983?
7239345?
Charlie is the lucky winner
Bob can trust the acknowledgment from Charlie.
Mining is a competition to find a solution
Transaction !!
19395?
5536233?
64203?
260394?
116534?
423787?
298360?
372983?
7239345?
8890153!!
372983?
7239345?
Charlie is the lucky winner
Bob can trust the acknowledgment from Charlie.
Mining is a competition to find a solution
Transaction !!
19395?
5536233?
64203?
260394?
116534?
423787?
298360?
372983?
7239345?
8890153!!
372983?
7239345?
Charlie is the lucky winner
Bob can trust the acknowledgment from Charlie.
Mining is a competition to find a solution
Transaction !!
19395?
5536233?
64203?
260394?
116534?
423787?
298360?
372983?
7239345?
8890153!!
372983?
7239345?
Bob can trust the acknowledgment from Charlie.
A block is a large number of transactions
Alice 1 southfork to BobCharlie 500 southfork to MalloryAlice 50 southfork to MalloryVictor 4 southfork to TrentPeggy 7000 southfork to VictorEve 15 southfork to AliceBob 100 southfork to Peggy
2015-10-14 13:44:17
Previous hash value Nonce k
Block #236434
A block is only valid if its hash value is less than T .
A block is a large number of transactions
Alice 1 southfork to BobCharlie 500 southfork to MalloryAlice 50 southfork to MalloryVictor 4 southfork to TrentPeggy 7000 southfork to VictorEve 15 southfork to AliceBob 100 southfork to Peggy
2015-10-14 13:44:17
Previous hash value Nonce k
Block #236434
A block is only valid if its hash value is less than T .
A block is a large number of transactions
Alice 1 southfork to BobCharlie 500 southfork to MalloryAlice 50 southfork to MalloryVictor 4 southfork to TrentPeggy 7000 southfork to VictorEve 15 southfork to AliceBob 100 southfork to Peggy
2015-10-14 13:44:17
Previous hash value Nonce k
Block #236434
A block is only valid if its hash value is less than T .
A block is a large number of transactions
Alice 1 southfork to BobCharlie 500 southfork to MalloryAlice 50 southfork to MalloryVictor 4 southfork to TrentPeggy 7000 southfork to VictorEve 15 southfork to AliceBob 100 southfork to Peggy
2015-10-14 13:44:17
Previous hash value
Nonce k
Block #236434
A block is only valid if its hash value is less than T .
A block is a large number of transactions
Alice 1 southfork to BobCharlie 500 southfork to MalloryAlice 50 southfork to MalloryVictor 4 southfork to TrentPeggy 7000 southfork to VictorEve 15 southfork to AliceBob 100 southfork to Peggy
2015-10-14 13:44:17
Previous hash value Nonce k
Block #236434
A block is only valid if its hash value is less than T .
A block is a large number of transactions
Alice 1 southfork to BobCharlie 500 southfork to MalloryAlice 50 southfork to MalloryVictor 4 southfork to TrentPeggy 7000 southfork to VictorEve 15 southfork to AliceBob 100 southfork to Peggy
2015-10-14 13:44:17
Previous hash value Nonce k
Block #236434
A block is only valid if its hash value is less than T .
Transactions are verified by miners
The process of turning transactions into blocks is mining.
The blocks are numbered and form a long chain, blockchain.
(abandoned)
If two miners find a valid block simultaneously, the resolutionstrategy is to randomize and then work on the longest chain.
Transactions are verified by miners
The process of turning transactions into blocks is mining.
The blocks are numbered and form a long chain, blockchain.
(abandoned)
If two miners find a valid block simultaneously, the resolutionstrategy is to randomize and then work on the longest chain.
Transactions are verified by miners
The process of turning transactions into blocks is mining.
The blocks are numbered and form a long chain, blockchain.
(abandoned)
If two miners find a valid block simultaneously, the resolutionstrategy is to randomize and then work on the longest chain.
Transactions are verified by miners
The process of turning transactions into blocks is mining.
The blocks are numbered and form a long chain, blockchain.
(abandoned)
If two miners find a valid block simultaneously, the resolutionstrategy is to randomize and then work on the longest chain.
Transactions are verified by miners
The process of turning transactions into blocks is mining.
The blocks are numbered and form a long chain, blockchain.
(abandoned)
If two miners find a valid block simultaneously, the resolutionstrategy is to randomize and then work on the longest chain.
Transactions are verified by miners
The process of turning transactions into blocks is mining.
The blocks are numbered and form a long chain, blockchain.
(abandoned)
If two miners find a valid block simultaneously, the resolutionstrategy is to randomize and then work on the longest chain.
Each block gives security to the previous ones
Hash
TX Hash
TX Hash
TX Hash
TX Hash
Bob waits a number of blocks before accepting Alice’stransaction.
This is how Bitcoin works!
Southfork now essentialy works like Bitcoin.
Digital signatures initiate the transaction
Miners verify the transactions
Bob accepts the transaction after six successive blocks (takesone hour).
New currency is created by rewarding miners.
Everybody has the blockchain
All transactions are in the blockchain.
Anybody can see all transactions
Today, the blockchain takes up more than 135 gigabyte.
Security analysis
The only way for Alice to cheat is the following:1. Buy a supercomputer2. Save up money for the electric bill3. Broadcast an invalid transaction m to Bob4. Let the supercomputer search for a block containing m.5. The computer must be faster than everybody else’s,
combined.6. Even if she manages to solve an “illegal” block, no other
miner will accept it.Alice has a hard time cheating Bob.Even if she has 1 % of the hashing power, the chance of miningsix blocks in a row is (0.01)6 = 1 × 10−12.
Sending and receiving bitcoin
Private key:E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
ECDSA
RIPEMD-160
base58
Address:3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Sending and receiving bitcoin
Private key:E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
ECDSA
RIPEMD-160
base58
Address:3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Sending and receiving bitcoin
Private key:E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
ECDSA
RIPEMD-160
base58
Address:3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Sending and receiving bitcoin
Private key:E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
ECDSA
RIPEMD-160
base58
Address:3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Sending and receiving bitcoin
Private key:E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
ECDSA
RIPEMD-160
base58
Address:3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Detailed view of a transaction
Sending and receiving bitcoin
A bitcoin wallet
Bitcoin trading
Today: 1 B ≈ 42 000 SEK.Bitcoin can be bought and sold like any other currency.Bitcoin ATM in Stockholm.
Volatility is a big problem
Adresses are global and fast
A bitcoin address: 12bs44bxxe2k3ax2c9pQHtodUhPSrbJqbeBuilt-in check code.Fits well with QR codes:
Only an address is needed
This sign was shown on ESPN, giving 24 000 USD
Only an address is needed
This sign was shown on ESPN, giving 24 000 USD
Bitcoin for merchants
Bitcoin and trust
In Bitcoin, the users only need to trust the algorithm, nothingelse.
In contrast, with traditional currency trust in the central bank,The Bitcoin protocol is a system without inherent trust.
You don’t even need to trust the initial creator, Nakamoto.
Bitcoin mining is big business
Whenever a miner finds a valid block, he or she is rewarded.
Industrial-scale mining. Photo from KnC Miner
Bitcoin mining has scalable difficulty
Bitcon dynamically scales the mining difficulty.
The goal is one mined block per 10 minutes, globally.
Smaller T gives higher difficulty.
Currently, you need hash values beginning with ≥ 20 (!) zeros.
000000000000000000af0d5752187e109c477ea70bb96c5c5aa8f92c6a6c8b02
Extreme competition in bitcoin mining
Note the logarithmic scale!Today: Hash rate is more than 7 × 1018 hash/s.
Specialized ASIC miners are expensive
The Swedish miner KnC Neptune costs thousands of dollars andperforms 3 × 106 hashes per second.
Bitcoin 2.0: Digital contracts
A Bitcoin transaction between two parties; a “digital contract”.
Digital contracts can do much more than just money.
Currently in development: Ethereum.
Turing-complete money!
• Contract for difference• Multisignature escrows• Peer to peer gambling
Simple example of a digital contract
Alice sets up a savings account.
She is quite lazy, so she hire Bob to manage her money.
Bob and Alice don’t fully trust each other.
They establish a contract with the following rules:1. Alice alone can withdraw 1 % per day.2. Bob alone can withdraw 0.05 % per day.3. Alice and Bob together can withdraw all the money right
away.
The savings account
Alice only needs small amounts of money every day.
If she needs more, she can ask Bob for permission.
If Bob turns out to be evil, Alice can withdraw money 20 timesas fast.
If Alice’s key is compromised, she can run to Bob and theymove the money to a new contract.
If Alice loses her key, Bob can eventually help her get hermoney back.
Digital contracts: Beyond currencies
A digital contract has a life on its ownAn autonomous agent that enforces the rules in the network.Similar to secret sharing, but better.Digital contracts are even beyond currencies:
• Distributed, incentivized Dropbox storage• Anonymous, encrypted message distribution• Web of trust• . . .
Digital contracts: Very new and paving way for new, previouslyunthinkable innovations.
More reading if you are interested
After this course you have the neccessary background tounderstand Bitcoin.
The Bitcoin whitepaper: Read it!https://bitcoin.org/bitcoin.pdf
How the Bitcoin protocol actually works:http://www.michaelnielsen.org/ddi/how-the-bitcoin-protocol-actually-works/
More detailed explanation of transaction and keys:http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html
(These slides will be on the homepage shortly)
Quantum Bitcoin
Jonathan Jogenfors (2016). “Quantum Bitcoin: An Anonymousand Distributed Currency Secured by the No-Cloning Theoremof Quantum Mechanics”. arXiv: 1604.01383 [quant-ph].url: http://arxiv.org/abs/1604.01383.
Another selfless plug
November 17th 2017: My PhD defense.• Ada Lovelace, 13:00• Hacking quantum cryptography• Arguing with fellow scientists, trying to make them
understand their QKD protocol is broken.• Quantum Bitcoin
• Smorgastarta is served afterwards
Another selfless plug
November 17th 2017: My PhD defense.• Ada Lovelace, 13:00• Hacking quantum cryptography• Arguing with fellow scientists, trying to make them
understand their QKD protocol is broken.• Quantum Bitcoin• Smorgastarta is served afterwards
Summary of methods
Transactions are signed with digital signatures: ECDSA
The elliptic curve used in Bitcoin is secp256k1.
E : y2 = x3 + 7 mod p
where
p = 2256 − 232 − 29 − 28 − 27 − 26 − 24 − 1.
Transactions are verified collectively by finding preimages ofhash functions.
The challenges
As a currency, bitcoin is very young.
Transactions are safe, storage is not.
If Alice loses her key, she loses her money.
If Eve finds Alice’s key, she can take her money and gets awaywith it.
Many questions remain: Taxation? Volatility? Illicit trade?
Summary
Bitcoin: Peer-to-peer, decentralized.
Ethereum: Digital, autonomous contracts
Extreme development, stay tuned!
Jonathan Jogenfors, [email protected]