Is there a Theory behind Bitcoin?


Is there a Theory behind Bitcoin?
Thomas Holenstein ITS Science Colloquium, Nov 6, 2014

Goal of this Talk
Part I: What is Bitcoin? Approach: technical. Requires digital signatures and random oracles.
Part II: Bitcoin research. What are researchers doing? What are the open problems?
Disclaimer: I own some bitcoin.

Part I: What is Bitcoin?

What is Bitcoin? Analogies don’t help…
Instead, we focus on the system: we explain how Bitcoin works. This means: we explain the protocol.

Basics: Digital Signatures

Digital Signature
Key Generation: produces a key pair for Alice, Alice (Public) and Alice (Secret).
Signing: Alice uses her Secret Key and the Message to produce a signature A.
Verification: Bob uses Alice's Public Key, the Message and the signature A to check it.
Goal: Bob should be sure that the message originates from Alice.
Security (informal): You cannot produce valid signatures without the secret key.

Attempt #1 We now try to build bitcoin… … but we will fail.

Goals
We want some kind of “digital money”. Everyone can participate. No central instance – no bank.

Setting A network of computers.
Every computer can send messages to some other computers.

Basic idea
Every computer maintains a table: “who owns what?”
Alice (Public)    10 BTC
Bob (Public)      0.2 BTC
Charlie (Public)  17 BTC
Dora (Public)     0.001 BTC
Eliza (Public)    2 BTC
We will need: all computers have the same table.
Remark: The public keys are just bit strings.

Sending Bitcoins
To send money, we use transactions. These are messages like this: “Transfer 0.1 BTC from Alice (Public) to Bob (Public)”, signed with Alice's signature A.
In “short”, transactions look like this: $ F T A (amount, from, to, signature).


Sending Bitcoins
Alice: “I'll send 0.1 Bitcoin to Bob.”
Protocol: sending BTC. Craft a transaction. Give it to your computer.
Protocol: participating. On valid transactions: update the ledger, relay the transaction.

Double Spending
Black Hat (“I can exploit this!”) prepares two transactions: one gives BTC from Black Hat to Alice, the other gives the same BTC from Black Hat to Bob. Alice and Bob each see a payment and say “Thanks!”, but these transactions spend previously spent bitcoins!
The bad guy spends the same Bitcoins with two different transactions. Computers receiving the first transaction will have a different ledger than computers receiving the second.

Consensus Protocols
We need a protocol to agree on a transaction: “consensus protocols”. Studied since 1980, starting with Pease, Shostak, Lamport. Huge literature!
Main idea for protocols: ask the other computers “What transaction are you using?”
Protocols work if (say) > 70% of the computers follow the protocol.

This solution does not help us!
Design goal: Everyone can participate. By running a special program, a bad guy controls many virtual computers (“I will gladly participate… with virtual machines!”). Like this, he can make different participants believe different things.

Basics: Random Hash Functions
A random oracle lets us “redefine majority”: majority is counted in hash evaluations rather than in computers, and you cannot “invent virtual machines” to gain weight there.

Random Hash Functions (Random Oracles)
A random hash function is RH: TextFile → {0, …, 2^k − 1}, where all outputs are chosen uniformly at random, independent of each other.
Example:
x := RH("text")   // x = (some value)
x := RH("next")   // x = (an independent value)
On my friend's computer in the US:
x := RH("text")   // x = (the same value as above)

Random Hash Function
In practice, we hope that SHA256 behaves “like a random oracle”: SHA256: TextFiles → {0, …, −1}.
Calculation: If we made all computers in the world compute SHA256… it takes ~“40×14⋅ years” to find x1 ≠ x2 s.t. SHA256(x1) = SHA256(x2).

Bitcoin’s consensus protocol
Step 1: What does the protocol look like? Step 2: What happens if people cheat?

Blocks
A block B contains RH(B′) for another block B′, a list of transactions, and an arbitrary number, the “nonce”.
Block B is valid if the first d = 5 digits of RH(B) are all zero.
To find a valid block, we try different values for the nonce. On average, after 10^d tries, we find a valid block. Bitcoin chooses d on the fly such that this takes about 10 minutes.
If we have a block B′, we can find a “next block”: take RH(B′) from the previous block B′, add transactions, then try different values for the nonce until the hash starts with d zeros. (The RH(B′) field of the new block is the same string as the hash of the previous block.)
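The block structure and nonce search of the slides, as an added example that is not part of the talk: SHA-256 stands in for RH, the JSON serialisation and the field names are my own choices, and choose_d is a constructed illustration of “Bitcoin chooses d on the fly”, not Bitcoin's actual retargeting rule.

```python
import hashlib
import json

# Added example (not from the talk): the block structure and the nonce search
# from the slides, with SHA-256 standing in for the random hash function RH.
# Simplifications, as in the talk: a single SHA-256 (real Bitcoin uses
# SHA256(SHA256(x))) and "first d digits are zero" instead of a threshold.
# Digits here are hex digits, so the expected number of tries is 16**d
# rather than the slides' 10**d.


def block_hash(block: dict) -> str:
    """RH(B): SHA-256 over a canonical serialisation of the block."""
    data = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def is_valid(block: dict, d: int) -> bool:
    """Block B is valid if the first d (hex) digits of RH(B) are all zero."""
    return block_hash(block).startswith("0" * d)


def find_block(prev_hash: str, transactions: list, d: int) -> tuple:
    """Build the "next block": take RH(B') of the previous block, add the
    transactions, then try nonce = 0, 1, 2, ... until the block is valid.
    Returns (block, number_of_tries)."""
    nonce = 0
    while True:
        block = {"prev": prev_hash, "txs": transactions, "nonce": nonce}
        if is_valid(block, d):
            return block, nonce + 1
        nonce += 1


def choose_d(hashes_per_second: float, target_seconds: float = 600) -> int:
    """Constructed illustration of choosing d so a block takes ~10 minutes:
    the smallest d whose expected 16**d tries need at least the target time."""
    d = 0
    while 16 ** d < hashes_per_second * target_seconds:
        d += 1
    return d


if __name__ == "__main__":
    # Constructed sample: a short chain starting from an all-zero "previous hash".
    genesis_hash = "0" * 64
    tx = [{"from": "Alice", "to": "Bob", "amount": 0.1}]
    b1, tries1 = find_block(genesis_hash, tx, d=4)
    b2, tries2 = find_block(block_hash(b1), [], d=4)
    print("block 1:", block_hash(b1), "after", tries1, "tries")
    print("block 2:", block_hash(b2), "after", tries2, "tries")
    print("b2 links to b1:", b2["prev"] == block_hash(b1))
    print("d for 2000 hashes/s at 10 minutes:", choose_d(2000))
```

With d = 4 hex digits the search takes on the order of 65,000 hashes; raising d by one multiplies the expected work by 16, which is the knob the talk describes.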


A Tree of Blocks
If we have a block, with a bit of work, we can find a “next block”… and yet another “next block”… or a block which continues at an earlier block… and so on.
In general, we can build a tree of blocks like this. But only ever downwards!

The Protocol for Finding Blocks
Protocol: finding blocks. Take the longest chain you can find. Collect transactions. Find a new valid block here. Publish it.

The Protocol for Participants
Protocol: to know who owns BTC. Take the longest chain you can find. Process the transactions in this chain in order.

Why work to find blocks? Many people are trying to find blocks, which uses a lot of resources… A real lot! This is called “mining”.

Block reward
If you find a block, you get bitcoins as a reward.
Every transaction specifies a fee, e.g. “Transfer 0.1 BTC from Alice (Public) to Bob (Public), signature A, Fee: 0.001 BTC”. The fee goes to the person who puts the transaction into a valid block.

Recap: The Bitcoin Protocol
Protocol: participate. Relay valid transactions. Relay valid blocks in the longest chain. Work with the longest chain.
Protocol: miners. Collect valid transactions. Publish valid blocks which extend the longest chain.

Bitcoin’s consensus protocol
Step 1: What does the protocol look like? Step 2: What happens if people cheat?

Double Spends
Once a block is found (“I found a valid block!”), the double spends vanish: the ledger is determined by the transactions in the longest chain, so Black Hat's trick no longer works. Since finding a block takes ~10 minutes, a transaction is distributed through the network before a new block is found.
Occasionally, two people find blocks at around the same time… but typically the problem disappears.
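The participants' protocol (take the longest chain, then process its transactions in order) applied to Black Hat's double spend, as an added example that is not part of the talk; proof-of-work and signatures are left out, and the names, balances and block layout are constructed.

```python
import hashlib
import json
# Added example (not from the talk): the participants' protocol from the slides
# ("take the longest chain you can find, process its transactions in order")
# run on Black Hat's double spend. Proof-of-work is left out (nonce fixed to 0),
# blocks are linked only by the hash of their predecessor, and signatures are
# omitted: a transaction is just the slide's "Transfer x BTC from F to T".

def block_hash(block):
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def add_block(blocks, prev, txs):
    """Publish a block on top of prev (None for the first block); return its hash."""
    block = {"prev": prev, "txs": txs, "nonce": 0}
    h = block_hash(block)
    blocks[h] = block
    return h

def chain_to(tip, blocks):
    """Follow prev pointers back to the first block; return the chain oldest first."""
    chain = [tip]
    while chain[-1]["prev"] is not None:
        chain.append(blocks[chain[-1]["prev"]])
    return chain[::-1]

def longest_chain(blocks):
    """Protocol step 1: take the longest chain you can find (ties: first seen)."""
    return max((chain_to(b, blocks) for b in blocks.values()), key=len)

def apply_tx(ledger, tx):
    """Update "who owns what?"; valid only if the sender still owns the coins."""
    if ledger.get(tx["from"], 0) < tx["amount"]:
        return False
    ledger[tx["from"]] -= tx["amount"]
    ledger[tx["to"]] = ledger.get(tx["to"], 0) + tx["amount"]
    return True

def ledger_of(blocks, initial):
    """Protocol step 2: process the longest chain in order -> (ledger, rejected)."""
    ledger, rejected = dict(initial), []
    for block in longest_chain(blocks):
        for tx in block["txs"]:
            if not apply_tx(ledger, tx):
                rejected.append(tx)
    return ledger, rejected

# Constructed sample: Black Hat owns 1 BTC and pays it to both Alice and Bob.
INITIAL = {"BlackHat": 1.0}
TO_ALICE = {"from": "BlackHat", "to": "Alice", "amount": 1.0}
TO_BOB = {"from": "BlackHat", "to": "Bob", "amount": 1.0}

def fork_demo():
    """Two miners find blocks at about the same time, one holding each payment.
    The branch extended first becomes the longest chain; the other payment never counts."""
    blocks = {}
    g = add_block(blocks, None, [])
    add_block(blocks, g, [TO_ALICE])
    b = add_block(blocks, g, [TO_BOB])
    add_block(blocks, b, [])  # the Bob branch wins the race
    return ledger_of(blocks, INITIAL)

def same_chain_demo():
    """Both payments land in one chain: the second spends already-spent coins."""
    blocks = {}
    a = add_block(blocks, add_block(blocks, None, []), [TO_ALICE])
    add_block(blocks, a, [TO_BOB])
    return ledger_of(blocks, INITIAL)
```

Either way only one of the two payments survives: in fork_demo Alice's never enters the longest chain, in same_chain_demo Bob's is rejected when the ledger is rebuilt.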

Build an Alternate Chain?
Maybe I should build another chain? The more RH-calls are devoted to a chain, the faster it grows. Thus, intuitively: to build a chain as fast as the rest, you need as many RH-calls as the rest. If most people are honest, this should mean that good things happen.
A theorem due to Garay, Kiayias, Leonardos (Oct 2014) shows: if most hashpower is devoted to honest parties, good things happen.

Denial of Service
“If I cannot cheat bitcoin, maybe I can mess it up!” Interesting idea… and while Bitcoin incorporates many, many rules to handle this… people still try!

Some Bitcoin History
Bitcoin price on February 10, 2014: ~25% loss in 90 minutes. What happened? A company (MtGox) blamed problems on a “bug in the Bitcoin software”. Later MtGox went bankrupt; Decker and Wattenhofer show evidence that the bug had nothing to do with their problems.

Can we Exploit this?
On bitfinex.com, some people lent others roughly 15’000 bitcoins (~4 Million CHF). The others then sell them, to buy them back later. If I can make people believe that bitcoin is broken… I can make real money!
Disclaimer: This could be illegal! Consult your lawyer first.

Before we move on… I simplified many (for the talk unimportant) things: Bitcoin doesn’t use SHA256(x), but SHA256(SHA256(x)); currently, an “initial block reward” of 25 BTC is given for every found block besides the fee; not the length, but the total difficulty of a chain is important; etc… but most of these are not important for the idea.

Before we move on… However, one warning: In real Bitcoin, transactions have many “inputs” and many “outputs”. If you don’t specify where a BTC goes, it is a miner fee.

Description of an actual transaction (Dec 2013): ca 14’000 CHF (at the time of the transaction) were sent, but only 40 CHF were actually used; the rest went to whoever found the block. Note: the sender used a website which “helps” creating transactions. The owner seems to have gotten the BTC back; whoever mined it (actually, a bunch of people) paid the person back. Most Bitcoin clients do not let you do this.

More Generally If you are not careful, misunderstandings can make you lose money… so please apply appropriate care when playing with Bitcoin (or use the “testnet”).

Part II: Bitcoin Research

Understanding Bitcoin
Bitcoin was deployed with basically no theoretical foundation. Is the system secure? What gives it security? What will rational agents in the Bitcoin network do? What are possible attacks?

Understanding Bitcoin
Ideally, we would want a model which captures the “important aspects”. We then want theorems which describe the results. Some of the following research goes into this direction.

Understanding Bitcoin: References
Babaioff, Dobzinski, Oren, Zohar (2012). On Bitcoin and red balloons
Karame, Androulaki, Capkun (2012). Two Bitcoins at the price of one? Double-spending attacks on fast payments in Bitcoin
Bahack (2013). Theoretical Bitcoin attacks with less than half of the computational power
Kroll, Davey, Felten (2013). The economics of Bitcoin mining, or Bitcoin in the presence of adversaries
Barber, Boyen, Shi, Uzun (2012). Bitter to better - how to make Bitcoin a better currency
Möser, Böhme, Breuker (2014). Towards risk scoring of Bitcoin transactions
Becker, Breuker, Heide, Holler, Rauer, Böhme (2012). Can we afford integrity by proof-of-work? Scenarios inspired by the Bitcoin currency
Nakamoto (2008). Bitcoin: a peer-to-peer electronic cash system
Bonneau, Narayanan (2014). Better in practice than in theory: lessons from the rise of Bitcoin
Raulo (2011). Optimal pool abuse strategy
Todd (2013). How a floating blocksize limit inevitably leads towards centralization
Courtois, Grajek, Naik (2013). The unreasonable fundamental incertitudes behind Bitcoin mining
Eyal, Sirer (2014). Majority is not enough: Bitcoin mining is vulnerable
Garay, Kiayias, Leonardos (2014). The Bitcoin backbone protocol: analysis and applications
… many more. I omit many references… also in the following!

Understanding Bitcoin: Open Problem
There are some aspects of Bitcoin which will change: the initial block reward will vanish, and I believe the network will either grow or go away. What are the effects of such changes? (There is previous work which studies this.)

Improving Bitcoin
New technology gives new choices. How do we choose? Try to make the system more powerful. Try to make the design more secure, faster, less wasteful. Examples: altcoins, Ethereum, Zerocash.

Improving Bitcoin: References
Hearn (2013). Decentralised crime fighting using private set intersection protocols
Back, Corallo, Dashjr, Friedenbach, Maxwell, Miller, Poelstra, Timón, Wuille (2014). Enabling Blockchain Innovations with Pegged Sidechains
Heilman (2014). One Weird Trick to Stop Selfish Miners: Fresh Bitcoins […]
Bamert, Decker, Elsen, Wattenhofer, Welten (2013). Have a Snack, Pay with Bitcoin
King, Nadal (2012). PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake
Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013). SNARKs for C: Verifying Program Executions Succinctly and in ZK
Lee (2013). Litecoin
Maxwell (2013). Really Really ultimate blockchain compression: CoinWitness
Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies without Proof of Work
Miller, Shi, Kosba, Katz (2014). Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions
Bonneau, Clark, Miller (2014). FawkesCoin: A cryptocurrency without public-key cryptography
Sompolinsky, Zohar (2013). Accelerating Bitcoin's Transaction Processing: Fast Money Grows on Trees, Not Chains
Buterin (2013). Ethereum White Paper
Dziembowski, Faust, Kolmogorov, Pietrzak (2013). Proofs of Space
Todd (2014). Tree-chains preliminary summary
etotheipi, maaku, et al. (2012). Ultimate blockchain compression w/ trust-free […]

Add Features
Dmitrienko (2014). Offline Payments with Bitcoin
Samid (2014). Reconciling Bitcoin with Central Banks
Vandervort (2014). Challenges and Opportunities Associated with a Bitcoin-based Transaction Rating System

Improving Bitcoin: Open Problem
Computing SHA256 around 2× times per second seems like a big waste of energy. A back-of-the-envelope calculation gives a daily energy use of 5’000’000+ kWh (~500’000+ CHF). Can we improve the situation? (There is previous work which studies this.)

Anonymity Every transaction is broadcast and stored.
On the other hand, a priori nobody knows who owns which public key. Is Bitcoin anonymous?

Anonymity: References
Androulaki, Karame, Roeschlin, Scherer, Capkun (2013). Evaluating user privacy in Bitcoin
Ober, Katzenbeisser, Hamacher (2013). Structure and anonymity of the Bitcoin transaction graph
Reid, Harrigan (2012). An analysis of anonymity in the Bitcoin system
Biryukov, Pustogarov (2014). Bitcoin over Tor isn't a good idea
Ron, Shamir (2014). How did Dread Pirate Roberts acquire and protect his Bitcoin wealth?
Gervais, Karame, Gruber, Capkun (2014). On the privacy provisions of Bloom filters in lightweight Bitcoin clients
Ron, Shamir (2013). Quantitative analysis of the full Bitcoin transaction graph
Koshy, Koshy, McDaniel (2014). An analysis of anonymity in Bitcoin using P2P network traffic
Spagnuolo, Maggi, Zanero (2014). BitIodine: Extracting intelligence from the Bitcoin network
Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage (2013). A Fistful of Bitcoins: Characterizing payments among men with no names
theymos (2010). Anonymity

Improve Anonymity: References
Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza (2014). Zerocash: decentralized anonymous payments from Bitcoin
Ladd (2012). Blind signatures for Bitcoin transaction anonymity
Maxwell (2013). CoinJoin: Bitcoin privacy for the real world
Bonneau, Clark, Kroll, Miller, Narayanan (2014). Mixcoin: Anonymity for Bitcoin with accountable mixes
Miers, Garman, Green, Rubin (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin
Saxena, Misra, Dhar (2014). Increasing anonymity in Bitcoin
Danezis, Fournet, Kohlweiss, Parno (2013). Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system
Garman, Green, Miers, Rubin (2014). Rational zero: Economic security for Zerocoin with everlasting anonymity

Build on Top of Bitcoin
If Bitcoin works, we can use the technology for other things. Use Bitcoin as a building block. Use the blockchain technology for new applications.

Build on top of Bitcoin
Andrychowicz, Dziembowski, Malinowski, Mazurek (2014). Secure Multiparty Computations on Bitcoin
Clark, Essex (2012). CommitCoin: Carbon Dating Commitments with Bitcoin
Finney et al. (2010). Bitcoin overlay protocols
Miller, Juels, Shi, Parno, Katz (2014). PermaCoin: Repurposing Bitcoin Work for Data Preservation
Back, Bentov (2014). Note on fair coin toss via Bitcoin
Bentov, Kumaresan (2014). How to Use Bitcoin to Design Fair Protocols
Clark, Bonneau, Felten, Kroll, Miller, Narayanan (2014). On Decentralizing Prediction Markets and Order Books

Study the behavior
Another approach is to look at the current system. What are people doing? What happens in the network?

Study the behavior
Decker, Wattenhofer (2013). Information Propagation in the Bitcoin Network
Plohmann, Gerhards-Padilla (2012). Case study of the miner botnet
Vasek, Thornton, Moore (2014). Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem
Decker, Wattenhofer (2014). Bitcoin Transaction Malleability and MtGox
Moore, Christin (2013). Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk
Donet Donet, Pérez-Solà, Herrera (2014). The Bitcoin P2P network
Gandal, Halaburda (2014). Competition in the Crypto-Currency Market
Johnson, Laszka, Grossklags, Vasek, Moore (2014). Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools

Economics and Policy What are the economic foundations behind Bitcoin?
Does it make sense that Bitcoin has value? Do law makers have to react to Bitcoin?

Economics and Policy
Ali, Barrdear, Clews, Southgate (2014). The economics of digital currencies
European Central Bank (2012). Virtual currency schemes
Grinberg (2011). Bitcoin: An innovative alternative digital currency
Andolfatto (2014). Bitcoin and beyond: the possibilities and pitfalls of virtual currencies
Güring, Grigg (2011). Bitcoin & Gresham's Law - the economic inevitability of collapse
Boehm, Pesch (2014). Bitcoin: a first legal analysis - with reference […]
Hileman (2014). From Bitcoin to the Brixton pound: history and prospects for alternative currencies
Brito, Shadab, Castillo (2014). Bitcoin financial regulation: securities, derivatives, prediction markets, & gambling
Luther, White (2014). Can Bitcoin Become a Major Currency?
Brito, Castillo (2013). Bitcoin: A primer for policymakers
Marian (2013). Are cryptocurrencies 'super' tax havens?
Mimic (2014). Regulatory challenges of alternative e-currency; Comparative analysis of Bitcoin model in US and EU jurisdictions
Dion (2014). Bitcoin, regulating fraud in the economy of Hacker-Cash
Doguet (2013). The nature of the form: Legal and regulatory issues surrounding the Bitcoin digital currency system
Möser, Böhme, Breuker (2013). An inquiry into money laundering tools in the Bitcoin ecosystem
Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that right?
Elwell, Murphy, Seitzinger (2014). Bitcoin: questions, answers, and analysis of legal issues
Yermack (2013). Is Bitcoin a real currency?
[...]

More research
Bergstra, Leeuw (2014). Bitcoin and beyond: exclusively informational monies
Lo, Wang (2014). Bitcoin as money?
Luther (2013). Cryptocurrencies, network effects, and switching costs
Maurer, Nelms, Swartz (2013). "When perhaps the real problem is money itself!": the practical materiality of Bitcoin
Rotman (2014). Bitcoin versus electronic money
Graf (2014). Sidechained Bitcoin substitutes: A monetary commentary
… many more! Apologies to everyone whose research I missed or forgot to list!

A specific problem: the future of Bitcoin
In the future, transaction fees will pay for the Random-Oracle invocations. How much fee does a transaction need to pay? When generating a transaction, we take as little fee as possible. Adding a transaction to a block costs (really?) almost nothing! So, miners will also include transactions with minimal fees. Solutions are suggested, but analyzing them properly requires a proper model!

Economic and Policy Implications
How do law makers have to react to Bitcoin? What are the policy implications?

Open Problem 3: Scalability?
Currently, there is roughly 1 transaction per second on the network. Can Bitcoin handle 1000 transactions per second? Will it remain decentralized (“anyone can participate”)?

More uses of blockchain?
If the blockchain technology works, it gives a new consensus algorithm. What else can we use it for? Ideas: multiparty computation protocols based on the blockchain, timestamping, crowdfunding, having your shares in the blockchain, smart payments, etc… Lots of ideas from

Lies and Omissions
In this talk, I necessarily simplified some things, and omitted others.
Transactions are more complicated: they can take more than one input and give output to more than one address. Instead of just the address, they need to specify what previous transaction is being spent. A transaction always needs to spend the full output. The conditions for when a transaction can be spent can be made much more general using “Scripts”.
I said: “A block is valid if it starts with 5 zeros.” The number of zeros changes with time (difficulty). The check is just a threshold (more general than counting zeros).

Thanks to Alessandro Chiesa and Christian Decker, and to everyone for listening!
Sources: blockchain.info, bitcoincharts.com, xkcd.com, KnCMiner.com
