Data Privacy and Security
Master Degree in Data Science
Sapienza University of Rome
Academic Year 2017-2018
Instructor: Daniele Venturi (Slides from a series of lectures by Stefan Dziembowski)
BitcoinData Privacy and Security
2
Part VI: Bitcoin and Beyond
History of Digital Cash
• 1990: Chaum’s anonymous eCash
– Uses sophisticated crypto to achieve security and user anonymity
(Figure: withdrawal, pay, deposit)
Company founded in 1990… went bankrupt in 1998
History of Digital Cash
• 2008: Bitcoin announced by Satoshi Nakamoto
• 2011-2013: Popular for buying illegal goods
– E.g., Silk Road anonymous marketplace
• End of 2013: Market price skyrockets and the world notices
Main difference with eCash:
The Bitcoin Revolution
• Problems of earlier ecash systems
– Need trusted center (money does not circulate)
– High transaction fees
• Solutions in bitcoin ecosystem
– Decentralized system (money circulates)
– Variable transaction fees
Bitcoin’s Success
• Probably one of the most discussed cryptographic technologies ever!
(Figure: search interest for Bitcoin, Snowden, Encryption)
No Trusted Servers!
• Nobody controls the money
– The amount of money that will ever be created is fixed to around 21 mln Bitcoin (no inflation)
(Figures: exchange rate fluctuates; next block halving)
Really No Trusted Server?
• The client software is written by people who are in charge of changing the system
• Software contains so-called checkpoints (more on this later)
• Popular clients: (figure)
The people behind the software are not anonymous
Bitcoin in Context
Bitcoin: • Protocol • Client software • Data (blockchain)
Bitcoin Ecosystem: • Exchanges • Mining pools • Remote wallets
Financial Sector: • Banks • Funds • Regulators • Treasury
Real Economy: • Agents • Goods • Markets (legal/illegal) • Externalities
Updates?
• How to update the protocol if there is no governing body?
• Updates take the form of Bitcoin Improvement Proposals (BIPs)
• The Bitcoin community votes on BIPs
– Weight of votes proportional to computing power
– Voting process organised centrally (via a forum)
Bitcoin ≈ Real Money?
• Bitcoin’s value comes from the fact that: «People expect that other people will accept it in the future.»
Enthusiasts: It’s like real money
Sceptics: It’s a Ponzi scheme
Some Economists Are More Positive
• Billions of VC funding, many major banks and companies are interested
«While these types of innovations may pose risks related to law enforcement and supervisory matters, there are also areas in which they may hold long-term promise, particularly if the innovations promote a faster, more secure and more efficient payment system» (Ben Bernanke)
Why Bitcoin Became So Popular?
• Ideological reasons
– Crypto anarchy (nobody controls the money)
• Good timing due to the financial crisis in 2008
– No money printing in Bitcoin
• Trading of illegal goods due to seeming anonymity (in fact pseudonymity)
• Payments can be cheap
– Almost no fees for a long time (PayPal 2-10%)
• Novel technology for distributed systems
Illegal Market Places
• What is sold?
• Mostly non-professional sellers
– Most items only listed for a few days
• Value of all markets: 600000 USD per day
Category        # of items   % of total
Weed            3338         13.7
Prescriptions   1784         7.3
Books           955          3.9
Cannabis        877          3.6
Cocaine         630          2.6
LSD             440          1.8
Downsides of Decentralization
• There are no regulators
– MtGox (handling 70% of all Bitcoin transactions) shut down in Feb 2014, reporting 850000 BTC (450 million USD) stolen
• Transactions cannot be reversed
– But see a later lecture for alternatives
• Software bugs are immediately exploited, as hackers can make money
– Ransomware
– Viruses stealing bitcoins
Main Design Principles
Double Spending
• The main problem with digital money is that it is much easier to copy than real money
– Bits are easier to copy than paper
(Figure: coin #16fab13fc6890 copied and spent twice)
Bitcoin’s Idea (Simplified)
• The users emulate a public bulletin-board containing a list of transactions
– A transaction is of the form: «User P1 transfers a coin #16fab13fc6890 to user P2»
(Figure: a second transfer of coin #16fab13fc6890 is rejected: «You have already spent this!»)
Trusted Bulletin-Board Emulation
(Figure: Ideal World, with a trusted bulletin-board, versus Real World, where the users emulate it)
Main difficulty: some parties can cheat!
An Idea
• Assume honest majority and implement the bulletin-board by voting
– Every transaction is broadcast
Transaction id     Value
ddbs21239864k…     0.084 BTC
edd98763hn3nr…     1.2 BTC
mkk8765g4g2j3…     0.036 BTC
Is this the correct bulletin-board? (the parties vote: YES, NO, YES, NO)
In cryptocurrencies this is called the consensus protocol
How to Implement Consensus?
• A very well-studied problem in distributed computing
• Idea: Use techniques from MPC
– Agreement requires honest majority
– Problem: Sybil attack
– How to define majority in a context where everybody can join the network?
Bitcoin’s solution
• Majority = Majority of computing power
• Now creating multiple identities does not help
How is this verified?
• Use Proofs of Work (PoW) – Dwork & Naor ’92
• Basic idea: Users solve a moderately hard puzzle
• Digital puzzle: Use cryptographic hashing
– Hash function H with running time TIME(H)
– Solve: Find an input s.t. the output starts with n zeroes
– Verify: Compute the hash
Hard to find a solution, easy to verify
Simple PoW
Hash function H with running time TIME(H)
Verifier → Prover: random x
Prover: find s s.t. H(s||x) starts with n zeroes (time 2^n · TIME(H))
Prover → Verifier: answer s
Verifier: check that H(s||x) starts with n zeroes (time TIME(H))
Setup for the Bulletin-Board
• Users maintaining the bulletin-board are called miners
• Miners maintain a chain of blocks:
Block 0 → Block 1 → Block 2 → Block 3 (Block i contains the transactions from period i)
The genesis block (Block 0) was created by Nakamoto on 03/01/09
Block size < 1MB ≈ 7 trans./sec
Period ≈ 10 mins
Extending the Blockchain
• The chain is extended by using the PoW
• PoW challenge: H(Salt || H(Block_i) || TX) starts with n zeroes (hardness parameter)
(Figure: Block 0 → Block 1 → Block 2; each new block contains its transactions, a salt and the hash H of the previous block)
In Bitcoin H = SHA-256
Adjusting the Hardness Parameter
• The computing power of the miners changes
• Miners should generate a new block every 10 minutes (on average)
• Thus the hardness parameter is periodically adjusted to the mining power
– It happens once every 2016 blocks
– Automatic process, in a way that depends on the time it took to generate the 2016 blocks
– Possible because each block contains a timestamp
Hash Rate
• September 2013: 990,986 GH/s
• September 2014: 280,257,530 GH/s
• September 2015: 385,067,688 GH/s ≈ 2^58 H/s
How to Post on the Board
• Broadcast your transaction over the internet to the miners
• Hope they will add it to the next block
– Miners are incentivized to do so
• Miners never add invalid transactions (e.g., double spending)
– A chain with an invalid transaction is itself not valid, so no rational miner would do it
• When a miner finds an extension he broadcasts it to all the users
Forks
• The longest chain counts!
(Figure: Block i → Block i+1 → Block i+2 → Block i+3, and a competing Block′ i+2 branching off Block i+1; the longer chain is the valid one)
Makes no sense to work on a shorter chain, as everybody else is working on extending the longest one
Consequences
• The system should quickly self-stabilize
• If there is a fork, then one branch will die
– What if your transaction ends up in a dead branch?
– Recommendation: To make sure it doesn’t happen, wait 6 blocks (≈1 hour)
Can Transactions be Reversed?
• Requires a fork in the past
– Unlikely with minority computing power
– Honest miners always ahead of the adversary
Attack based on Hardness Parameter
(Figure: the valid chain and a secretly computed alternative chain of 2016 blocks)
1) Secretly compute another chain with fake timestamps (indicating that it took a long time to produce it)
2) The difficulty drops dramatically, so one can quickly produce a chain longer than the valid one and publish it
The Strongest Chain
• For this reason, in Bitcoin it is not the longest chain that matters, but rather the strongest
• Strength of each block is 2^n
• Strength of the chain is the sum of the hardnesses of all its blocks
– This clearly prevents the previous attack
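The following added example (not from the lecture slides) puts the three mechanisms of the last slides on one toy chain: the PoW challenge H(Salt || H(Block_i) || TX), the periodic retarget of the hardness from block timestamps, and chain selection by total work rather than block count. It represents "starts with n zeroes" as a numeric target 2^(256−n), so that a block's hardness is 2^n; the 4x clamp on each retarget is Bitcoin's real rule, while the block layout, the retarget interval of 4 blocks and all sample data are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

BLOCK_INTERVAL = 600          # desired seconds between blocks (10 minutes)
RETARGET_INTERVAL = 4         # Bitcoin adjusts every 2016 blocks; shrunk for the example
GENESIS_HASH = b"\x00" * 32   # constructed stand-in for the genesis block hash


@dataclass
class Block:
    prev_hash: bytes   # H(Block_i) of the block being extended
    txs: str           # the TX part of the challenge (constructed sample)
    target: int        # hash must be < target; target 2^(256-n) == "n zero bits"
    timestamp: int     # seconds; this is what retargeting looks at
    salt: int = 0      # the nonce the miner searches for

    def hash(self) -> bytes:
        header = self.salt.to_bytes(8, "big") + self.prev_hash + self.txs.encode()
        return hashlib.sha256(header).digest()


def target_for_zero_bits(n: int) -> int:
    return 2 ** (256 - n)


def work(target: int) -> float:
    """Expected hash evaluations to meet the target: 2^n for target 2^(256-n)."""
    return 2 ** 256 / target


def valid_pow(block: Block) -> bool:
    """Verification costs a single hash evaluation (TIME(H))."""
    return int.from_bytes(block.hash(), "big") < block.target


def mine(block: Block) -> Block:
    """Expected cost work(target) hashes: bump the salt until the PoW holds."""
    while not valid_pow(block):
        block.salt += 1
    return block


def retarget(old_target: int, actual_seconds: int) -> int:
    """New target after RETARGET_INTERVAL blocks, from their timestamps.
    Blocks came too fast -> smaller target (harder). Bitcoin clamps the change to a
    factor of 4 per period, which bounds how far fake timestamps can move it."""
    expected = RETARGET_INTERVAL * BLOCK_INTERVAL
    actual = max(min(actual_seconds, 4 * expected), expected // 4)
    return old_target * actual // expected


def valid_chain(chain: list) -> bool:
    prev = GENESIS_HASH
    for b in chain:
        if b.prev_hash != prev or not valid_pow(b):
            return False
        prev = b.hash()
    return True


def chain_strength(chain: list) -> float:
    """Sum of the hardnesses of all blocks (the slides' sum of 2^n)."""
    return sum(work(b.target) for b in chain)


def strongest_chain(candidates: list) -> list:
    """Pick among the candidates that verify correctly the one with most total work."""
    valid = [c for c in candidates if valid_chain(c)]
    return max(valid, key=chain_strength)


def build_chain(n: int, length: int, spacing: int) -> list:
    chain, prev, t = [], GENESIS_HASH, 0
    for i in range(length):
        t += spacing
        b = mine(Block(prev, f"tx-period-{i}", target_for_zero_bits(n), t))
        chain.append(b)
        prev = b.hash()
    return chain


if __name__ == "__main__":
    honest = build_chain(n=14, length=3, spacing=BLOCK_INTERVAL)
    cheap = build_chain(n=4, length=6, spacing=BLOCK_INTERVAL)   # long but low hardness
    print("longest by block count:", "cheap" if len(cheap) > len(honest) else "honest")
    print("strongest by total work:",
          "honest" if strongest_chain([honest, cheap]) is honest else "cheap")
```

The "cheap" chain has twice as many blocks, so a longest-chain rule would adopt it, but its total work is 6 · 2^4 against 3 · 2^14 for the honest chain, which is why the strength rule is the one that counts.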
Joining the Network
• How to identify a user? Use a digital signature scheme (K, S, V)
– Bitcoin uses ECDSA
New user: (pk, sk) ←$ K; publish pk and keep sk secret
Every user has his own key pair
Digital Signature Standard (DSS)
• Approved by the US government in 1994
– Designed by NIST & NSA
– Originally using SHA-1, but now SHA-2 is recommended
– DSS is the standard and DSA is the algorithm
• A variant of ElGamal PKE
– Security based on the hardness of DL
– Creates a 320-bit signature (vs 1024 bits with RSA)
– Most of the computation is mod a 160-bit prime
DSA Key Generation
• Shared global public values (p, q, α)
– Prime p of size 1024 bits
– Prime q of size 160 bits (factor of p − 1)
• Value α ∈ ℤ*_p of order q
– Pick g ∈ ℤ*_p and compute α = g^((p−1)/q) mod p
– Repeat if α = 1
• Each user generates (a, β)
– Private key a ←$ ℤ_q
– Public key β = α^a mod p
DSA Signing
• Let x ∈ {0,1}* be the message to be signed
– Pick random k ←$ ℤ_q
– Let r = (α^k mod p) mod q
– Let s = (SHA2(x) + a · r) · k^(−1) mod q
– Repeat if r = 0 or s = 0
• Signature is y = (r, s)
– Value k should be destroyed and never reused
Signature Verification
• Given message x and signature y = (r, s)
– Compute u = s^(−1) · SHA2(x) mod q
– Compute t = s^(−1) · r mod q
– Let v = (α^u · β^t mod p) mod q
• Accept iff v = r
• Correctness: v = (α^(u + a·t) mod p) mod q
= (α^(s^(−1) · (SHA2(x) + a·r)) mod p) mod q
= (α^(s^(−1) · k · s) mod p) mod q = (α^k mod p) mod q = r
Remarks on DSA
• Important to check r, s ≠ 0
– If r = 0, then s = SHA2(x) · k^(−1) mod q is independent of the secret key a
– If s = 0, then s^(−1) mod q cannot be computed
– Both events are very unlikely (probability ≈ 2^(−160))
• Operations on both sides (signing and verification) are performed mod q; only one operation (the exponentiation) is performed mod p
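An added example (not from the slides) of the DSA key generation, signing and verification just described, including the parameter generation step (q | p − 1, α of order q) and the r, s ≠ 0 checks from the remarks. Two simplifications are assumptions of this example: the parameter sizes are shrunk to a 256-bit p and a 64-bit q so it runs in well under a second, and SHA2(x) is reduced mod q rather than truncated to the leftmost bits as the standard specifies.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; DSA parameter generation is probabilistic as well."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(p_bits: int = 256, q_bits: int = 64) -> tuple:
    """Shared global values (p, q, alpha): q divides p - 1 and alpha has order q.
    Sizes are shrunk from the 1024/160 bits of the standard (example assumption)."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        m = secrets.randbits(p_bits - q_bits - 1) | 1
        p = 2 * m * q + 1                      # guarantees q | p - 1
        if not is_probable_prime(p):
            continue
        alpha = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
        if alpha != 1:                         # "repeat if alpha = 1"
            return p, q, alpha


P, Q, ALPHA = gen_params()


def h(message: bytes) -> int:
    """SHA2(x) as an element of Z_q (reduction mod q is a simplification here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q


def keygen() -> tuple:
    a = secrets.randbelow(Q - 1) + 1           # private key a in Z_q
    return a, pow(ALPHA, a, P)                 # public key beta = alpha^a mod p


def sign(a: int, message: bytes) -> tuple:
    while True:
        k = secrets.randbelow(Q - 1) + 1       # fresh per-signature k, never reused
        r = pow(ALPHA, k, P) % Q
        s = (h(message) + a * r) * pow(k, -1, Q) % Q
        if r != 0 and s != 0:                  # the checks from "Remarks on DSA"
            return r, s


def verify(beta: int, message: bytes, sig: tuple) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):          # rejects r = 0 or s = 0 outright
        return False
    w = pow(s, -1, Q)
    u = w * h(message) % Q
    t = w * r % Q
    v = (pow(ALPHA, u, P) * pow(beta, t, P) % P) % Q
    return v == r


if __name__ == "__main__":
    a, beta = keygen()
    sig = sign(a, b"pay 1 BTC to P2")
    print("valid:", verify(beta, b"pay 1 BTC to P2", sig))
    print("tampered:", verify(beta, b"pay 2 BTC to P2", sig))
```

Everything except the two exponentiations mod p happens mod q, as the remark says; note also that with DSA the pair (r, −s mod q) does not verify, which is different from the elliptic-curve variant discussed later under transaction malleability.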
Elliptic Curve DSA (ECDSA)
• Variant of DSA using elliptic curve groups
• Signature is 320 bits
• All operations are mod a 160-bit prime (or slightly more)
– Minimum size 163 or 192 bits
• Security depends on hardness of solving DL in an elliptic curve group
Validating Blockchains
• What is needed in order to decide which blockchain is valid?
• One needs to know:
– The initial rules of the game
– The genesis block
• Given many candidates pick the one that:
– Verifies correctly
– Is the longest (i.e., the strongest)
• Verification can take several hours (blockchain size ≈ 70GB as of June 2016)
Summary of Main Features
• Extending the blockchain is computationally hard
• Once a miner finds an extension he broadcasts the new block to everybody
• Users will always accept the longest chain as the valid one
– In practice it is a bit more complex
• How are the miners incentivized to follow these rules?
– Short answer: They are paid in bitcoins!
Where Do These Bitcoins Come From?
• A miner that solves the PoW gets a reward
– 50 BTC for the first 210000 blocks
– 25 BTC for the next 210000 blocks
– 12.5 BTC for the next 210000 blocks
– … and so on
• Note that: 210000 · (50 + 25 + 12.5 + ⋯) = 21000000
More in Detail…
• Each block contains a transaction that transfers the reward to the miner
– A so-called coinbase transaction
• Advantages:
– It provides an incentive to be a miner
– It makes miners interested in broadcasting the new block asap
An Important Feature
• Assuming everybody follows the protocol, the following invariant is maintained:
• Fraction of computing power ≈ fraction of revenue
• This is because P_i’s chances of solving the PoW are proportional to the number of times P_i can evaluate the hash function
Every miner P_i whose computing power is an α_i-fraction of the total computing power mines an α_i-fraction of the blocks
Freshness of the Genesis Block
(Figure: genesis block) Claim to prove: «I did not know the genesis block before Bitcoin was launched (Jan 3, 2009)»
Here is a heuristic proof: «The genesis block contains a hash of a title from a front page of the London Times on Jan 3, 2009.»
Why Does it Matter?
• Otherwise Satoshi could «pre-mine»:
1) Secretly start mining in 1980 and produce a very strong chain
2) Honest miners start working on Jan 3, 2009; since they have less time, after 1 year their chain is still weaker
3) On Jan 3, 2010 publish the secret chain
Checkpoints
• Old block hashes hardcoded into the Bitcoin software
• In theory: Not needed
• Goes against the decentralized spirit of Bitcoin
• But useful in practice:
– Prevents some DoS attacks (flooding nodes with unusable chains)
– Prevents attacks involving isolating nodes and providing them fake chains
– Optimization for the initial blockchain download
Protocol Updates
• The Bitcoin protocol can be updated
• Proposals can be submitted to the Bitcoin foundation in the form of Bitcoin Improvement Proposals (BIPs)
• Only the miners can vote
– Votes included in the minted blocks
– Currently, need 75% approval which roughly corresponds to 75% of computing power
Bitcoin’s Money Mechanics
• Bitcoin is transaction based
• Technically there is no notion of coin
• Users P7 and P8 hold 5 BTC each, whereas user P9 holds 40 BTC
(Figure, transactions in time order:)
25 BTC created by P1 → 25 BTC sent to P2 → 5 BTC sent to P3, 5 BTC sent to P4, 15 BTC sent to P5
25 BTC created by P6
15 BTC from P5 + 25 BTC from P6 → to P9
5 BTC sent to P7, 5 BTC sent to P8
Syntax of Transactions (Simplified)
T1 = «User P1 creates 25 BTC» (created during the mining process)
T2 = «User P1 sends 25 BTC from T1 to P2», signature of P1 on T2
T3 = «User P2 sends 25 BTC from T2 to P3», signature of P2 on T3
(Figure: P1 → P2 → P3)
We say T3 redeems T2
Multiple Output Transactions
T2 = «User P1 sends 10 BTC from T1 to P2; User P1 sends 8 BTC from T1 to P3; User P1 sends 7 BTC from T1 to P4», signature of P1 on T2
(Figure: P1 → P2 (10 BTC), P3 (8 BTC), P4 (7 BTC))
Multiple Input Transactions
T4 = «User P2 sends 10 BTC from T3 to P1; User P3 sends 8 BTC from T3 to P1; User P4 sends 7 BTC from T3 to P1», signature of P2 on T4, signature of P3 on T4, signature of P4 on T4
(Figure: P2 (10 BTC), P3 (8 BTC), P4 (7 BTC) → P1)
All signatures need to be valid
Time Locks
T2 = «User P1 sends 25 BTC from T1 to P2 if time t has passed», signature of P1 on T2
Transaction specifies a time t after which it is considered valid
Measured in blocks or real time
Generalizations
• All these features can be combined
• The total value of incoming transactions can be larger than the total value of outgoing transactions
– The difference is called the fee
– Goes to the miner
• The conditions for redeeming a transaction can be more general (the so-called smart contracts)
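The following added example (not from the slides) implements the validation rules these slides describe for the transaction model: every input must redeem an output that is still unspent, signatures of all inputs must be valid, outputs may not exceed inputs (the difference is the fee), a transaction with a time lock is invalid before time t, and a coinbase transaction may claim only the block reward plus the fees. Signatures are modelled by comparing the signer's name with the output's owner, which is an assumption of this example standing in for ECDSA verification; the transactions T1, T2, T3, T6, T9 are constructed after the graph on the "Money Mechanics" slide.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Output:
    owner: str     # who may redeem it (the slides' P_i); stands in for a pk
    value: int     # amount in BTC (integers keep the example exact)


@dataclass
class Tx:
    txid: str                              # the slides' T_i
    inputs: List[Tuple[str, int, str]]     # (txid redeemed, output index, signer)
    outputs: List[Output]
    locktime: int = 0                      # height after which the tx is valid
    coinbase: bool = False                 # "User P_i creates 25 BTC"


UTXO = Dict[Tuple[str, int], Output]       # the set of currently unspent outputs


def apply_tx(utxo: UTXO, tx: Tx, height: int, budget: int) -> int:
    """Check tx against the unspent outputs and apply it; returns the fee.
    budget: what a coinbase may claim (block reward + fees). Raises ValueError."""
    if height < tx.locktime:
        raise ValueError(f"{tx.txid}: time lock {tx.locktime} not yet passed")
    if any(o.value < 0 for o in tx.outputs):
        raise ValueError(f"{tx.txid}: negative output")
    total_out = sum(o.value for o in tx.outputs)
    if tx.coinbase:
        if tx.inputs or total_out > budget:
            raise ValueError(f"{tx.txid}: coinbase claims more than allowed")
        total_in = total_out
    else:
        total_in, spent = 0, set()
        for ref_txid, idx, signer in tx.inputs:
            key = (ref_txid, idx)
            if key in spent or key not in utxo:       # double spend (or unknown output)
                raise ValueError(f"{tx.txid}: double spend of {key}")
            if utxo[key].owner != signer:             # models "signature must be valid"
                raise ValueError(f"{tx.txid}: bad signature on {key}")
            spent.add(key)
            total_in += utxo[key].value
        if total_out > total_in:
            raise ValueError(f"{tx.txid}: outputs exceed inputs")
        for key in spent:
            del utxo[key]
    for i, out in enumerate(tx.outputs):
        utxo[(tx.txid, i)] = out
    return total_in - total_out


def apply_block(utxo: UTXO, txs: List[Tx], height: int, reward: int) -> UTXO:
    """A block with any invalid transaction is rejected as a whole, so work on a copy."""
    work = dict(utxo)
    fees = sum(apply_tx(work, tx, height, 0) for tx in txs if not tx.coinbase)
    for tx in txs:
        if tx.coinbase:
            apply_tx(work, tx, height, reward + fees)   # fees go to the miner
    return work


def rejected(utxo: UTXO, txs: List[Tx], height: int, reward: int = 25) -> bool:
    """True when the block is invalid; the caller's UTXO set stays untouched either way."""
    try:
        apply_block(utxo, txs, height, reward)
        return False
    except ValueError:
        return True


def balances(utxo: UTXO) -> Dict[str, int]:
    bal: Dict[str, int] = {}
    for out in utxo.values():
        bal[out.owner] = bal.get(out.owner, 0) + out.value
    return bal


# Constructed sample following the slides' transaction graph.
T1 = Tx("T1", [], [Output("P1", 25)], coinbase=True)
T2 = Tx("T2", [("T1", 0, "P1")], [Output("P2", 25)])
T3 = Tx("T3", [("T2", 0, "P2")], [Output("P3", 5), Output("P4", 5), Output("P5", 15)])
T6 = Tx("T6", [], [Output("P6", 25)], coinbase=True)
T9 = Tx("T9", [("T3", 2, "P5"), ("T6", 0, "P6")], [Output("P9", 40)])


def run_example() -> UTXO:
    utxo: UTXO = {}
    utxo = apply_block(utxo, [T1], height=1, reward=25)
    utxo = apply_block(utxo, [T6, T2, T3], height=2, reward=25)
    return apply_block(utxo, [T9], height=3, reward=25)


if __name__ == "__main__":
    print(balances(run_example()))
```

A second attempt to redeem T2 (the double spend from the "Main Design Principles" slides) fails because (T2, 0) is no longer in the UTXO set, and a coinbase that claims more than reward plus fees fails the budget check, which is the rule that keeps a 51% adversary from "generating money without effort".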
Block Structure in More Details
(Figure: a block = block header + transactions; the PoW hash H is computed over the header)
Merkle tree over the transactions: leaves H(TX1), …, H(TX8); internal nodes h00 = H(H(TX1)||H(TX2)), h01, h10, h11; then h0 = H(h00||h01), h1 = H(h10||h11); root = H(h0||h1)
Block header: Prev hash, Salt, TX (the Merkle root of the transactions)
How to Verify Merkle Trees
(Figure: to verify that a transaction TX is in a block one needs the root and the sibling hashes along the path from H(TX) to the root; for TX1 these are H(TX2), h01 and h1)
Proofs have size logarithmic in the number of transactions (equal to the tree depth), and verification requires logarithmically many hash evaluations
Why Merkle Trees?
• Merkle root always of the same small size
– Easily transmittable for pooled mining
– Simplifies writing hashing algorithms in hardware
• Light clients
– No need to process the entire block
• Pruning of old spent transactions
– Old transactions are not needed in order to verify the validity of the blockchain
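An added example (not from the slides) of building the Merkle tree from the two slides above, producing the sibling-hash proof for one transaction, and verifying it against the root the way a light client would. It uses a single SHA-256 as the slides' H; Bitcoin itself hashes with double SHA-256 and, when a level has an odd number of nodes, pairs the last node with a copy of itself, which this code also does so that any number of transactions works, not only the eight on the slide.

```python
import hashlib
from typing import List, Tuple


def H(data: bytes) -> bytes:
    """The slides' hash function H (Bitcoin uses SHA-256 twice here)."""
    return hashlib.sha256(data).digest()


def merkle_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All levels of the tree bottom-up, each one padded to even length
    by duplicating its last node (Bitcoin's rule); the top level is the root."""
    level = [H(tx) for tx in leaves]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    return merkle_levels(leaves)[-1][0]


def merkle_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from the leaf up to the root, with a flag telling
    whether the sibling sits on the left; log2(#transactions) entries."""
    proof = []
    for level in merkle_levels(leaves)[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_proof(tx: bytes, proof: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """What a light client checks: it needs only the transaction, the proof and
    the root from the block header, not the other transactions."""
    node = H(tx)
    for sibling, sibling_is_left in proof:
        node = H(sibling + node) if sibling_is_left else H(node + sibling)
    return node == root


if __name__ == "__main__":
    # Constructed sample transactions TX1..TX8 as on the slide.
    txs = [f"TX{i}".encode() for i in range(1, 9)]
    root = merkle_root(txs)
    proof = merkle_proof(txs, 0)            # for TX1: H(TX2), h01, h1
    print("proof length:", len(proof), "valid:", verify_proof(txs[0], proof, root))
```

Note that a proof verifies the pair (transaction, root) only; the header's PoW is what binds the root to a specific block, so a light client must still check the header chain.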
Mining Pools and Attacks
Solo Mining
• Variance of income too high for solo miners
• Here is a rough estimate:
8,139,095 THash/s (total hash rate as of 10/11/2017) / 7.95 THash/s (ASIC Antminer R4, 2,000 USD) ≈ 1023785.5 ≈ 19.4 · (365 · 24 · 6)
• Waiting time for mining a block ≈ 19 years
Mining Pools
• Miners create cartels called mining pools
• Mining pools are either operated centrally or in a peer-to-peer fashion
• Some of the pools charge fees for their service
– E.g., if the operator gets 25 BTC for mining, then it will share 25 − φ BTC (where φ is the fee)
• Expected revenue is lower on average, but variance is significantly smaller
– Tricky bit: How to prevent cheating? How to reward the miners?
Biggest Mining Pools
(Figure: distribution of hash power among pools as of July 13, 2017)
How to Design a Mining Pool?
(Figure: messages between the mining pool operator and a miner)
Operator → Miner: a transaction T_i and a hash H(B_i), together with the current hardness parameter and the operator’s pk
– T_i includes a coinbase transaction transferring money to pk
Miner: tries to find s_i such that H(s_i, H(B_i), T_i) starts with n zeroes
Miner → Operator: nonce s_i
Once a nonce is found by one of the pool members, each of them is rewarded proportionally to his work
But how to verify how much work a miner did?
Proportional Method
Operator → Miner: a transaction T_i and a hash H(B_i), together with the current hardness parameter and pk
Miner: tries to find s_i such that H(s_i, H(B_i), T_i) starts with n zeroes
Miner → Operator: nonce s_i, but also partial solutions, i.e. values s_i′ such that H(s_i′, H(B_i), T_i) starts with n′ ≪ n zeroes
Amount of work measured in # of partial solutions
Probability of Success
(Figure: three pool members holding proportions α1, α2, α3 of the computing power submit shares over time)
• Probability of the pool winning is α1 + α2 + α3
• Reward for Alice: 25 · α1/(α1 + α2 + α3) BTC
– The number of shares of each member is ≈ proportional to α1, α2, α3 respectively
• Expected reward for Alice: 25 · α1 BTC
Pool Hopping
• What if miners change pool?
– Expected revenue is α_i (from the new pool)
– Plus the revenue from the old pool (small extra)
• It is profitable to escape from pools with lots of share holders
– Because such pools have too many «mouths to feed»
Slush’s Method
• Solution: Use a scoring function that assigns to each share a score σ
• Then assign rewards proportionally to the score σ
• Slush’s scoring function: σ = e^(T/c)
– T: time since the beginning of this round
– c: some constant
• Intuitively this gives an advantage to miners who joined late
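The following added example (not from the slides or from any pool's software) computes a round's payout under the proportional method and under Slush's scoring function σ = e^(T/c), for a constructed list of submitted shares. It also checks that each submitted share really meets the reduced hardness n′, which is how the operator measures work. The share list, the constant c and the fee φ are constructed values.

```python
import hashlib
import math
from typing import Dict, List, Tuple

Share = Tuple[str, float]          # (miner, seconds since the start of the round)


def is_partial_solution(nonce: int, challenge: bytes, n_prime: int) -> bool:
    """Operator-side check of one share: the hash must start with n' zero bits."""
    digest = hashlib.sha256(nonce.to_bytes(8, "big") + challenge).digest()
    return int.from_bytes(digest, "big") >> (256 - n_prime) == 0


def proportional_rewards(shares: List[Share], block_reward: float,
                         fee: float = 0.0) -> Dict[str, float]:
    """Pay (reward - fee) in proportion to the number of shares, regardless of when
    in the round they were submitted."""
    counts: Dict[str, int] = {}
    for miner, _t in shares:
        counts[miner] = counts.get(miner, 0) + 1
    total = sum(counts.values())
    return {m: (block_reward - fee) * c / total for m, c in counts.items()}


def slush_score(t: float, c: float) -> float:
    """Slush's scoring function sigma = e^(T/c) for a share at time T."""
    return math.exp(t / c)


def slush_rewards(shares: List[Share], block_reward: float, c: float,
                  fee: float = 0.0) -> Dict[str, float]:
    """Pay (reward - fee) in proportion to the summed scores, so late shares of a
    round count more than early ones."""
    scores: Dict[str, float] = {}
    for miner, t in shares:
        scores[miner] = scores.get(miner, 0.0) + slush_score(t, c)
    total = sum(scores.values())
    return {m: (block_reward - fee) * s / total for m, s in scores.items()}


def find_partial_solution(challenge: bytes, n_prime: int, start: int = 0) -> int:
    """What a pool member does: search for a nonce meeting the easier target n'."""
    nonce = start
    while not is_partial_solution(nonce, challenge, n_prime):
        nonce += 1
    return nonce


if __name__ == "__main__":
    # Constructed round: Alice's three shares early, Bob's three shares late.
    round_shares = [("alice", 0), ("alice", 10), ("alice", 20),
                    ("bob", 40), ("bob", 50), ("bob", 60)]
    print("proportional:", proportional_rewards(round_shares, 25.0, fee=0.5))
    print("slush:", slush_rewards(round_shares, 25.0, c=20.0, fee=0.5))
```

With equal share counts the proportional method splits the reward evenly, while Slush's method pays Bob several times more than Alice for the same amount of work, which is exactly the effect that removes the incentive to hop away from a pool early in a round.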
Other Methods
• Pay-per-share: Operator pays for each partial solution, no matter if he mined the block
– Risky for the operator (leading to higher fees)
• Score-based: Geometric method, double geometric method…
• Improved pay-per-share
• See also:
– Meni Rosenfeld, Analysis of Bitcoin Pooled Mining Reward Systems, 2011
Security of Mining Pools
• Typically assume the operator is honest
– Because he has a reputation
• Miners are instead untrusted
• We will describe two attacks:
– Sabotage attack
– Lie-in-wait attack
• Both attacks are based on withholding certain blocks
– Similar to the selfish-mining attack (see later)
Sabotage Attack
• Based on submitting only partial solutions
• Results:
– Pool loses money
– Dishonest miner does not earn anything (actually it loses a little bit)
• Ultimate goal: Make the pool go bankrupt
– E.g., because it is a competing pool
(Figure: the miner sends partial solutions to the mining pool operator and receives the reward, but withholds the complete solution)
Lie-in-Wait Attack
(Figure: a miner with 1/3 of the computing power mines for several pools P1, P2, P3)
• Once a solution is found (say for P2)
– Wait before submitting it and mine for P2 only
– Send it to P2 after some time
• Intuition is that this is profitable because P2 is a very likely winner
Peer-to-Peer Mining
• General idea: Miners create a blockchain with hardness parameter n′ ≪ n on top of the last block
– Every B_i^j is a valid extension of B_i (hardness n′)
– Requires the use of other fields in the block
• Parameter n′ chosen in such a way that new blocks appear often (say every 30 sec)
(Figure: Block B_i → Block B_i^1 → Block B_i^2 → Block B_i^3)
How to Do it
(Figure: the sub-blocks B_i^1, B_i^2, B_i^3 built on top of B_i)
B_i^1: nonce, H(B_i), trans., H(·)
B_i^2: nonce, H(B_i), trans., H(B_i^1)
B_i^3: nonce, H(B_i), trans., H(B_i^2)
• The blocks contain extra space that can be used to store the H(B_i^j)
Reward
• Block B_i^k enters the main blockchain as B_{i+1}
• Reward can be computed using some formula
• Each miner is incentivized to behave nicely
(Figure: B_i → B_i^1 (mined by P1, includes a payment to P1) → B_i^2 (mined by P2) → … → B_i^k = B_{i+1} (mined by P_k, solves the full PoW with n zeroes, includes a payment to P1, …, P_{k−1}))
Possible Attack Goals
• Double spending
• Get more money from mining than you should
• Short selling
– Bet that the price of BTC will drop and then destroy the system (i.e., make the price of BTC go to zero)
• Someone (government?) interested in shutting Bitcoin down
The 51% Attack
• An adversary controlling the majority of the computational power cannot
– Steal money from earlier transactions (requires forging a signature)
– Generate money without effort (still needs to solve the PoW)
• However such an adversary can
– Fork the chain and double spend
– Reject all other miners’ blocks
– Exclude certain transactions
Programming Errors
• Block 74638 (Aug 2010) contained a transaction with 2 outputs summing to over 184 billion BTC
– Integer overflow in Bitcoin software
– Solved by software update + manual fork
• Fork at block 225430 caused by an error in the software update
– Solved by reverting to older version
• Moral: Nothing can be fully decentralized
– Sometimes human intervention is needed
Transaction Malleability
• Transactions are identified by their hashes
• One can change the TxId by mauling a signature
– In ECDSA if σ = (r, s) is a valid signature of message m, so is σ′ = (r, −s)
T2 = «User P1 sends 1 BTC from T1 to P2», signature of P1 on T2
TxId = H(T2)
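An added example (not from the slides) showing the property just stated on Bitcoin's actual curve: a pure-Python ECDSA over secp256k1, whose domain parameters below are the real ones, signs a constructed transaction body, and the twin signature (r, n − s) verifies as well while the TxId computed over the serialized transaction changes. The last function is the defender's check: requiring the canonical "low-S" form (s ≤ n/2), as Bitcoin later did, leaves exactly one of the two twins valid. The transaction encoding and txid() are constructed for the example, not Bitcoin's serialization.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def hash256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()   # Bitcoin's double SHA-256


def sign(d, message: bytes):
    e = int.from_bytes(hash256(message), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return r, s


def verify(Q, message: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e = int.from_bytes(hash256(message), "big")
    w = pow(s, -1, N)
    R = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return R is not None and R[0] % N == r


def malleate(sig):
    """The slide's (r, -s): negating s mirrors the point kG, which keeps its x-coordinate r."""
    r, s = sig
    return r, N - s


def is_low_s(sig) -> bool:
    """Canonical-form check: accept only s <= n/2, so each message has one valid encoding."""
    return sig[1] <= N // 2


def txid(tx_body: bytes, sig) -> str:
    """Constructed TxId = H(T2): the hash covers the signature, so mauling it changes the id."""
    r, s = sig
    return hash256(tx_body + r.to_bytes(32, "big") + s.to_bytes(32, "big")).hex()


if __name__ == "__main__":
    d, Q = keygen()
    body = b"User P1 sends 1 BTC from T1 to P2"        # constructed transaction body
    sig = sign(d, body)
    twin = malleate(sig)
    print("original verifies:", verify(Q, body, sig), "twin verifies:", verify(Q, body, twin))
    print("same txid:", txid(body, sig) == txid(body, twin))
    print("exactly one low-S:", is_low_s(sig) != is_low_s(twin))
```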
How to Exploit Malleability
• As a result the TxId changes!
• Often not a problem, as semantically nothing changed
• Problematic for Bitcoin contracts
(Figure: the mauled transaction is what reaches the miners)
Claimed Attack on MtGox
• MtGox cannot see the transaction with TxId H(T) in the blockchain
– As if the transaction did not happen
– Double spending possible
• Decker-Wattenhofer 14: This is probably not true
(Figure: A deposits 1 BTC and withdraws 1 BTC; blocks B_i, B_{i+1}, B_{i+2}, B_{i+3}; transaction «MtGox pays 1 BTC to A»)
Lack of Anonymity
• Bitcoin only guarantees pseudonymity
• Can sometimes be de-anonymized
– Meiklejohn et al.: A Fistful of Bitcoins, 2013
(Figure: three payments of 1 BTC; the addresses can be linked!)
Heuristic solution: (figure)
Hardware Mining
• Evolution of mining habits
– CPU -> GPU -> FPGA -> ASIC
• Several drawbacks
– Makes the whole process non-democratic
– Might be exploited by a very powerful adversary
– Excludes some applications (e.g., mining as micropayment)
• Advantages
– Security against botnets, and makes miners interested in the long-term stability of the system
How long term? Hashrate can go up by 100x in a year
Risks Associated with Pool Mining
• June 2014: The Ghash.io pool got > 50% of the total hash power
– What we were promised: A distributed currency independent of the central banks
– What we got (June 2014): Currency controlled by a single company
• Miners lost control of which blocks they mine
– Not possible to choose Bitcoin transactions
– Common belief: 99% of the miners only care about the highest possible block reward
How to Break Bitcoin?
• Start a number of mining pools with a negative fee
• Wait to get > 50% of the computational power
• Will the miners join?
– Well, yes if they only care about the block reward
• Is Bitcoin secure?
– Need to assume that the majority behaves honestly even if it has incentives not to do so
– Conjecture: Maybe the only reason why it is still unbroken is that nobody really tried to break it
Majority is not Enough (Selfish Mining)
• Ittay Eyal and Emin G. Sirer: Majority is not Enough: Bitcoin Mining is Vulnerable
• Basic idea: When a new block is found, keep it for yourself
• Goal: Make the honest miners waste their effort to mine blocks that will never make it to the blockchain
• The proportion of mined blocks will be higher, yielding a revenue greater than the fair share
Bitcoin is not Incentive Compatible
• Recall with the honest strategy every miner with an α-fraction of computing power gets an α-fraction of the revenue
• But if there is a strategy that is more beneficial than the honest strategy, miners have an incentive to misbehave
– The larger α, the more beneficial the dishonest strategy is
– Hence miners have an incentive to join a large pool that uses this strategy
Simplifying Assumption (Warm-Up)
• What happens if there is a fork?
• Assume that the adversary is always first
– E.g., he puts lots of fake nodes acting as sensors
– We will remove this assumption later
Bitcoin specification: «From two chains of equal length mine on the one that was received first.»
Selfish Mining (Basic Idea)
• Adversary finds a new block and keeps it
• Two things can happen:
– The honest miners find a block: in this case the adversary publishes his own block and loses nothing (being first, his block is the one mined on)
– The adversary finds further blocks: he keeps mining privately and publishes his chain when the public one catches up with it
Towards the Full Attack
• The assumption that the adversary is always first might look unrealistic
• Eyal and Sirer show a modification of the attack that works without this assumption
• Let γ be the probability that an honest miner will choose to mine on the adversary’s chain
• Assume the adversary controls an α-fraction of the computing power
– The other miners hold a (1 − α)-fraction, for α < 1/2
An Observation
• What is the probability that the adversary’s chain is selected?
• Let δ = α + (1 − α) · γ
(Figure: with probability α the adversary extends the chain, so the adversary’s chain gets extended; with probability 1 − α an honest miner extends the chain, and then with probability γ the adversary’s chain gets extended and with probability 1 − γ the honest chain gets extended)
State Transitions
(Figure: states and transitions)
State 0: initial state (no forks)
State 0 → State 1 (probability α): adversary finds a new block
State 1 → State 2 (probability α): adversary finds another block
State 1 → State 0′ (probability 1 − α): honest miners also find a block
State 0′ → State 0 (probability δ): adversary’s block wins
State 0′ → State 0 (probability 1 − δ): honest block wins
Continuing from State 2
State 2 → State 3 (probability α)
State 2 → State 0 (probability 1 − α): adversary publishes his chain ASAP
Resulting State Machine
(Figure: State 0 → State 1 → State 2 → State 3 → State 4 → … with probability α at each step; with probability 1 − α State 1 goes to State 0′, State 2 goes back to State 0, and State k ≥ 3 goes back to State k − 1; State 0′ goes to State 0 with probability 1)
Calculating the Revenue
• The above can be analyzed using the theory of Markov chains
• To compute the revenue:
– Compute the stationary distribution
– Execute one step in the Markov chain according to the transition probabilities
– Multiply the result by the corresponding revenue
• Expected revenue exceeds the honest strategy as long as α > (1 − γ)/(3 − 2γ)
How to Fix it?
• One simple idea is to choose γ = 1/2
– This means choosing which fork to mine on uniformly at random
• The threshold for α moves to ¼
– This means that with such a modification Bitcoin would be secure as long as a ¾-fraction of the computing power is honest
– Smaller than the believed ½-fraction but better than the current reality
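The following added example (not from the slides or from Eyal and Sirer's code) walks the state machine of the previous slides with a seeded random block sequence and measures the withholding miner's share of the main chain, next to the closed-form threshold (1 − γ)/(3 − 2γ). It is the kind of model a protocol designer runs to see where a fork-choice rule leaves an incentive: with γ = 0 an α = 0.3 miner earns less than its fair share, with γ = 1 it earns more, and the uniform tie-break γ = 1/2 from the "How to Fix it?" slide moves the threshold to 1/4. The round counts and seed are constructed values.

```python
import random


def threshold(gamma: float) -> float:
    """Smallest alpha for which withholding beats honest mining: (1 - gamma) / (3 - 2 gamma)."""
    return (1 - gamma) / (3 - 2 * gamma)


def profitable(alpha: float, gamma: float) -> bool:
    return alpha > threshold(gamma)


def simulate_withholding(alpha: float, gamma: float, rounds: int, seed: int = 1) -> float:
    """Run the state machine from the slides for `rounds` found blocks and return the
    withholding miner's fraction of the blocks that end up in the main chain.
    lead  = number of private blocks ahead of the public chain (State lead)
    race  = State 0': two competing chains of equal length"""
    rng = random.Random(seed)
    lead, race = 0, False
    adv, hon = 0, 0
    for _ in range(rounds):
        adversary_found = rng.random() < alpha
        if race:                              # State 0'
            if adversary_found:               # adversary extends his own branch: both blocks win
                adv += 2
            elif rng.random() < gamma:        # honest miner built on the adversary's block
                adv += 1
                hon += 1
            else:                             # honest branch wins, adversary's block orphaned
                hon += 2
            race = False
        elif adversary_found:                 # State k -> State k + 1
            lead += 1
        elif lead == 0:                       # State 0: nothing withheld, honest block counts
            hon += 1
        elif lead == 1:                       # State 1 -> State 0': publish, tie
            lead, race = 0, True
        elif lead == 2:                       # State 2 -> State 0: publish both, honest block orphaned
            adv += 2
            lead = 0
        else:                                 # State k >= 3 -> k - 1: reveal one block, it prevails
            adv += 1
            lead -= 1
    return adv / (adv + hon)


def honest_revenue(alpha: float) -> float:
    """The invariant from the "Important Feature" slide: fraction of power = fraction of revenue."""
    return alpha


if __name__ == "__main__":
    for alpha, gamma in [(0.3, 0.0), (0.4, 0.0), (0.3, 1.0), (0.3, 0.5)]:
        share = simulate_withholding(alpha, gamma, 200_000)
        print(f"alpha={alpha} gamma={gamma}: threshold={threshold(gamma):.3f} "
              f"simulated share={share:.3f} honest={honest_revenue(alpha):.3f} "
              f"profitable={profitable(alpha, gamma)}")
```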
Summary of Other Attacks
• Whale transactions
– Make transactions with huge fees
– Incentivizes miners to mine on old blocks
– Accidentally happened in the past
• Flood attack
– Send a big amount of small transactions
– Countermeasure: Increase transaction fees
• Destroy Bitcoins
– Send Bitcoins to unspendable output addresses to burn them
Consensus
Consensus Protocol
• Fundamental for cryptocurrencies
• Miners need to agree on the state of the blockchain
– What transactions are in the block
– What are the currently unspent transactions
– Which is the valid chain and which are forks
• Theoretically a very well studied problem
– The Byzantine Generals Problem (Lamport et al., 1982)
The Byzantine Generals Problem
• Generals need to decide to attack/retreat
• If some attack and some not they lose (and get killed by the Sultan)
• Main problem: Cheaters
– Can trick honest generals
• Setting: Assume the generals are connected by point-to-point bidirectional channels
• Adversary model: n parties out of which t are malicious
Timing Model
• Describes the uncertainty of message propagation
• Synchronous: Messages arrive within a known time ∆
– If a message does not arrive, the sender is malicious
• Partially synchronous: Messages will eventually arrive, but the time ∆ is unknown
• Asynchronous: No time constraint on message arrival
Setup Assumptions
• Assume a PKI
• All parties know the public keys of the other parties
(1, pk1) (2, pk2) … (n, pk_n)
Problem Statement
• Total of n parties connected by a p2p network
• Maximum t < n parties are malicious
• Input: Each party P_i inputs bit b_i
• Output: Each party P_i outputs bit b_i
(Figure: P1 with input b1 and output b1; P2 with input b2 and output b2; P3 with input b3 and output b3)
Security Definition
• Termination: Protocol terminates after finitely many rounds
– Typically poly(n) (optimal is constant)
• Agreement: All honest parties agree on the same output
– I.e., if P_i, P_j are both honest we have b_i = b_j
• Validity: If the initial values of all honest players are identical, they decide on that value
– I.e., if b_i = b for all honest P_i, each of them outputs b_i = b
Observations
• Trivial to achieve validity or agreement in isolation
• Agreement: every party outputs 0 (figure: Output 0, Output 0, Output 0)
• Validity: every party outputs its own input (figure: Output b1, Output b2, Output b3)
Broadcast Channel
• When a party sends a message it is received by all other parties
(Figure: the sender’s value v is delivered to every other party)
Broadcast versus Byzantine Agreement
• Theorem: If t < n/2 broadcast implies Byzantine agreement
• Proof: Design a protocol for Byzantine agreement
– All parties broadcast their input b_i
– Each party outputs the majority of the received values
– Agreement: All P_i receive the same messages via the broadcast channel (majority uniquely defined)
– Validity: If all honest parties start with the same input b then all honest parties output b (as t < n/2)
Let’s Focus on Broadcast!
• Setup: Total of n parties with sender P_s for some s ∈ [n], out of which t < n malicious
– Only the sender has input
– Honest players decide on output b_i
• Termination: Protocol terminates after a finite number of rounds
• Agreement: For all honest P_i, P_j, b_i = b_j
• Validity: If P_s is honest, all honest parties P_i output b_i = b_s
Dolev-Strong Protocol
• Goal: Implement broadcast using a PKI
• Building block: Digital signatures
• Variables maintained by each P_i
– ACC_i: set of accepted values
– SET_{i,0}: set of signatures received from other parties on message 0
– SET_{i,1}: set of signatures received from other parties on message 1
• Protocol proceeds in 3 stages
Stage 1 (Round r = 0)
• Only the sender P_s is active
• All parties initialize ACC_i = SET_{i,0} = SET_{i,1} = ∅
• P_s sends (v, σ = S(sk_s, v)) to everybody
• Finally P_s terminates and outputs v
Stage 2 (Round r = 1, 2, 3, …)
• If P_i receives (v′, SET) from P_j with v′ ∈ {0,1} and where SET contains valid signatures on v′ from at least r parties (including P_s), then
– ACC_i = ACC_i ∪ {v′}
– SET_{i,v′} = SET_{i,v′} ∪ SET
(Figure: on receiving (v′, SET), P2 sets ACC2 = ACC2 ∪ {v′} and SET_{2,v′} = SET_{2,v′} ∪ SET, and P3 sets ACC3 = ACC3 ∪ {v′} and SET_{3,v′} = SET_{3,v′} ∪ SET)
Stage 2 (Round r = 1, 2, 3, …)
• Each P_i checks if v′ was newly added to ACC_i during round r
• In that case, it computes σ′ = S(sk_i, v′) and sends (v′, SET_{i,v′} ∪ {σ′}) to everybody
(Figure: P2 computes σ′ = S(sk_2, v′) and sends (v′, SET_{2,v′} ∪ {σ′}) to the other parties)
Stage 3 (Final Round)
• Each P_i proceeds as follows
– If ACC_i = {1} return 1
– Else, return 0
Correctness
• Here P_s is honest
• Stage 1: P_s sends (v, σ = S(sk_s, v))
• Stage 2:
– All honest P_i add v to ACC_i in round r = 1 (as σ is accepting) and afterwards resend signatures
– Malicious parties in round r = 1 might send (v′, σ = S(sk_i, v′)) for v′ ≠ v (but this is never accepted in future rounds since it does not contain a signature from P_s)
• Stage 3: All parties output v
Agreement (1/3)
• Assume P_s is malicious (the honest case is as before)
• Situation after round r = 1 (figure: P_s sends (1, S(sk_s, 1)) to P2 and (0, S(sk_s, 0)) to P3)
ACC2 = {1}, SET_{2,1} = {1, S(sk_s, 1)}
ACC3 = {0}, SET_{3,0} = {0, S(sk_s, 0)}
Agreement (2/3)
• Round r = 2 (figure: P2 sends (1, S(sk_s, 1), S(sk_2, 1)) and P3 sends (0, S(sk_s, 0), S(sk_3, 0)); afterwards ACC2 = {0,1} and ACC3 = {0,1})
• Both honest parties output 0 as ACC2, ACC3 ≠ {1}
Agreement (3/3)
• What if P_s sends the message only to one party?
(Figure: P_s sends (1, S(sk_s, 1)) to P2 only, so ACC2 = {1} and SET_{2,1} = {1, S(sk_s, 1)}; in round 2, P2 sends (1, S(sk_s, 1), S(sk_2, 1)) and then ACC3 = {1} as well)
Dolev-Strong Theorem
• Theorem: If the signature scheme is unforgeable the above protocol implements broadcast among n parties, in the synchronous setting with t < n
– Round complexity: Linear in n
– Can be improved to constant with a more complex protocol, assuming t < n/2
• Theorem: Without PKI broadcast is impossible iff t < n/3
Blockchain Consensus
• Some differences:
– No setup is used
– Exact number of participants not known
– Number of participants can change (permissionless)
• Some similarities:
– Only works under the assumption that some parties are honest (measured by PoW)
– Important: Consensus is only achieved over time and only with some probability