Presentation on theme: "IS THERE A THEORY BEHIND BITCOIN? Thomas Holenstein ITS Science Colloquium, Nov 6, 2014."— Presentation transcript:
IS THERE A THEORY BEHIND BITCOIN? Thomas Holenstein ITS Science Colloquium, Nov 6, 2014
Goal of this Talk Part I: What is Bitcoin? Approach: technical Requires digital signatures and random oracles.
Goal of this Talk Part II: Bitcoin research What are researchers doing? What are the open problems? Disclaimer: I own some bitcoin.
Part I: What is Bitcoin?
What is Bitcoin? Analogies don’t help… Instead, we focus on the system: we explain how Bitcoin works. This means: we explain the protocol.
Basics: Digital Signatures
Digital Signature Verification Signing Key Generation Alice (Public) Alice (Secret) Alice Bob
Alice Alice (Public) Digital Signature Verification Signing Key Generation Alice (Secret)
Bob Alice (Public) Digital Signature Verification Key Generation Alice (Public) Alice (Secret) Goal: Bob should be sure that the message originates from Alice. Signing Alice Message
Digital Signature Key Generation Public Key Secret Key Security (informal): You cannot produce valid signatures without the secret key.
We now try to build bitcoin… Attempt #1 … but we will fail.
Goals We want some kind of “digital money”. Everyone can participate. No central instance – no bank.
Setting Every computer can send messages to some other computers. A network of computers.
Basic idea Every computer maintains a table: “who owns what?” Alice (Public) Bob (Public) Bob (Public) Charlie (Public) Charlie (Public) Dora (Public) Dora (Public) Eliza (Public) Eliza (Public) 10 BTC 0.2 BTC BTC 2 BTC 17 BTC We will need: all computers have the same table. Remark: The public keys are just bit strings.
Sending Bitcoins In “short”, transactions look like this: Alice (Public) Transfer 0.1 BTC from to Bob (Public) Bob (Public) A $ $ F F T T To send money, we use transactions. These are messages like this:
Main Transaction pic $ $ F F T T $ $ F F T T *
Sending Bitcoins I’LL send 0.1 Bitcoin to Bob. Alice $ $ F F T T Protocol: sending BTC 1. Craft a transaction. 2. Give it to your computer. Protocol: sending BTC 1. Craft a transaction. 2. Give it to your computer. Protocol: participating On valid transactions: 1. Update ledger 2. Relay transaction Protocol: participating On valid transactions: 1. Update ledger 2. Relay transaction
Double Spending I can exploit this! Black Hat Alice Bob : Give BTC from Black Hat to Alice : Give BTC from Black Hat to Bob Black Hat prepares two transactions: These transactions spend previously spent bitcoins! Thank s!
Double Spending The bad guy spends the same Bitcoins with two different transactions and. Computers receiving transaction will have a different ledger than computers receiving transaction.
We need a protocol to agree on a transaction. “Consensus protocols”. Studied since 1980, starting with Pease, Shostak, Lamport. Huge literature! Main idea for protocols: Consensus Protocols What transaction are you using? Protocols work if (say) > 70% of the computers follow the protocol.
This solution does not help us! Design goal: Everyone can participate. I will gladly participate… With virtual machines! By running a special program, a bad guy controls many virtual computers. Like this, he can make different participants believe different things.
Basics: Random Hashfunctions
Random Hash Functions (Random Oracles) RH
Random Hash Function
Bitcoin’s consensus protocol Step 1: How does the protocol look like? Step 2: What happens if people cheat?
If we have a block, we can find a “next block”:
Blocks If we have a block, we can find a “next block”:
A Tree of Blocks If we have a block, with a bit of work, we can find a “next block”…...and yet another “next block”… …or a block which continues here… … and so on.
A Tree of Blocks In general, we can build a tree of blocks like this. But only ever downwards!
The Protocol for Finding Blocks Protocol: finding blocks 1. Take the longest chain you can find. 2. Collect transactions. 3. Find a new valid block here. 4. Publish it. Protocol: finding blocks 1. Take the longest chain you can find. 2. Collect transactions. 3. Find a new valid block here. 4. Publish it.
The Protocol for Participants Protocol: To know who owns BTC 1. Take the longest chain you can find. 2. Process the transactions in this chain in order. Protocol: To know who owns BTC 1. Take the longest chain you can find. 2. Process the transactions in this chain in order.
Why work to find blocks? Many people are trying to find blocks, which uses a lot of resources… A real lot! This is called “mining”.
Block reward If you find a block, you get bitcoins as a reward. Alice (Public) Transfer 0.1 BTC from to Bob (Public) Bob (Public) A Fee: BTC Every transaction specifies a fee. It goes to the person who puts the transaction into a valid block. Alice (Public) Transfer 0.1 BTC from to Bob (Public) Bob (Public) A
Recap: The Bitcoin Protocol Protocol: participate Relay valid transactions. Relay valid blocks in the longest chain. Work with the longest chain. Protocol: participate Relay valid transactions. Relay valid blocks in the longest chain. Work with the longest chain. Protocol: miners Collect valid transactions. Publish valid blocks which extend the longest chain. Protocol: miners Collect valid transactions. Publish valid blocks which extend the longest chain.
Bitcoin’s consensus protocol Step 1: How does the protocol look like? Step 2: What happens if people cheat?
Double Spends I can exploit this! Black Hat Alice Bob I found a valid block! Once a block is found, the double spends vanish. Occasionally, two people find blocks at around the same time… but typically the problem disappears.
Build an Alternate Chain? Maybe I should build another chain?
Denial of Service If I cannot cheat bitcoin, maybe I can mess it up! Interesting idea… …and while Bitcoin incorporates many, many rules to handle this… …people still try!
Some Bitcoin History Bitcoin price on February 10, 2014 ~25% loss in 90 minutes What happened? A company (MtGox) blamed problems on a “bug in the Bitcoin software”.
Can we Exploit this? On bitfinex.com, some people lent others roughly 15’000 bitcoins (~4 Million CHF). The others then sell them, to buy them back later. On bitfinex.com, some people lent others roughly 15’000 bitcoins (~4 Million CHF). The others then sell them, to buy them back later. If I can make people believe that bitcoin is broken… I can make real money! Disclaimer: This could be illegal! Consult your lawyer first. Disclaimer: This could be illegal! Consult your lawyer first.
Before we move on… I simplified many (for the talk unimportant) things… Bitcoin doesn’t use SHA256(x), but SHA256(SHA256(x)), Currently, an “initial block reward of 25BTC” is given for every found block besides the fee, no the length, but the total difficulty of a chain is important, etc… but most of these are not important for the idea.
Before we move on… However, one warning: In real Bitcoin, transactions have many “inputs” and many “outputs”. If you don’t specify where a BTC goes, it is a miner fee.
Bad Software can Lead to… ca 14’000 CHF at the time of the transaction 40 CHF actually used Rest went to whoever found the block. Most Bitcoin clients do not let you do this. Description of an actual transaction (Dec 2013)
More Generally If you are not careful, misunderstandings can make you lose money… so please apply appropriate care when playing with Bitcoin (or use the “testnet”).
Part II: Bitcoin Research
Understanding Bitcoin Bitcoin was deployed with basically no theoretical foundation. Is the system secure? What gives it security? What will rational agents in the Bitcoin network do? What are possible attacks?
Understanding Bitcoin Ideally, we would want a model which captures the “important aspects”. We then want theorems which describe the results. Some of the following research goes into this direction.
Understanding Bitcoin: References Babaioff, Dobzinski, Oren, Zohar (2012). On Bitcoin and red balloons Bahack (2013). Theoretical Bitcoin attacks with less than half of the computational power Barber, Boyen, Shi, Uzun (2012). Bitter to better - how to make Bitcoin a better currency Becker, Breuker, Heide, Holler, Rauer, Bóhme (2012). Can we afford integrity by proof-of-work? Scenarios inspired by the Bitcoin currency Bonneau, Narayanan (2014). Better in practice than in theory: lessons from the rise of Bitcoin Courtois, Grajek, Naik (2013). The unreasonable fundamental incertitudes behind Bitcoin mining Eyal, Sirer (2014). Majority is not enough: Bitcoin mining is vulnerable Garay, Kiayias, Leonardos (2014). The Bitcoin backbone protocol: analysis and applications Karame, Androulaki, Capkun (2012). Two Bitcoins at the price of one? Double-spending attacks on fast payments in Bitcoin Kroll, Davey, Felten (2013). The economics of Bitcoin mining, or Bitcoin in the presence of adversaries Möser, Böhme, Breuker (2014). Towards risk scoring of Bitcoin transactions Nakamoto (2008). Bitcoin: a peer-to-peer electronic cash system Raulo (2011). Optimal pool abuse strategy Todd (2013). How a floating blocksize limit inevitably leads towards centralization … many more. I omit many references… also in the following!
Understanding Bitcoin: Open Problem There are some aspects of Bitcoin which will change: The initial block reward will vanish. I believe: the network will grow or go away. What are the effect of such changes? (There is previous work which studies this).
Improving Bitcoin New technology gives new choices. How do we choose? Try to make the system more powerful. Try to make the design: more secure, faster, less wasteful.
Improving Bitcoin: References Back, Corallo, Dashjr, Friedenbach, Maxwell, Miller, Poelstra, Timón, Wuille (2014). Enabling Blockchain Innovations with Pegged Sidechains Bamert, Decker, Elsen, Wattenhofer, Welten (2013). Have a Snack, Pay with Bitcoin Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013). SNARKs for C: Verifying Program Executions Succinctly and in ZK Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies without Proof of Work Bonneau, Clark, Miller (2014). FawkesCoin: A cryptocurrency without public-key cryptography Buterin (2013). Ethereum White Paper. Dziembowski, Faust, Kolmogorov, Pietrzak (2013). Proofs of Space etotheipi, maaku, et al. (2012). Ultimate blockchain compression w/ trust-free […] Hearn (2013). Decentralised crime fighting using private set intersection protocols Heilman (2014). One Weird Trick to Stop Selfish Miners: Fresh Bitcoins […] King, Nadal (2012). PPCoin: Peer-to-Peer Crypto- Currency with Proof-of-Stake Lee (2013). Litecoin Maxwell (2013). Really Really ultimate blockchain compression: CoinWitness Miller, Shi, Kosba, Katz (2014). Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions Sompolinsky, Zohar (2013). Accelerating Bitcoin's Transaction Processing: Fast Money Grows on Trees, Not Chains Todd (2014). Tree-chains preliminary summary.
Add Features Dmitrienko (2014). Offline Payments with Bitcoin Samid (2014). Reconciling Bitcoin with Central Banks Vandervort (2014). Challenges and Opportunities Associated with a Bitcoin-based Transaction Rating System
Improving Bitcoin: Open Problem
Anonymity Every transaction is broadcast and stored. On the other hand, a priori nobody knows who owns which public key. Is Bitcoin anonymous?
Anonymity: References Androulaki, Karame, Roeschlin, Scherer, Capkun (2013). Evaluating user privacy in Bitcoin Biryukov, Pustogarov (2014). Bitcoin over Tor isn't a good idea Gervais, Karame, Gruber, Capkun (2014). On the privacy provisions of Bloom filters in lightweight Bitcoin clients Koshy, Koshy, Mcdaniel (2014). An analysis of anonymity in Bitcoin using P2P network traffic Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage (2013). A Fistful Of bitcoins: Characterizing payments among men with no names Ober, Katzenbeisser, Hamacher (2013). Structure and anonymity of the Bitcoin transaction graph Reid, Harrigan (2012). An analysis of anonymity in the Bitcoin system Ron, Shamir (2014). How did dread pirate Roberts acquire and protect his Bitcoin wealth? Ron, Shamir (2013). Quantitative analysis of the full Bitcoin transaction graph Spagnuolo, Maggi, Zanero (2014). BitIodine: Extracting intelligence from the Bitcoin network theymos (2010). Anonymity
Improve Anonymity: References Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza (2014). Zerocash: decentralized anonymous payments from Bitcoin Bonneau, Clark, Kroll, Miller, Narayanan. Mixcoin (2014). Anonymity for Bitcoin with accountable mixes Danezis, Fournet, Kohlweiss, Parno (2013). Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system Garman, Green, Miers, Rubin (2014). Rational zero: Economic security for Zerocoin with everlasting anonymity Ladd (2012). Blind signatures for Bitcoin transaction anonymity Maxwell (2013). CoinJoin: Bitcoin privacy for the real world Miers, Garman, Green, Rubin (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin Saxena, Misra, Dhar (2014). Increasing anonymity in Bitcoin
Build on Top of Bitcoin If Bitcoin works, we can use the technology for other things. Use Bitcoin as a building block Use the blockchain technology for new applications.
Build on top of Bitcoin Andrychowicz, Dziembowski, Malinowski, Mazurek (2014). Secure Multiparty Computations on Bitcoin Back, Bentov (2014). Note on fair coin toss via Bitcoin. Bentov, Kumaresan (2014). How to Use Bitcoin to Design Fair Protocols Clark, Bonneau, Felten, Kroll, Miller, Narayanan (2014). On Decentralizing Prediction Markets and Order Books. Clark, Essex (2012). CommitCoin: Carbon Dating Commitments with Bitcoin Finney et al. (2010). Bitcoin overlay protocols Miller, Juels, Shi, Parno, Katz (2014). PermaCoin: Repurposing Bitcoin Work for Data Preservation
Study the behavior Another approach is look at the current system. What are people doing? What happens in the network?
Study the behavior Decker, Wattenhofer (2013). Information Propagation in the Bitcoin Network Decker, Wattenhofer (2014). Bitcoin Transaction Malleability and MtGox Donet Donet, Pérez-Solà, Herrera (2014). The Bitcoin P2P network Gandal, Halaburda (2014). Competition in the Crypto-Currency Market. Johnson, Laszka, Grossklags, Vasek, Moore (2014). Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools Plohmann, Gerhards-Padilla (2012). Case study of the miner botnet Vasek, Thornton, Moore (2014). Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem Moore, Christin (2013). Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk
Economics and Policy What are the economic foundations behind Bitcoin? Does it make sense that Bitcoin has value? Do law makers have to react to Bitcoin?
Economics and Policy Ali, Barrdear, Clews, Southgate (2014). The economics of digital currencies Andolfatto (2014). Bitcoin and beyond: the possibilities and pitfalls of virtual currencies Boehm, Pesch (2014). Bitcoin: a first legal analysis - with reference […] Brito, Shadab, Castillo (2014). Bitcoin financial regulation: securities, derivatives, prediction markets, & gambling Brito, Castillo (2013). Bitcoin: A primer for policymakers. Dion (2014): Bitcoin, regulating fraud in the economy of Hacker-Cash Doguet (2013): The nature of the form: Legal and regulartory issues surounding the Bitcoin digital currency system Elwell, Murphy, Seitzinger (2014). Bitcoin: questions, answers, and analysis of legal issues European Central Bank (2012). Virtual currency schemes Grinberg (2011). Bitcoin: An innovative alternative digital currency Güring, Grigg (2011). Bitcoin & Gresham's Law - the economic inevitability of collapse Hileman (2014). From Bitcoin to the Brixton pound: history and prospects for alternative currencies Luther, White (2014). Can Bitcoin Become a Major Currency? Marian (2013). Are cryptocurrencies 'super' tax havens? Mimic (2014). Regulatory challenges of alternative e- currency; Comparative analysis of Bitcoin model in US and EU jurisdictions Möser, Böhme, Breuker (2013). An inquiry into money laundering tools in the Bitcoin ecosystem Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that right? Yermack, (2013). Is Bitcoin a real currency? [...]
More research Bergstra, Leeuw (2014). Bitcoin and beyond: exclusively informational monies Lo, Wang (2014). Bitcoin as money? Luther (2013). Cryptocurrencies, network effects, and switching costs Maurer, Nelms, Swartz (2013). "When perhaps the real problem is money itself!": the practical materiality of Bitcoin Rotman (2014). Bitcoin versus electronic money Graf (2014). Sidechained Bitcoin substitutes: A monetary commentary … many more! Apologies to everyone whose research I missed or forgot to list!
A specific problem: the future of Bitcoin In the future, transaction fees will pay for the Random- Oracle invocations. How much fees does a transaction need pay? When generating a transaction, we take as little fee as possible. Adding a transaction to a block costs (really?) almost nothing! So, miners will also include transactions with minimal fees. Solutions are suggested, but analyzing them properly requires a proper model!
Economic and Policy Implications How do law makers have to react to Bitcoin? What are the policy implications?
Open Problem 3: Scalability? Currently, there is roughly 1 transaction per second on the network. Can bitcoin handle 1000 transactions per second? Will it remain decentralized (“Anyone can participate?”)
More uses of blockchain? If the blockchain technology works, it gives a new consensus algorithm. What else can we use it for? Ideas: Multiparty computation protocols based on the blockchain. Timestamping Crowdfunding Have your shares in the blockchain Smart payments etc…
Lies and Omissions
Transactions are more complicated They can take more than one input and give output to more than one address. Instead of just the address, they need to specify what previous transaction is being spent. A transaction always needs to spend the full output. The conditions for when a transaction is spent can be made much more general using “Scripts”.
Lies and Omissions In this talk, I necessarily simplified some things, and omitted others. I said: “A block is valid if it starts with 5 zeros.” The number of zeros changes with time (difficulty). The check is just a threshold (more general than counting zeros).
Thanks to Alessandro Chiesa Sources xkcd.com blockchain.info bitcoincharts.com KnCMiner.com Christian Decker Everyone for listening!