sending BTC - Complexity and Algorithms Group

Report
IS THERE A THEORY BEHIND
BITCOIN?
Thomas Holenstein
ITS Science Colloquium, Nov 6, 2014
Goal of this Talk
Part I: What is Bitcoin?
Approach: technical
 Requires digital signatures and random
oracles.

Goal of this Talk
Part II: Bitcoin research
What are researchers doing?
 What are the open problems?

Disclaimer: I own some
bitcoin.
Part I: What is Bitcoin?
What is Bitcoin?



Analogies don’t help…
Instead, we focus on the system: we
explain how Bitcoin works.
This means: we explain the protocol.
Basics: Digital Signatures
Digital Signature
Key Generation
Signing
Verification
Bob
Alice
Alice
(Public)
Alice
(Secret)
Digital Signature
Key Generation
Bob
Alice
Signing
Alice
(Public)
Verification
Alice
(Secret)
Digital Signature
Key Generation
Signing
Goal: Bob should be sure
that the message
originates from Alice.
Verification
Alice
(Public)
Bob
Message
Alice
Alice
(Public)
A
Alice
(Secret)
Digital Signature
Key Generation
Secret
Key
Public Key
Secret
Key
Message
Signing
Message
A
Public Key
A
Verification
Security (informal): You cannot produce
valid signatures without the secret key.
Attempt #1
We now try to build bitcoin…
… but we will fail.
Goals

We want some kind of “digital money”.

Everyone can participate.

No central instance – no bank.
Setting


A network of computers.
Every computer can send messages to some
other computers.
Basic idea


Every computer maintains a
table: “who owns what?”
We will need: all
computers have the same
table.
Remark: The public keys are
just bit strings.
Alice
(Public)
10 BTC
Bob
(Public)
0.2 BTC
Charlie
(Public)
17 BTC
Dora
(Public)
0.001 BTC
Eliza
(Public)
2 BTC
Sending Bitcoins
To send money, we use transactions. These are
messages like this:
Transfer
0.1 BTC
from
Alice
(Public)
to
Bob
(Public)
A
In “short”, transactions
look like this:
$ F
T
Sending Bitcoins
I’LL send 0.1
Bitcoin to Bob.
$
F
T
Alice
Protocol: sending BTC
1.
2.
Craft a transaction.
Give it to your
computer.
Protocol: participating
On valid transactions:
1. Update ledger
2. Relay transaction
Double Spending
Thank
s!
I can exploit this!
Bob
Black Hat
These transactions
spend previously Thank
s!
spent bitcoins!
Black Hat prepares
two transactions:
Alice
: Give BTC from Black Hat to Alice
: Give BTC from Black Hat to Bob
Double Spending


The bad guy spends the same Bitcoins with two
different transactions
and
.
Computers receiving transaction
will have a
different ledger than computers receiving
transaction
.
Consensus Protocols




We need a protocol to agree on a transaction.
“Consensus protocols”. Studied since 1980, starting
with Pease, Shostak, Lamport.
Huge literature!
Main idea for protocols:
What transaction
are you using?
Protocols work if
(say) > 70% of the
computers follow the
protocol.
This solution does not help us!
Design goal:

Everyone can participate.
By running a special program,
a bad guy controls many
I will gladly participate…
With 1 000 virtual machines! virtual computers.
Like this, he can make
different participants believe
different things.
Basics: Random Hashfunctions
Random Hash Functions
(Random Oracles)
A random hash function is
RH: TextFile → {0, … , 2 − 1}
where all outputs are chosen uniformly at random,
RH
independent of each other.
Example:
 ≔ RH "text"
// x = 44709335
my friends //
computer
in the US:
 ≔ RH On
"next"
x = 53639915
≔ RH "text"
// x = 44709335
 ≔ RH "text"
// x = 44709335
Random Hash Function
In practice, we hope that SHA256 behaves “like a
random oracle”.
SHA256: TextFiles → 0, … , 2256 − 1
Calculation: If we made all computers on the world
compute SHA256…
It takes ~“40 × 14 ⋅ 109 years” to find 1 ≠ 2 s.t.
SHA256 1 = SHA256 2 .
Bitcoin’s consensus protocol
Step 1: How does the protocol look like?
Step 2: What happens if people cheat?
Blocks
A block  contains
 RH(′) for another block ′,
 a list of transactions,
 and an arbitrary number
“nonce”.
Block  is valid if the
first  = 5 digits of the
hash of  are all zero.
0000031105830
8046465385222
RH
0000077326777
Blocks
If we have a block, we can
find a “next block”:
Take RH(′) from the previous
block ′. Add transactions.
=
Try different values for this
string until the hash starts with
 zeros.
Blocks
If we have a block, we can
find a “next block”:
Take RH(′) from the previous
block ′. Add transactions.
=
Try different values for this
string until the hash starts with
 zeros.
Bitcoin chooses  such that this
takes ~10 minutes.
A Tree of Blocks
=
If we have a block, with a
bit of work, we can find a
“next block”…
...and yet another “next
block”…
…or a block which
continues here…
… and so on.
A Tree of Blocks
In general, we can build a tree
of blocks like this.
But only ever downwards!
The Protocol for Finding Blocks
Protocol: finding blocks
1.
2.
3.
4.
Take the longest chain you
can find.
Collect transactions.
Find a new valid block here.
Publish it.
The Protocol for Participants
Protocol: To know who owns BTC
1.
2.
Take the longest chain you can
find.
Process the transactions in this
chain in order.
Why work to find blocks?
Many people are trying to find blocks, which uses a
lot of resources…
A real lot!
This is called “mining”.
Block reward
If you find a block, you get bitcoins as a reward.
Transfer
0.1 BTC
from
Alice
(Public)
to
Bob
(Public)
Fee:
Every transaction
specifies a fee. It goes
to the person who puts
the transaction into a
valid block.
0.001A
BTC
A
Recap: The Bitcoin Protocol
Protocol: participate
 Relay
valid transactions.
 Relay valid blocks in the longest chain.
 Work with the longest chain.
Protocol: miners
 Collect
valid transactions.
 Publish valid blocks which extend the longest
chain.
Bitcoin’s consensus protocol
Step 1: How does the protocol look like?
Step 2: What happens if people cheat?
Double Spends
I found a valid block!
I can exploit this!
Bob
Black Hat
Once a block is found, the
double spends vanish.
Alice
Occasionally, two people find blocks at around the same
time… but typically the problem disappears.
Build an Alternate Chain?
Maybe I should
build another
chain?
The more RH-calls are
devoted to a chain, the
faster it grows.
Thus, intuitively: to build
a chain as fast as the
rest, you need as many
RH-calls as the rest.
Part II: Bitcoin Research
Understanding Bitcoin
Bitcoin was deployed with basically no
theoretical foundation.
 Is the system secure? What gives it security?
 What will rational agents in the Bitcoin network
do?
 What are possible attacks?

Understanding Bitcoin



Ideally, we would want a model which captures
the “important aspects”.
We then want theorems which describe the
results.
Some of the following research goes into this
direction.
Understanding Bitcoin: References

Babaioff, Dobzinski, Oren, Zohar (2012). On

Bitcoin and red balloons



the price of one? Double-spending attacks on fast
payments in Bitcoin
Bahack (2013). Theoretical Bitcoin attacks with less
I omit many references…
also
Kroll, Davey,
Felten (2013). The economics of Bitcoin
mining, or Bitcoin in the presence of adversaries
the -following!
Barber, Boyen, Shi, Uzun (2012). Bitter in
to better
than half of the computational power

how to make Bitcoin a better currency

Becker, Breuker, Heide, Holler, Rauer, Bóhme
(2012). Can we afford integrity by proof-of-work?
http://bitcointalk.org
Bonneau, Narayanan (2014). Better in practice than
in theory: lessons from the rise of Bitcoin



Eyal, Sirer (2014). Majority is not enough: Bitcoin
mining is vulnerable

Garay, Kiayias, Leonardos (2014). The Bitcoin
backbone protocol: analysis and applications
Nakamoto (2008). Bitcoin: a peer-to-peer electronic
cash system

Raulo (2011). Optimal pool abuse strategy

Todd (2013). How a floating blocksize limit inevitably
leads towards centralization
Courtois, Grajek, Naik (2013). The unreasonable
fundamental incertitudes behind Bitcoin mining
Möser, Böhme, Breuker (2014). Towards risk scoring
of Bitcoin transactions
Scenarios inspired by the Bitcoin currency

Karame, Androulaki, Capkun (2012). Two Bitcoins at

… many more.
Understanding Bitcoin:
Open Problem
There are some aspects of Bitcoin which will change:
 The initial block reward will vanish.
 I believe: the network will grow or go away.
What are the effect of such changes?
(There is previous work which studies this).
Improving Bitcoin
New technology gives new choices. How do we
choose?
 Try to make the system more powerful.
 Try to make the design:
 more
secure,
 faster,
 less wasteful.
Improving Bitcoin: References

Back, Corallo, Dashjr, Friedenbach, Maxwell,
Miller, Poelstra, Timón, Wuille (2014). Enabling
Blockchain Innovations with Pegged Sidechains



Miners: Fresh Bitcoins […]
Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013).

Lee (2013). Litecoin
SNARKs for C: Verifying Program Executions Succinctly
and in ZK

Maxwell (2013). Really Really ultimate blockchain
Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies
Buterin (2013). Ethereum White Paper.

Dziembowski, Faust, Kolmogorov, Pietrzak (2013).
Proofs of Space
etotheipi, maaku, et al. (2012). Ultimate blockchain
compression w/ trust-free […]
Hearn (2013). Decentralised crime fighting using
King, Nadal (2012). PPCoin: Peer-to-Peer CryptoCurrency with Proof-of-Stake
compression: CoinWitness

Miller, Shi, Kosba, Katz (2014). Nonoutsourceable
Scratch-Off Puzzles to Discourage Bitcoin Mining
Coalitions
Bonneau, Clark, Miller (2014). FawkesCoin: A


Heilman (2014). One Weird Trick to Stop Selfish

cryptocurrency without public-key cryptography


Bamert, Decker, Elsen, Wattenhofer, Welten
(2013). Have a Snack, Pay with Bitcoin
without Proof of Work

private set intersection protocols

Sompolinsky, Zohar (2013). Accelerating Bitcoin's
Transaction Processing: Fast Money Grows on Trees, Not
Chains

Todd (2014). Tree-chains preliminary summary.
Improving Bitcoin: Open Problem



Computing SHA256 around 2 × 1017 times per
second seems like a big waste of energy.
Back of the envelope calculation gives a daily
energy use of 5’000’000+ kWh (~ 500’000+ CHF)
Can we improve the situation?
(There is previous work which studies this).
Anonymity



Every transaction is broadcast and stored.
On the other hand, a priori nobody knows who
owns which public key.
Is Bitcoin anonymous?
Anonymity: References






Androulaki, Karame, Roeschlin, Scherer,
Capkun (2013). Evaluating user privacy in
Bitcoin
Biryukov, Pustogarov (2014). Bitcoin over Tor
isn't a good idea
Gervais, Karame, Gruber, Capkun (2014).
On the privacy provisions of Bloom filters in
lightweight Bitcoin clients
Koshy, Koshy, Mcdaniel (2014). An analysis
of anonymity in Bitcoin using P2P network
traffic
Meiklejohn, Pomarole, Jordan, Levchenko,
McCoy, Voelker, Savage (2013). A Fistful Of
bitcoins: Characterizing payments among
men with no names
Ober, Katzenbeisser, Hamacher (2013).
Structure and anonymity of the Bitcoin
transaction graph





Reid, Harrigan (2012). An analysis of
anonymity in the Bitcoin system
Ron, Shamir (2014). How did dread pirate
Roberts acquire and protect his Bitcoin
wealth?
Ron, Shamir (2013). Quantitative analysis of
the full Bitcoin transaction graph
Spagnuolo, Maggi, Zanero (2014). BitIodine:
Extracting intelligence from the Bitcoin
network
theymos (2010). Anonymity
Improve Anonymity: References




Ben-Sasson, Chiesa, Garman, Green,
Miers, Tromer, Virza (2014). Zerocash:
decentralized anonymous payments
from Bitcoin
Bonneau, Clark, Kroll, Miller,
Narayanan. Mixcoin (2014).
Anonymity for Bitcoin with accountable
mixes
Danezis, Fournet, Kohlweiss, Parno
(2013). Pinocchio Coin: building
Zerocoin from a succinct pairing-based
proof system
Garman, Green, Miers, Rubin (2014).
Rational zero: Economic security for
Zerocoin with everlasting anonymity




Ladd (2012). Blind signatures for
Bitcoin transaction anonymity
Maxwell (2013). CoinJoin: Bitcoin
privacy for the real world
Miers, Garman, Green, Rubin (2013).
Zerocoin: Anonymous distributed e-cash
from Bitcoin
Saxena, Misra, Dhar (2014). Increasing
anonymity in Bitcoin
Build on Top of Bitcoin
If Bitcoin works, we can use the technology for other
things.

Use Bitcoin as a building block

Use the blockchain technology for new applications.
Build on top of Bitcoin





Andrychowicz, Dziembowski,
Malinowski, Mazurek (2014).
Secure Multiparty Computations on
Bitcoin
Back, Bentov (2014). Note on fair
coin toss via Bitcoin.
Bentov, Kumaresan (2014). How to
Use Bitcoin to Design Fair Protocols
Clark, Bonneau, Felten, Kroll, Miller,
Narayanan (2014). On
Decentralizing Prediction Markets
and Order Books.
Clark, Essex (2012). CommitCoin:
Carbon Dating Commitments with
Bitcoin


Finney et al. (2010). Bitcoin overlay
protocols
Miller, Juels, Shi, Parno, Katz
(2014). PermaCoin: Repurposing
Bitcoin Work for Data Preservation
Study the behavior
Another approach is look at the current system.

What are people doing?

What happens in the network?
Study the behavior






Decker, Wattenhofer (2013).
Information Propagation in the Bitcoin
Network
Decker, Wattenhofer (2014). Bitcoin
Transaction Malleability and MtGox
Donet Donet, Pérez-Solà, Herrera
(2014). The Bitcoin P2P network
Gandal, Halaburda (2014).
Competition in the Crypto-Currency
Market.
Johnson, Laszka, Grossklags, Vasek,
Moore (2014). Game-Theoretic
Analysis of DDoS Attacks Against
Bitcoin Mining Pools
Plohmann, Gerhards-Padilla (2012).
Case study of the miner botnet


Vasek, Thornton, Moore (2014).
Empirical Analysis of Denial-of-Service
Attacks in the Bitcoin Ecosystem
Moore, Christin (2013). Beware the
Middleman: Empirical Analysis of
Bitcoin-Exchange Risk
Economics and Policy

What are the economic foundations behind
Bitcoin?

Does it make sense that Bitcoin has value?

Do law makers have to react to Bitcoin?
Economics and Policy

economics of digital currencies


Brito, Castillo (2013). Bitcoin: A primer for
policymakers.


Dion (2014): Bitcoin, regulating fraud in the economy of

Doguet (2013): The nature of the form: Legal and
regulartory issues surounding the Bitcoin digital currency
system

Elwell, Murphy, Seitzinger (2014). Bitcoin: questions,

European Central Bank (2012). Virtual currency
Luther, White (2014). Can Bitcoin Become a Major
Currency?

Marian (2013). Are cryptocurrencies 'super' tax havens?

Mimic (2014). Regulatory challenges of alternative ecurrency; Comparative analysis of Bitcoin model in US
and EU jurisdictions

Möser, Böhme, Breuker (2013). An inquiry into money
laundering tools in the Bitcoin ecosystem

Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that
right?
answers, and analysis of legal issues

Hileman (2014). From Bitcoin to the Brixton pound:
history and prospects for alternative currencies
Hacker-Cash

Güring, Grigg (2011). Bitcoin & Gresham's Law - the
economic inevitability of collapse
Brito, Shadab, Castillo (2014). Bitcoin financial
regulation: securities, derivatives, prediction markets, &
gambling
Grinberg (2011). Bitcoin: An innovative alternative
digital currency
Boehm, Pesch (2014). Bitcoin: a first legal analysis with reference […]


Andolfatto (2014). Bitcoin and beyond: the possibilities
and pitfalls of virtual currencies

schemes
Ali, Barrdear, Clews, Southgate (2014). The

Yermack, (2013). Is Bitcoin a real currency? [...]
More research






Bergstra, Leeuw (2014). Bitcoin and beyond:
exclusively informational monies
Lo, Wang (2014). Bitcoin as money?
Luther (2013). Cryptocurrencies, network
effects, and switching costs
Maurer, Nelms, Swartz (2013). "When
perhaps the real problem is money itself!":
the practical materiality of Bitcoin
Rotman (2014). Bitcoin versus electronic
money
Graf (2014). Sidechained Bitcoin substitutes:
A monetary commentary
… many more! Apologies to
everyone whose research I
missed or forgot to list!
Thanks to

Alessandro Chiesa

Christian Decker
Everyone for listening!
Sources
blockchain.info
xkcd.com
bitcoincharts.com
KnCMiner.com

similar documents