Anupam Datta, CMU, Fall 2015

¡ A rational reconstruction of Bitcoin
  1. Start with a strawman design
  2. Identify weaknesses
  3. Augment the design and iterate
¡ Alice: "I, Alice, am giving Bob one coin"
¡ Alice digitally signs the message and announces the bits to everyone.
¡ Properties
  § Establishment of Alice's intent
  § Limited protection from forgery
¡ Weakness
  § Coins are not unique; they can be duplicated
¡ Alice: "I, Alice, am giving Bob one coin, with serial number 8740348"
¡ Alice: "I, Alice, am giving Bob one coin, with serial number 8770431"
¡ A bank issues coins with unique serial numbers, keeps track of who owns which coins, and verifies transactions
¡ Properties
  § Establishment of Alice's intent
  § Better protection from forgery
¡ Weaknesses
  § Need a trusted bank to issue coins, keep track of who owns coins, and verify transactions
  § The bank can link transactions to identities
¡ E-cash lecture on Nov 18
  § Retain the bank
  § Ensure that the bank cannot link transactions to identities
  § Agents cannot double-spend their electronic coins
¡ Key novelty in the Bitcoin design
  § No centralized bank
¡ Everyone maintains a copy of the public ledger (blockchain) of transactions (which keeps track of who owns which coins)
¡ Alice: "I, Alice, am giving Bob one coin, with serial number 8740348"
¡ Bob uses his copy of the blockchain to check that the coin is Alice's; he broadcasts both Alice's message and his acceptance of the transaction to the entire network, and everyone updates their copy of the blockchain.
¡ Weaknesses
  § How to get serial numbers?
  § Double-spending: what if Alice gives the same coin to Bob and Charlie at the same time?
¡ Bob does not verify Alice's coin by himself.
¡ He asks everyone on the network to verify.
¡ When "enough" people confirm that the coin is indeed Alice's, Bob accepts and everyone updates their blockchain.
¡ Weakness
  § Sybil attack: Alice creates many fake agents who lie for her; Alice spends the same coin many times
¡ Make it computationally costly for network users to validate transactions
¡ Reward network users for validating transactions
¡ Properties
  § A Sybil attack won't work unless the dishonest agents put in significant computational resources (fake identities are free, but votes now cost computation)
  § Verifiers are rewarded with a fixed number of bitcoins for a batch of transactions (details soon)
  § Additional ideas ensure that the ledger succinctly maintains the history of all transactions (details soon)
¡ A peer-to-peer digital payment system
¡ A completely decentralized digital currency
  § No central mint to produce currency
  § No central bank to verify transactions
  § Once confirmed, transactions are irreversible
  § Predictable, capped currency supply
¡ Key innovation in Bitcoin: coin production and verification are done by network consensus
¡ There is actually no notion of a "coin"
¡ Bitcoins are exchanged from "wallet" to "wallet"
¡ Transactions are at the heart of the protocol
¡ Wallets are represented by addresses (e.g., 1VayNert…)
  § (An address is derived from the wallet's public key: it encodes a hash of the key, the <pubKeyHash> that appears in the scripts below)
¡ Alice wants to send 1 BTC to Bob
  § She picks a transaction (or a group of transactions) of which she has previously been the recipient and whose outputs cumulatively contain at least 1 BTC
  § She then appends Bob's wallet address to the transaction and digitally signs it
¡ When Bob subsequently wants to spend the 1 BTC, all he has to do is repeat the operation
¡ Bob now has 1 BTC
  § He wants to send it to Charlie…
  § …while keeping it for himself at the same time
¡ To prevent this, Bob (and Alice before him) has to broadcast the transaction to everybody in the Bitcoin network
¡ Then the other peers can verify that the transaction is not a double-spend
¡ Once this is done, the transaction is embedded forever in a public ledger
[Figure: Alice signs two conflicting transfers of the same coin X, Sign_A(Transfer X to B) and Sign_A(Transfer X to C); the blocks containing them form competing branches of the ledger. Longest chain wins.]
Slide credit: Joe Bonneau
[Figure: a chain of transactions. Each transaction has inputs (a scriptSig, signed by the spender of a previous output) and outputs (a scriptPub locking an amount to a recipient).]
  Tx 1  IN:  scriptSig …, scriptSig …
        OUT: scriptPub A, 5.9
             …
  Tx 2  IN:  scriptSig A                 (spends the 5.9 output of Tx 1)
        OUT: scriptPub B, 5.0
             scriptPub A, 0.9            (change back to A)
  Tx 3  IN:  scriptSig A, scriptSig A    (two inputs, both signed by A)
        OUT: scriptPub C, 10.0
  Tx 4  IN:  scriptSig …
        OUT: scriptPub A, 9.2
             …
Slide credit: Joe Bonneau
1.  {"hash":"7c4025...",            // serial number: hash of transaction
2.   "ver":1,                       // protocol version
3.   "vin_sz":1,                    // no. of inputs
4.   "vout_sz":1,                   // no. of outputs
5.   "lock_time":0,                 // transaction finalized after time
6.   "size":224,                    // no. of bytes in transaction
7.   "in":[                         // input of transaction (lines 7-11)
8.     {"prev_out":                 // input is an output of a previous transact.
9.       {"hash":"2007ae...",       // serial number of previous transact.
10.       "n":0},                   // output number of previous transact.
11.     "scriptSig":"304502...042b2d..."}],   // signature and pubkey of sender
12.  "out":[                        // output of transaction (lines 12-14)
13.    {"value":"0.31900000",       // outputs 0.319 BTC
14.     "scriptPubKey":"OP_DUP OP_HASH160 a7db6f OP_EQUALVERIFY OP_CHECKSIG"}]}   // script for verifying transaction
scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
scriptSig: <sig> <pubKey>
Redemption script (the input's scriptSig followed by the spent output's scriptPubKey, run on one stack):
<sig> <pubKey> OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
Slide credit: Joe Bonneau
[Figure: stack evaluation of the redemption script, bottom of stack on the left]
  push <sig>          stack: <sig>
  push <pubKey>       stack: <sig> <pubKey>
  OP_DUP              stack: <sig> <pubKey> <pubKey>
  OP_HASH160          stack: <sig> <pubKey> <pubKeyHash>
  push <pubKeyHash>   stack: <sig> <pubKey> <pubKeyHash> <pubKeyHash>
  OP_EQUALVERIFY      stack: <sig> <pubKey>        (script fails if the two hashes differ)
  OP_CHECKSIG         stack: ✓                     (script fails unless <sig> is a valid signature over the transaction under <pubKey>)
Slide credit: Joe Bonneau
https://en.bitcoin.it/wiki/Script
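A worked version of the redemption script above, added here as an example; it is not code from the slides or from the Bitcoin reference client. It is a minimal stack interpreter for the pay-to-pubkey-hash script, run once with Alice's own key, once with a wrong key (which fails at OP_EQUALVERIFY) and once over a tampered transaction (which fails at OP_CHECKSIG). Assumptions: Lamport one-time signatures built from SHA-256 stand in for Bitcoin's ECDSA so the code needs only the standard library; if the local OpenSSL build lacks RIPEMD-160, `hash160` falls back to a truncated double SHA-256, which is not Bitcoin's definition but leaves the script logic unchanged; the transaction message, the key pairs and the helper names (`run_script`, `verify_spend`, `demo`) are made up for the example.

```python
"""Minimal P2PKH script evaluator (added example, not the slides' or Bitcoin's code).
Lamport one-time signatures replace ECDSA so only hashlib is needed; the stack
machine and opcode semantics are the point."""
import hashlib
import os


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def hash160(b: bytes) -> bytes:
    """Bitcoin HASH160 = RIPEMD160(SHA256(x)). Falls back to a truncated double
    SHA-256 (assumption: NOT Bitcoin's definition) if OpenSSL lacks RIPEMD-160."""
    h = sha256(b)
    try:
        return hashlib.new("ripemd160", h).digest()
    except ValueError:
        return sha256(h)[:20]


# --- Lamport one-time signatures: stand-in for ECDSA (assumption, see lead-in) ---
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(sha256(a) + sha256(b) for a, b in sk)  # 256 pairs of hashes
    return sk, pk


def _bits(msg: bytes):
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> bytes:
    # Reveals one preimage per message bit; a key must be used only once.
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def lamport_verify(pk: bytes, sig: bytes, msg: bytes) -> bool:
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(_bits(msg)):
        expected = pk[i * 64 + bit * 32 : i * 64 + bit * 32 + 32]
        if sha256(sig[i * 32 : (i + 1) * 32]) != expected:
            return False
    return True


# --- Script interpreter ---
def run_script(script, msg: bytes) -> bool:
    """script: list of bytes (data pushes) and str opcodes; msg: the transaction
    bytes OP_CHECKSIG authenticates. Valid iff one truthy value is left."""
    stack = []
    for item in script:
        if isinstance(item, bytes):
            stack.append(item)
        elif item == "OP_DUP":
            stack.append(stack[-1])
        elif item == "OP_HASH160":
            stack.append(hash160(stack.pop()))
        elif item == "OP_EQUALVERIFY":
            if stack.pop() != stack.pop():
                return False  # script fails immediately
        elif item == "OP_CHECKSIG":
            pubkey, sig = stack.pop(), stack.pop()
            stack.append(b"\x01" if lamport_verify(pubkey, sig, msg) else b"")
        else:
            raise ValueError(f"unknown opcode {item}")
    return len(stack) == 1 and stack[0] != b""  # empty vector is false


def p2pkh_script_pubkey(pubkey_hash: bytes):
    return ["OP_DUP", "OP_HASH160", pubkey_hash, "OP_EQUALVERIFY", "OP_CHECKSIG"]


def p2pkh_script_sig(sig: bytes, pubkey: bytes):
    return [sig, pubkey]


def verify_spend(script_sig, script_pubkey, msg: bytes) -> bool:
    """Redemption: scriptSig runs first, then scriptPubKey on the same stack."""
    return run_script(script_sig + script_pubkey, msg)


def demo():
    sk_a, pk_a = lamport_keygen()  # Alice (constructed keys)
    sk_m, pk_m = lamport_keygen()  # Mallory
    tx = b"tx: 5.0 BTC to B, 0.9 BTC back to A"  # constructed transaction bytes
    out_a = p2pkh_script_pubkey(hash160(pk_a))  # output locked to A's address
    good = verify_spend(p2pkh_script_sig(lamport_sign(sk_a, tx), pk_a), out_a, tx)
    # Mallory's pubkey hashes to a different value: fails at OP_EQUALVERIFY
    wrong_key = verify_spend(p2pkh_script_sig(lamport_sign(sk_m, tx), pk_m), out_a, tx)
    # Alice's signature over a different transaction: fails at OP_CHECKSIG
    tampered = verify_spend(p2pkh_script_sig(lamport_sign(sk_a, tx), pk_a), out_a,
                            tx + b" and 10 BTC to M")
    return good, wrong_key, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point to take away is in `run_script`: OP_EQUALVERIFY ties the spender's presented public key to the address the output was locked to, and OP_CHECKSIG ties the spend to whoever holds the matching private key; changing either the key or the transaction bytes makes the script fail, which is what "Bob uses his copy of the blockchain to check that the coin is Alice's" amounts to mechanically.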
¡ Coin production is embedded in the verification process
¡ Verifiers ("miners") verify batches of transactions at once
  § In exchange, they are allowed to add a "creation" (coinbase) transaction to the batch and give themselves a fixed amount of money
    ▪ 50 BTC originally, 25 BTC now (Fall 2015); the amount halves every 210,000 blocks, roughly every four years
  § Verification is combined with a "proof-of-work" scheme to ensure
    ▪ that transactions have proper timestamping
    ▪ that currency production is rate-limited
¡ Miners solve a cryptographic puzzle: find x such that H(x || l) < y, where l is the batch of transactions and y is the current target.
¡ There is no good algorithm to solve this (H is a cryptographically secure hash function)
  § Brute force: try x = 0, x = 1, x = 2, x = …
  § The lower y, the harder the puzzle
¡ The difficulty is tunable: by protocol rule, the target y is adjusted to be inversely proportional to the total computational power of the network, so the difficulty grows in proportion to it
¡ The goal is to have one block every ten minutes
  § Predictable supply of currency (independent of the difficulty)
  § But this limits how quickly transactions can be verified
    ▪ Confirmation takes at least 10 minutes; waiting about 60 minutes (six blocks) is usually recommended
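The puzzle, the chaining of batches, the longest-chain rule from the double-spend figure and the retargeting rule, carried through as an added example (not code from the slides or from Bitcoin Core). Assumptions that simplify real Bitcoin: the batch l is the previous block's hash plus the raw transaction strings rather than an 80-byte header with a Merkle root; the target is a plain integer rather than the compact "bits" encoding; retargeting takes one observed interval instead of a 2016-block window; and the fork rule counts blocks rather than cumulative work, which coincides only because the target is constant here. Block contents and names such as `solve`, `mine_block` and `retarget` are made up.

```python
"""Proof-of-work puzzle H(x || l) < y, a toy chain built from it, longest-chain
selection and target retargeting (added example; simplifications in the lead-in)."""
import hashlib
import struct


def H(x: int, l: bytes) -> int:
    """H(x || l) as a 256-bit integer; double SHA-256 like Bitcoin's block hash."""
    data = struct.pack("<Q", x) + l
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big")


def target(leading_zero_bits: int) -> int:
    """y = 2^(256 - k): a hash below y starts with k zero bits, so brute force
    needs about 2^k tries on average. Lower y, harder puzzle."""
    return 1 << (256 - leading_zero_bits)


def solve(l: bytes, y: int, max_tries: int = 1 << 24) -> int:
    """Brute force x = 0, 1, 2, ... until H(x || l) < y."""
    for x in range(max_tries):
        if H(x, l) < y:
            return x
    raise RuntimeError("no solution within max_tries")


def batch_bytes(prev_hash: int, txs: list) -> bytes:
    """l: the block content. Including the previous block's hash chains the blocks
    and timestamps the batch: altering an earlier tx breaks every later proof."""
    return prev_hash.to_bytes(32, "big") + b"\n".join(t.encode() for t in txs)


def block_hash(block: dict) -> int:
    return H(block["nonce"], batch_bytes(block["prev"], block["txs"]))


def mine_block(prev_hash: int, txs: list, y: int) -> dict:
    return {"prev": prev_hash, "txs": list(txs), "nonce": solve(batch_bytes(prev_hash, txs), y)}


def valid_chain(chain: list, y: int) -> bool:
    """Every block must meet the target and point at the hash of its predecessor."""
    prev = 0  # assumption: the genesis block points at hash 0
    for b in chain:
        if b["prev"] != prev or block_hash(b) >= y:
            return False
        prev = block_hash(b)
    return True


def choose_chain(chains: list, y: int) -> list:
    """Longest valid chain wins (equals most work only because y is constant)."""
    valid = [c for c in chains if valid_chain(c, y)]
    return max(valid, key=len) if valid else []


def retarget(y: int, actual_seconds: int, expected_seconds: int) -> int:
    """Scale y by how long the last interval took versus the 10-minute goal: blocks
    arriving twice as fast (twice the hash power) halve y, doubling the difficulty.
    Like Bitcoin, the change per adjustment is clamped to a factor of 4."""
    actual = max(expected_seconds // 4, min(expected_seconds * 4, actual_seconds))
    return y * actual // expected_seconds


def demo():
    y = target(12)  # ~4096 expected tries per block: fast enough to run here
    g = mine_block(0, ["coinbase: 25 BTC to miner1"], y)
    honest = [g, mine_block(block_hash(g), ["A -> B: 1 BTC", "coinbase: 25 BTC to miner2"], y)]
    # Alice's double spend: a competing branch from the genesis block paying C instead
    fork = [g, mine_block(block_hash(g), ["A -> C: 1 BTC", "coinbase: 25 BTC to miner_a"], y)]
    honest.append(mine_block(block_hash(honest[-1]), ["coinbase: 25 BTC to miner3"], y))
    winner = choose_chain([honest, fork], y)
    # Rewriting a confirmed tx in place: the hashes no longer link, so the chain is rejected
    tampered = [dict(b) for b in honest]
    tampered[1] = dict(tampered[1], txs=["A -> C: 1 BTC", "coinbase: 25 BTC to miner2"])
    return {
        "winner_is_honest": winner is honest,
        "tampered_valid": valid_chain(tampered, y),
        "half_time_halves_target": retarget(y, 300, 600) == y // 2,
    }


if __name__ == "__main__":
    print(demo())
```

Two things to notice when running it: the double-spending branch loses only because the honest side mined one more block, so the "at least 10 minutes, preferably six blocks" advice is really a statement about how much work an attacker would have to outpace; and the tampered chain fails not because anyone remembers the original text, but because the stored nonces no longer satisfy H(x || l) < y for the altered l.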
¡ In addition to the bonus they get for mining, miners get "transaction fees"
  § The leftover "change" a sender voluntarily leaves in a transaction: the amount by which its inputs exceed its outputs
¡ Because the bonus decreases over time, the expectation is that transaction fees will increase over time to make up for the lost mining revenue
Courtesy: Brian Warner
• 2^64 hashes per block (every 10 minutes!)
• 2^75 hashes in 2013
  o In exchange for ~US$250M
• Consuming >100 MW
Slide credit: Joe Bonneau
¡ Become a miner
  § Nowadays only profitable with dedicated (ASIC) hardware
¡ Buy at an exchange
  § Camp BX, Bitstamp, BTC-e, Coinbase…
  § (Mt. Gox, before they went bankrupt)
  § Very high concentration: most money changes hands through a few exchanges
    ▪ Exchanges fail pretty often…
  § Increasingly scrutinized by regulators
¡ Buy from individuals
  § Satoshi Square in NYC
¡ As a speculative instrument
  § People invest in BTC, betting on its rising value
  § Dominant use thus far
¡ As a currency
  § The only currency accepted on underground marketplaces (Silk Road, Evolution, …)
    ▪ (Except for Litecoin, which is a clone of Bitcoin)
    ▪ Because of its "anonymity properties"
    ▪ Still relatively modest
    ▪ Total Silk Road revenue in the first half of 2012 corresponded to about $15M per year
  § Gambling, poker sites
    ▪ Large number of transactions, but the volume is not very high
  § Other uses still in their infancy
    ▪ Campaign contributions, online stores (e.g., Overstock), etc.
¡ Wallets are public/private key pairs
  § You can create as many as you want
  § Think of them as zero-cost pseudonyms
¡ There is no central authority issuing bitcoins or vetting transactions
¡ This means Bitcoin is anonymous, right? NO!
¡ Anonymity here would mean unlinkability of transactions
¡ The entire ledger of all transactions is available, forever
  § Technically in a compressed form, but transaction chains can all be reconstructed
¡ Even if you add intermediary dummy wallets as extra hops, the source and the destination of a transaction can be linked by graph analysis…
  § Something that computer scientists know how to do!
    ▪ Reid & Harrigan, 2011
    ▪ Shamir & Ron, 2012
    ▪ Meiklejohn et al., 2013
¡ Families of wallets can be pooled together as belonging to the same actual user…
¡ …and if somehow you can get the user's identity, the game is over
¡ Mixers
¡ Did Alice give 10 BTC to Charles or Daisy?
[Figure: Alice and Bob each send 10 BTC into the Mixer; the Mixer sends 10 BTC to Charles and 10 BTC to Daisy]
¡ Mixers in practice
¡ Need to also introduce arbitrary delays
¡ Introduction of change addresses, etc.
¡ The mixer can be dishonest!
[Figure: Alice sends 5 BTC and Bob sends 10 BTC into a Mixer that keeps 5%; the Mixer pays out 4.75 BTC and 9.5 BTC to Charles and Daisy]
¡ It's unclear how good existing Bitcoin mixers are
  § Key difference from message mixing (Tor, mixnets)
    ▪ You can't implement arbitrary "padding": money has to go somewhere eventually
  § Possible measure: taint
    ▪ The fraction of the money at an output that can be traced back to a given source
  § Recent research suggests existing mixers are not effective or are downright dishonest
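Two of the ledger-analysis ideas above, pooling wallets that belong to one user and measuring taint, worked on a constructed toy ledger as an added example (not code from the slides or from the cited papers). The pooling rule is the common-input heuristic used in that literature: addresses whose outputs are spent together as inputs of one transaction are assumed to have one owner, since one wallet signed for all of them. Taint is computed as the value-weighted fraction of each output that originates from a chosen set of source addresses. The ledger, the address names (a1, b1, c1, …) and the helper names (`cluster_common_input`, `taint`, `demo`) are made up; the mixing transaction is included deliberately to show where the common-input heuristic misfires and why taint survives a mixer that has only two participants.

```python
"""Common-input clustering and taint on a constructed ledger (added example)."""
from fractions import Fraction

# Ledger in order. Inputs are (txid, output index) outpoints spending earlier
# outputs; outputs are (address, value). Constructed data, not real transactions.
LEDGER = [
    {"id": "cb_a", "in": [], "out": [("a1", 6), ("a2", 4)]},          # coinbase to Alice
    {"id": "cb_b", "in": [], "out": [("b1", 5)]},                     # coinbase to Bob
    {"id": "tx1", "in": [("cb_a", 0), ("cb_a", 1)],                    # Alice spends a1+a2 together
     "out": [("s1", 5), ("a3", 5)]},                                   # pays shop s1, change to a3
    {"id": "mix", "in": [("tx1", 1), ("cb_b", 0)],                     # mixer tx: Alice's a3 + Bob's b1
     "out": [("c1", Fraction(19, 4)), ("d1", Fraction(19, 4))]},       # 4.75 each; mixer keeps 0.5
]


def outputs_by_outpoint(ledger):
    return {(tx["id"], i): out for tx in ledger for i, out in enumerate(tx["out"])}


# --- (1) common-input heuristic with union-find ---
def cluster_common_input(ledger):
    """Addresses spent as inputs of the same tx get one cluster root.
    Caveat (shown in demo): a CoinJoin/mixer tx with inputs from several users
    makes the heuristic merge those users wrongly."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        parent[find(a)] = find(b)

    outs = outputs_by_outpoint(ledger)
    for tx in ledger:
        addrs = [outs[op][0] for op in tx["in"]]
        for a in addrs[1:]:
            union(addrs[0], a)
    for tx in ledger:
        for addr, _ in tx["out"]:
            find(addr)  # register addresses that were never spent
    return {a: find(a) for a in parent}


# --- (2) taint ---
def taint(ledger, sources):
    """Fraction of each output's value that traces back to `sources` (addresses).
    Every output of a tx inherits the value-weighted taint of the tx's pooled
    inputs; a fee reduces all outputs proportionally. Exact via Fraction."""
    outs = outputs_by_outpoint(ledger)
    t = {}
    for tx in ledger:
        if not tx["in"]:  # coinbase: fresh coins are tainted only if paid to a source
            for i, (addr, _) in enumerate(tx["out"]):
                t[(tx["id"], i)] = Fraction(1) if addr in sources else Fraction(0)
            continue
        total = sum(Fraction(outs[op][1]) for op in tx["in"])
        pooled = sum(Fraction(outs[op][1]) * t[op] for op in tx["in"]) / total
        for i in range(len(tx["out"])):
            t[(tx["id"], i)] = pooled
    return t


def demo():
    clusters = cluster_common_input(LEDGER)
    alice_taint = taint(LEDGER, {"a1", "a2"})
    return {
        "a1_a2_same_user": clusters["a1"] == clusters["a2"],   # correct: Alice's outputs
        "a1_b1_different": clusters["a1"] != clusters["b1"],
        "mix_merges_a3_b1": clusters["a3"] == clusters["b1"],  # misfire caused by the mixer tx
        "taint_at_c1": alice_taint[("mix", 0)],                # 1/2: half of c1 is Alice's despite mixing
        "taint_at_s1": taint(LEDGER, {"a1"})[("tx1", 0)],       # 3/5: a1 supplied 6 of tx1's 10 input coins
    }


if __name__ == "__main__":
    print(demo())
```

With only Alice and Bob feeding the mixer, taint analysis says exactly half of what Charles and Daisy receive came from Alice, which is the "money has to go somewhere" problem: unlike a mixnet, the mixer cannot add padding, so the anonymity set is never larger than the set of people who paid into it.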
¡ Slides 2-10, 15, 18, 21 are mine
¡ Thanks to Nicolas Christin for all other slides
[Charts: bitcoinwisdom.com]
Slide credit: Joe Bonneau
[Photo: Chilkoot Pass, Klondike, 1898]
Slide credit: Joe Bonneau