IS THERE A THEORY BEHIND BITCOIN? Thomas Holenstein ITS Science Colloquium, Nov 6, 2014.


1 IS THERE A THEORY BEHIND BITCOIN? Thomas Holenstein ITS Science Colloquium, Nov 6, 2014

2 Goal of this Talk Part I: What is Bitcoin?  Approach: technical  Requires digital signatures and random oracles.

3 Goal of this Talk Part II: Bitcoin research  What are researchers doing?  What are the open problems? Disclaimer: I own some bitcoin.

4 Part I: What is Bitcoin?

5 What is Bitcoin?  Analogies don’t help…  Instead, we focus on the system: we explain how Bitcoin works.  This means: we explain the protocol.

6 Basics: Digital Signatures

7 Digital Signature [Diagram labels: Key Generation, Signing, Verification, Alice (Public), Alice (Secret), Alice, Bob]

8 Digital Signature [Diagram labels: Key Generation, Signing, Verification, Alice (Public), Alice (Secret), Alice]

9 Digital Signature [Diagram labels: Key Generation, Signing, Verification, Alice (Public), Alice (Secret), Alice, Bob, Message] Goal: Bob should be sure that the message originates from Alice.

10 Digital Signature [Diagram labels: Key Generation, Public Key, Secret Key] Security (informal): You cannot produce valid signatures without the secret key.

11 We now try to build bitcoin… Attempt #1 … but we will fail.

12 Goals  We want some kind of “digital money”.  Everyone can participate.  No central instance – no bank.

13 Setting  Every computer can send messages to some other computers.  A network of computers.

14 Basic idea  Every computer maintains a table: “who owns what?” Owners: Alice (Public), Bob (Public), Charlie (Public), Dora (Public), Eliza (Public). Amounts: 10 BTC, 0.2 BTC, BTC, 2 BTC, 17 BTC.  We will need: all computers have the same table. Remark: The public keys are just bit strings.

15 Sending Bitcoins To send money, we use transactions. These are messages like this: Transfer 0.1 BTC from Alice (Public) to Bob (Public) [figure label: A]. In “short”, transactions look like this: [transaction icon with labels $, F, T]

16 [Figure: main transaction picture]

17 Sending Bitcoins Alice: “I’ll send 0.1 Bitcoin to Bob.” Protocol: sending BTC 1. Craft a transaction. 2. Give it to your computer. Protocol: participating On valid transactions: 1. Update ledger 2. Relay transaction

18 Double Spending “I can exploit this!” [Figure: Black Hat, Alice, Bob] Black Hat prepares two transactions: : Give BTC from Black Hat to Alice : Give BTC from Black Hat to Bob These transactions spend previously spent bitcoins! “Thanks!”

19 Double Spending  The bad guy spends the same Bitcoins with two different transactions and.  Computers receiving transaction will have a different ledger than computers receiving transaction.
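The divergence described on slides 17 to 19, as an added example that is not part of the original talk: four nodes on a line apply the "update ledger, relay" rule, and the two conflicting transactions are injected at opposite ends. Node names, the integer amounts and the line topology are constructed for illustration, and signature verification is assumed to have succeeded already.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    amount: int          # constructed integer units, avoids float rounding

class Node:
    def __init__(self, name, ledger):
        self.name = name
        self.ledger = dict(ledger)   # this computer's own "who owns what?" table
        self.peers = []
        self.seen = set()

    def accept(self, tx):
        """Apply tx if it is new and the sender can pay (signature check assumed done)."""
        if tx in self.seen or self.ledger.get(tx.sender, 0) < tx.amount:
            return False
        self.seen.add(tx)
        self.ledger[tx.sender] -= tx.amount
        self.ledger[tx.receiver] = self.ledger.get(tx.receiver, 0) + tx.amount
        return True

def line_network(n, ledger):
    """Build n nodes connected in a line, all starting from the same table."""
    nodes = [Node(f"n{i}", ledger) for i in range(n)]
    for a, b in zip(nodes, nodes[1:]):
        a.peers.append(b)
        b.peers.append(a)
    return nodes

def deliver(injections):
    """Process messages in FIFO order: on a valid tx, update ledger, then relay."""
    queue = deque(injections)
    while queue:
        node, tx = queue.popleft()
        if node.accept(tx):
            queue.extend((peer, tx) for peer in node.peers)

def double_spend_demo():
    nodes = line_network(4, {"BlackHat": 1})
    to_alice = Tx("BlackHat", "Alice", 1)
    to_bob = Tx("BlackHat", "Bob", 1)
    # The two conflicting transactions enter the network at opposite ends.
    deliver([(nodes[0], to_alice), (nodes[3], to_bob)])
    return {n.name: n.ledger for n in nodes}

if __name__ == "__main__":
    for name, ledger in double_spend_demo().items():
        print(name, ledger)
```

Each node rejects whichever transaction reaches it second, so the network ends up split into two halves with incompatible tables, which is the failure that motivates a consensus protocol.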

20 Consensus Protocols  We need a protocol to agree on a transaction.  “Consensus protocols”. Studied since 1980, starting with Pease, Shostak, Lamport.  Huge literature!  Main idea for protocols: “What transaction are you using?” Protocols work if (say) > 70% of the computers follow the protocol.

21 This solution does not help us! Design goal:  Everyone can participate. I will gladly participate… With virtual machines! By running a special program, a bad guy controls many virtual computers. Like this, he can make different participants believe different things.

22 Basics: Random Hashfunctions

23 Random Hash Functions (Random Oracles) RH

24 Random Hash Function

25 Bitcoin’s consensus protocol Step 1: What does the protocol look like? Step 2: What happens if people cheat?

26 Blocks RH

27 Blocks

28 If we have a block, we can find a “next block”:

29 Blocks If we have a block, we can find a “next block”:

30 RO

31 A Tree of Blocks If we have a block, with a bit of work, we can find a “next block”… …and yet another “next block”… …or a block which continues here… …and so on.

32 A Tree of Blocks In general, we can build a tree of blocks like this. But only ever downwards!

33 The Protocol for Finding Blocks Protocol: finding blocks 1. Take the longest chain you can find. 2. Collect transactions. 3. Find a new valid block here. 4. Publish it.

34 The Protocol for Participants Protocol: To know who owns BTC 1. Take the longest chain you can find. 2. Process the transactions in this chain in order.
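The two protocols on slides 33 and 34, as an added example that is not code from the talk or from Bitcoin: blocks are found by searching for a nonce whose SHA256(SHA256(x)) falls below a threshold, participants pick the longest valid chain and replay its transactions in order. The block encoding (JSON), the 12-bit demo threshold, the all-zero genesis marker and the names and amounts are assumptions made for illustration; signatures, fees and rewards are left out.

```python
import hashlib
import json

GENESIS = "0" * 64
TARGET = 1 << (256 - 12)   # demo threshold (assumption): a hash must be below this

def block_hash(prev, txs, nonce):
    data = json.dumps([prev, txs, nonce]).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def mine(prev, txs):
    """Find a new valid block on top of `prev` by trying nonces."""
    nonce = 0
    while int(block_hash(prev, txs, nonce), 16) >= TARGET:
        nonce += 1
    return {"prev": prev, "txs": txs, "nonce": nonce,
            "hash": block_hash(prev, txs, nonce)}

def is_valid(block):
    """Recompute the hash and apply the threshold check."""
    h = block_hash(block["prev"], block["txs"], block["nonce"])
    return h == block["hash"] and int(h, 16) < TARGET

def longest_chain(blocks):
    """Return the longest chain of valid blocks that reaches GENESIS, oldest first."""
    by_hash = {b["hash"]: b for b in blocks if is_valid(b)}
    best = []
    for tip in by_hash.values():
        chain, cur = [], tip
        while cur is not None:
            chain.append(cur)
            if cur["prev"] == GENESIS:
                break
            cur = by_hash.get(cur["prev"])   # None: parent unknown, chain is orphaned
        if cur is not None and len(chain) > len(best):
            best = chain[::-1]
    return best

def replay(chain, ledger):
    """Process the chain's transactions in order; skip any the sender cannot pay."""
    ledger = dict(ledger)
    for block in chain:
        for sender, receiver, amount in block["txs"]:
            if ledger.get(sender, 0) >= amount:
                ledger[sender] -= amount
                ledger[receiver] = ledger.get(receiver, 0) + amount
    return ledger

def fork_demo():
    # Two conflicting blocks on the same parent, then one branch is extended.
    a1 = mine(GENESIS, [["BlackHat", "Alice", 1]])
    b1 = mine(GENESIS, [["BlackHat", "Bob", 1]])
    b2 = mine(b1["hash"], [["Bob", "Charlie", 1]])
    chain = longest_chain([a1, b1, b2])
    return chain, replay(chain, {"BlackHat": 1})

if __name__ == "__main__":
    chain, ledger = fork_demo()
    print(len(chain), ledger)
```

Every participant who sees all three blocks selects the same two-block branch, so the payment to Alice never enters the agreed table.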

35 Why work to find blocks? Many people are trying to find blocks, which uses a lot of resources… A real lot! This is called “mining”.

36 Block reward If you find a block, you get bitcoins as a reward. Every transaction specifies a fee. It goes to the person who puts the transaction into a valid block. Example transaction: Transfer 0.1 BTC from Alice (Public) to Bob (Public); Fee: BTC [figure label: A]

37 Recap: The Bitcoin Protocol Protocol: participate  Relay valid transactions.  Relay valid blocks in the longest chain.  Work with the longest chain. Protocol: miners  Collect valid transactions.  Publish valid blocks which extend the longest chain.

38 Bitcoin’s consensus protocol Step 1: What does the protocol look like? Step 2: What happens if people cheat?

39 Double Spends “I can exploit this!” “I found a valid block!” [Figure: Black Hat, Alice, Bob] Once a block is found, the double spends vanish. Occasionally, two people find blocks at around the same time… but typically the problem disappears.

40 Build an Alternate Chain? Maybe I should build another chain?

41 Denial of Service If I cannot cheat bitcoin, maybe I can mess it up! Interesting idea… …and while Bitcoin incorporates many, many rules to handle this… …people still try!

42 Some Bitcoin History Bitcoin price on February 10, 2014: ~25% loss in 90 minutes. What happened? A company (MtGox) blamed problems on a “bug in the Bitcoin software”.

43 Can we Exploit this? On bitfinex.com, some people lent others roughly 15’000 bitcoins (~4 Million CHF). The others then sell them, to buy them back later. If I can make people believe that bitcoin is broken… I can make real money! Disclaimer: This could be illegal! Consult your lawyer first.

44 Before we move on… I simplified many (for the talk unimportant) things…  Bitcoin doesn’t use SHA256(x), but SHA256(SHA256(x)),  Currently, an “initial block reward of 25BTC” is given for every found block besides the fee,  not the length, but the total difficulty of a chain is important, etc… but most of these are not important for the idea.

45 Before we move on… However, one warning: In real Bitcoin, transactions have many “inputs” and many “outputs”. If you don’t specify where a BTC goes, it is a miner fee.

46 Bad Software can Lead to… Description of an actual transaction (Dec 2013): ca. 14’000 CHF at the time of the transaction; 40 CHF actually used; the rest went to whoever found the block. Most Bitcoin clients do not let you do this.

47 More Generally If you are not careful, misunderstandings can make you lose money… so please apply appropriate care when playing with Bitcoin (or use the “testnet”).

48 Part II: Bitcoin Research

49 Understanding Bitcoin  Bitcoin was deployed with basically no theoretical foundation.  Is the system secure? What gives it security?  What will rational agents in the Bitcoin network do?  What are possible attacks?

50 Understanding Bitcoin  Ideally, we would want a model which captures the “important aspects”.  We then want theorems which describe the results.  Some of the following research goes into this direction.

51 Understanding Bitcoin: References  Babaioff, Dobzinski, Oren, Zohar (2012). On Bitcoin and red balloons  Bahack (2013). Theoretical Bitcoin attacks with less than half of the computational power  Barber, Boyen, Shi, Uzun (2012). Bitter to better - how to make Bitcoin a better currency  Becker, Breuker, Heide, Holler, Rauer, Böhme (2012). Can we afford integrity by proof-of-work? Scenarios inspired by the Bitcoin currency  Bonneau, Narayanan (2014). Better in practice than in theory: lessons from the rise of Bitcoin  Courtois, Grajek, Naik (2013). The unreasonable fundamental incertitudes behind Bitcoin mining  Eyal, Sirer (2014). Majority is not enough: Bitcoin mining is vulnerable  Garay, Kiayias, Leonardos (2014). The Bitcoin backbone protocol: analysis and applications  Karame, Androulaki, Capkun (2012). Two Bitcoins at the price of one? Double-spending attacks on fast payments in Bitcoin  Kroll, Davey, Felten (2013). The economics of Bitcoin mining, or Bitcoin in the presence of adversaries  Möser, Böhme, Breuker (2014). Towards risk scoring of Bitcoin transactions  Nakamoto (2008). Bitcoin: a peer-to-peer electronic cash system  Raulo (2011). Optimal pool abuse strategy  Todd (2013). How a floating blocksize limit inevitably leads towards centralization  … many more. I omit many references… also in the following!

52 Understanding Bitcoin: Open Problem There are some aspects of Bitcoin which will change:  The initial block reward will vanish.  I believe: the network will grow or go away. What are the effects of such changes? (There is previous work which studies this).

53 Improving Bitcoin New technology gives new choices. How do we choose?  Try to make the system more powerful.  Try to make the design:  more secure,  faster,  less wasteful.

54 Improving Bitcoin: References  Back, Corallo, Dashjr, Friedenbach, Maxwell, Miller, Poelstra, Timón, Wuille (2014). Enabling Blockchain Innovations with Pegged Sidechains  Bamert, Decker, Elsen, Wattenhofer, Welten (2013). Have a Snack, Pay with Bitcoin  Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013). SNARKs for C: Verifying Program Executions Succinctly and in ZK  Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies without Proof of Work  Bonneau, Clark, Miller (2014). FawkesCoin: A cryptocurrency without public-key cryptography  Buterin (2013). Ethereum White Paper.  Dziembowski, Faust, Kolmogorov, Pietrzak (2013). Proofs of Space  etotheipi, maaku, et al. (2012). Ultimate blockchain compression w/ trust-free […]  Hearn (2013). Decentralised crime fighting using private set intersection protocols  Heilman (2014). One Weird Trick to Stop Selfish Miners: Fresh Bitcoins […]  King, Nadal (2012). PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake  Lee (2013). Litecoin  Maxwell (2013). Really Really ultimate blockchain compression: CoinWitness  Miller, Shi, Kosba, Katz (2014). Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions  Sompolinsky, Zohar (2013). Accelerating Bitcoin's Transaction Processing: Fast Money Grows on Trees, Not Chains  Todd (2014). Tree-chains preliminary summary.

55 Add Features  Dmitrienko (2014). Offline Payments with Bitcoin  Samid (2014). Reconciling Bitcoin with Central Banks  Vandervort (2014). Challenges and Opportunities Associated with a Bitcoin-based Transaction Rating System

56 Improving Bitcoin: Open Problem

57 Anonymity  Every transaction is broadcast and stored.  On the other hand, a priori nobody knows who owns which public key.  Is Bitcoin anonymous?

58 Anonymity: References  Androulaki, Karame, Roeschlin, Scherer, Capkun (2013). Evaluating user privacy in Bitcoin  Biryukov, Pustogarov (2014). Bitcoin over Tor isn't a good idea  Gervais, Karame, Gruber, Capkun (2014). On the privacy provisions of Bloom filters in lightweight Bitcoin clients  Koshy, Koshy, Mcdaniel (2014). An analysis of anonymity in Bitcoin using P2P network traffic  Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage (2013). A Fistful Of bitcoins: Characterizing payments among men with no names  Ober, Katzenbeisser, Hamacher (2013). Structure and anonymity of the Bitcoin transaction graph  Reid, Harrigan (2012). An analysis of anonymity in the Bitcoin system  Ron, Shamir (2014). How did dread pirate Roberts acquire and protect his Bitcoin wealth?  Ron, Shamir (2013). Quantitative analysis of the full Bitcoin transaction graph  Spagnuolo, Maggi, Zanero (2014). BitIodine: Extracting intelligence from the Bitcoin network  theymos (2010). Anonymity

59 Improve Anonymity: References  Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza (2014). Zerocash: decentralized anonymous payments from Bitcoin  Bonneau, Clark, Kroll, Miller, Narayanan (2014). Mixcoin: Anonymity for Bitcoin with accountable mixes  Danezis, Fournet, Kohlweiss, Parno (2013). Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system  Garman, Green, Miers, Rubin (2014). Rational zero: Economic security for Zerocoin with everlasting anonymity  Ladd (2012). Blind signatures for Bitcoin transaction anonymity  Maxwell (2013). CoinJoin: Bitcoin privacy for the real world  Miers, Garman, Green, Rubin (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin  Saxena, Misra, Dhar (2014). Increasing anonymity in Bitcoin

60 Build on Top of Bitcoin If Bitcoin works, we can use the technology for other things.  Use Bitcoin as a building block  Use the blockchain technology for new applications.

61 Build on top of Bitcoin  Andrychowicz, Dziembowski, Malinowski, Mazurek (2014). Secure Multiparty Computations on Bitcoin  Back, Bentov (2014). Note on fair coin toss via Bitcoin.  Bentov, Kumaresan (2014). How to Use Bitcoin to Design Fair Protocols  Clark, Bonneau, Felten, Kroll, Miller, Narayanan (2014). On Decentralizing Prediction Markets and Order Books.  Clark, Essex (2012). CommitCoin: Carbon Dating Commitments with Bitcoin  Finney et al. (2010). Bitcoin overlay protocols  Miller, Juels, Shi, Parno, Katz (2014). PermaCoin: Repurposing Bitcoin Work for Data Preservation

62 Study the behavior Another approach is to look at the current system.  What are people doing?  What happens in the network?

63 Study the behavior  Decker, Wattenhofer (2013). Information Propagation in the Bitcoin Network  Decker, Wattenhofer (2014). Bitcoin Transaction Malleability and MtGox  Donet Donet, Pérez-Solà, Herrera (2014). The Bitcoin P2P network  Gandal, Halaburda (2014). Competition in the Crypto-Currency Market.  Johnson, Laszka, Grossklags, Vasek, Moore (2014). Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools  Plohmann, Gerhards-Padilla (2012). Case study of the miner botnet  Vasek, Thornton, Moore (2014). Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem  Moore, Christin (2013). Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk

64 Economics and Policy  What are the economic foundations behind Bitcoin?  Does it make sense that Bitcoin has value?  Do law makers have to react to Bitcoin?

65 Economics and Policy  Ali, Barrdear, Clews, Southgate (2014). The economics of digital currencies  Andolfatto (2014). Bitcoin and beyond: the possibilities and pitfalls of virtual currencies  Boehm, Pesch (2014). Bitcoin: a first legal analysis - with reference […]  Brito, Shadab, Castillo (2014). Bitcoin financial regulation: securities, derivatives, prediction markets, & gambling  Brito, Castillo (2013). Bitcoin: A primer for policymakers.  Dion (2014). Bitcoin, regulating fraud in the economy of Hacker-Cash  Doguet (2013). The nature of the form: Legal and regulatory issues surrounding the Bitcoin digital currency system  Elwell, Murphy, Seitzinger (2014). Bitcoin: questions, answers, and analysis of legal issues  European Central Bank (2012). Virtual currency schemes  Grinberg (2011). Bitcoin: An innovative alternative digital currency  Güring, Grigg (2011). Bitcoin & Gresham's Law - the economic inevitability of collapse  Hileman (2014). From Bitcoin to the Brixton pound: history and prospects for alternative currencies  Luther, White (2014). Can Bitcoin Become a Major Currency?  Marian (2013). Are cryptocurrencies 'super' tax havens?  Mimic (2014). Regulatory challenges of alternative e-currency; Comparative analysis of Bitcoin model in US and EU jurisdictions  Möser, Böhme, Breuker (2013). An inquiry into money laundering tools in the Bitcoin ecosystem  Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that right?  Yermack (2013). Is Bitcoin a real currency? [...]

66 More research  Bergstra, Leeuw (2014). Bitcoin and beyond: exclusively informational monies  Lo, Wang (2014). Bitcoin as money?  Luther (2013). Cryptocurrencies, network effects, and switching costs  Maurer, Nelms, Swartz (2013). "When perhaps the real problem is money itself!": the practical materiality of Bitcoin  Rotman (2014). Bitcoin versus electronic money  Graf (2014). Sidechained Bitcoin substitutes: A monetary commentary … many more! Apologies to everyone whose research I missed or forgot to list!

67 A specific problem: the future of Bitcoin  In the future, transaction fees will pay for the Random-Oracle invocations. How much in fees does a transaction need to pay?  When generating a transaction, we take as little fee as possible.  Adding a transaction to a block costs (really?) almost nothing! So, miners will also include transactions with minimal fees.  Solutions are suggested, but analyzing them properly requires a proper model!

68 Economic and Policy Implications How do law makers have to react to Bitcoin? What are the policy implications?

69 Open Problem 3: Scalability?  Currently, there is roughly 1 transaction per second on the network.  Can bitcoin handle 1000 transactions per second?  Will it remain decentralized (“Anyone can participate?”)

70 More uses of blockchain?  If the blockchain technology works, it gives a new consensus algorithm. What else can we use it for?  Ideas:  Multiparty computation protocols based on the blockchain.  Timestamping  Crowdfunding  Have your shares in the blockchain  Smart payments  etc…

71 Lies and Omissions

72  Transactions are more complicated  They can take more than one input and give output to more than one address.  Instead of just the address, they need to specify what previous transaction is being spent.  A transaction always needs to spend the full output.  The conditions for when a transaction is spent can be made much more general using “Scripts”.

73 Lies and Omissions In this talk, I necessarily simplified some things, and omitted others.  I said: “A block is valid if it starts with 5 zeros.”  The number of zeros changes with time (difficulty).  The check is just a threshold (more general than counting zeros).

74 Thanks to  Alessandro Chiesa  Christian Decker  Everyone for listening! Sources: xkcd.com, blockchain.info, bitcoincharts.com, KnCMiner.com

