Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS425/CSE424/ECE428 — Distributed Systems — Fall 2011 2011-12-01Nikita Borisov - UIUC1.

Published byRandall Park Modified over 9 years ago

Similar presentations

Presentation on theme: "CS425/CSE424/ECE428 — Distributed Systems — Fall 2011 2011-12-01Nikita Borisov - UIUC1."— Presentation transcript:

1 CS425/CSE424/ECE428 — Distributed Systems — Fall 2011 2011-12-01Nikita Borisov - UIUC1

2  Two problems  Unforgeable electronic currency  Secure, globally unique names  Same underlying principle  Decentralized global timestamping service 2011-12-01Nikita Borisov - UIUC2

3  Create a digital currency that is  Unforgeable  Transferrable  Secure  Decentralized  `Traditional’ e-cash:  Coin = Token + signature of bank  BitCoin: eliminate the bank! 2011-12-01Nikita Borisov - UIUC3

4  Computational puzzle  Find x such that f(x) = y  f is easy to compute, hard to invert  f is many-to-one s.t. f(x) = y with probability p  Find solution:  Try random choices for x  Expected running time – O(1/p)  Verify solution  Compute f(x)  Expected running time – O(1)  Example: f = cryptographic hash function H  Find x such that H(x) has k leading 0’s ▪ f(x) = first k bits of H [H k ], y = 0  Difficulty: 2 k 2011-12-01Nikita Borisov - UIUC4

5  Coin: puzzle solution  Forgeable, but only with computational effort  “Value” proportional to puzzle difficulty (2 k )  E.g., cost of electricity needed to “mint” new coin  Payment protocol:  Alice->Bob: coin x  Bob: compute H k (x), verify = 0  Bob->Alice: goods or services 2011-12-01Nikita Borisov - UIUC5

6  Alice still has coin x after giving it to Bob!  Alice->Bob: coin x  Alice->Carol: coin x  Alice->David: coin x  Traditional e-cash solution: detection after the fact  Bob, Carol, David deposit x into the bank  Bank realizes x has been double-spent, punishes Alice 2011-12-01Nikita Borisov - UIUC6

7  Transaction log  For each coin x, lists who has it  When coin first “minted”, claim it  Append: “Alice found x”  During a transaction, log transfer  Bob verifies that Alice currently owns x  Appends “Alice transfers x to Bob” ▪ (with proper signatures from Alice, Bob)  Now Bob is owner of x 2011-12-01Nikita Borisov - UIUC7

8 LOG 1 1. Alice mints x 2. Alice transfers x to Bob 3. Bob transfer x to Carol 4. Alice transfer x to David — INVALID Most recent owner: Carol LOG 2 1. Alice mints x 2. Alice transfers x to David 3. Alice transfers x to Bob — INVALID 4. Bob transfers x to Carol — INVALID Most recent owner: David 2011-12-01Nikita Borisov - UIUC8

9  Centralized: single log  Maintained by trusted bank  Decentralized  Run Paxos on a global scale??  Bitcoin  Proof of work, chains 2011-12-01Nikita Borisov - UIUC9

10  Can incorporate data (z) into puzzle  Find x such that H(x || z) has k 0 bits  To append to log, must solve puzzle based on existing log  Format of log “line” n: L n = M, x, where  M: new message appended to log  x: number such that H k (x || M || L n-1 ) = 0 2011-12-01Nikita Borisov - UIUC10

11  Each line’s puzzle depends on the previous one  L n -> L n-1 -> … -> L 1 -> L 0  To add m lines, must solve m puzzles  Longest chain wins 2011-12-01Nikita Borisov - UIUC11 1 1 2 2 3 3 4’ 4 4 5 5 6 6 6’ 7 7

12  Suppose r people try to append to a log  Each person j has own message M j  Each tries to solve H k (x || M j || L n-1 ) = 0  As soon a someone finds a solution, broadcasts † solution (L n ) to everyone  Everyone else switches to searching for L n+1  I.e., solve H k (x || M j || L n ) = 0  (why?) † we’ll return to this later 2011-12-01Nikita Borisov - UIUC12

13  Each person expects to solve puzzle/generate new line in time t  Among the r processes, log grows at the speed of t/r per line  Why?  As more people participate  r grows  Log grows faster  More difficult to revise history! 2011-12-01Nikita Borisov - UIUC13

14  Security better if more people participated in logging  Incentivize users to log others’ transactions  Transaction fees: pay me x% to log your data  Mining: each log line creates bitcoins ▪ Replace “Alice minted x” entries with “Alice logged line L n ”  Payment protocol:  Alice->Bob: here’s coin x  Broadcast to everyone: Alice transfers x to Bob  Bob: wait until transfer appears in a new log line ▪ Optionally wait until a few more lines follow it 2011-12-01Nikita Borisov - UIUC14

15 2011-12-01Nikita Borisov - UIUC15 Alice generated 50 BTC Nonce: 1234 Alice generated 50 BTC Nonce: 1234 Bob generated 50 BTC Nonce: 5678 Bob generated 50 BTC Nonce: 5678 Carol generated 50 BTC Alice transferred 10 BTC to Bob + 1 BTC to Carol (fee) Nonce: 9932 Carol generated 50 BTC Alice transferred 10 BTC to Bob + 1 BTC to Carol (fee) Nonce: 9932 AccountBalance Alice39 BTC Bob60 BTC Carol51 BTC Hash

16  How to set k?  Too short: wasted effort due to broadcast delays & chain splits  Too long: slows down transactions  Periodically adjust difficulty k such that one line gets added every 10 minutes  Determined algorithmically based on timestamps of previous log entries  Current difficulty  p = 0.00000000000000021346267886168755062437085712190 31000509  4684659657288133 expected hash computations to win (4.7 quadrillion!) 2011-12-01Nikita Borisov - UIUC16

17  All-to-all broadcast  Every transaction (for logging)  Every block (for chain growth)  How do you implement this?  DHT (e.g., Chord)  Gossip 2011-12-01Nikita Borisov - UIUC17

18  Data volume  VISA network: 2000 tps  Transaction: 0.5 – 1KB  A single block (10 mins): 1.14 GB  Total volume ~160 GB / day ▪ Or twice that if you include transaction broadcasts  Bandwidth per node?  On average, each node downloads / uploads each block once  ~160 GB/day = 15 Mbps  (only ~$50/month at EC2 prices!)  Storage & CPU costs dominate 2011-12-01Nikita Borisov - UIUC18

19  “Mining” not profitable  Unless you have some expensive, special-purpose rigs “the bulk of mining is now concentrated in a handful of huge mining pools, which theoretically could hijack the entire network if they worked in concert.”  Coins must be kept safe  From loss  From theft  [Economics] 2011-12-01Nikita Borisov - UIUC19

20  Problem: How to assign names to processes?  Solutions:  IP addresses  DNS  Web certificates  … 2011-12-01Nikita Borisov - UIUC20

21  Secure  Can “claim” a name, and prove this claim to others  Meaningful  Name needs to be “Nikita Borisov” or “Amazon,” not “ 1Na7VPBzpwP5QNJk3zG9jMYXvaSzzGS3mn ”  Sometimes called “memorable”  Decentralized  Context-free: “Amazon” means the same to you as to me 2011-12-01Nikita Borisov - UIUC21

22  Conjecture: cannot have all three  But can have any two!  E.g.:  Secure & decentralized: public keys ▪ 1Na7VPBzpwP5QNJk3zG9jMYXvaSzzGS3mn uniquely, globally identifies someone, who can prove the right to have that name  Meaningful & decentralized: domain names ▪ Not secure  Secure & meaningful: nicknames / petnames ▪ Local mapping of names to identities ▪ Can be translated to secure & decentralized names 2011-12-01Nikita Borisov - UIUC22

23  Two definitions of decentralized  Globally meaningful  No central authority  Turns out you can have one of the two  E.g., X.509 certificates used for Web Browsing  E.g., DNSSEC 2011-12-01Nikita Borisov - UIUC23

24  Can solve triangle with distributed global timestamping  I “claim” a name by saying “Nikita Borisov” belongs to public key 1Na7VPBzpwP5QNJk3zG9jMYXvaSzzGS3mn  First claim wins  Sound familiar? 2011-12-01Nikita Borisov - UIUC24

25  Mine names instead of coins!  New block includes any names you want to register  Your own + any others you care about  Name ownership verified by the longest chain  Can implement transfers, too [originally proposed by Aaron Swartz] 2011-12-01Nikita Borisov - UIUC25

26  WWW: use public key certificates  Issued by certificate authorities  Ensure uniqueness, trademarks, etc.  Use multiple authorities  100+ in existence!  Good: encourages competition, lowers prices  Bad: Any single authority can compromise security  E.g.: “comodogate”  Comodo compromised issued new certificates for “mail.google.com”, “login.skype.com”, etc.  Other compromises have happened 2011-12-01Nikita Borisov - UIUC26

27  Solution: add a new global decentralized distributed log  All new certificates added to log  Can be monitored by domain owners  Log servers run an agreement algorithm  E.g., Paxos or BFT  Cryptographic evidence of correct behavior  Must compromise all log servers  Proposals  Sovereign Keys (EFF)  Certificate Transparency (Google) 2011-12-01Nikita Borisov - UIUC27

28  Global, distributed consensus useful for many applications  Electronic cash  Naming  Global, decentralized consensus may be possible  With some assumptions on computation, communication, …  Centralized distributed consensus may be a good alternative 2011-12-01Nikita Borisov - UIUC28

Download ppt "CS425/CSE424/ECE428 — Distributed Systems — Fall 2011 2011-12-01Nikita Borisov - UIUC1."

Similar presentations

Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.

Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.

COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.
Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.

Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw 30.1.2015.

Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Advanced Computer Communications PROFESSOR:STUDENT: PROF. DR. ING. BRAD REMUS STEFAN FEILMEIER - 10.04.2014 - FACULTATEA DE INGINERIE HERRMANN OBERTH MASTER-PROGRAM.

Advanced Computer Communications PROFESSOR:STUDENT: PROF. DR. ING. BRAD REMUS STEFAN FEILMEIER FACULTATEA DE INGINERIE HERRMANN OBERTH MASTER-PROGRAM.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.

The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.
On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.

On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.
Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.

Lecture 19 Page 1 CS 111 Online Symmetric Cryptosystems C = E(K,P) P = D(K,C) E() and D() are not necessarily the same operations.
Bitcoin (what, why and how?)

Bitcoin (what, why and how?)
Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.

Key Management and Diffie- Hellman Dr. Monther Aldwairi New York Institute of Technology- Amman Campus 12/3/2009 INCS 741: Cryptography 12/3/20091Dr. Monther.
8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

8-1Network Security Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity, authentication.

Similar presentations

Ads by Google