Bitcoin Jeff Chase Duke University.


Some sources [NBFMG15]


Principles of Bitcoin What is Bitcoin? A digital currency. It is money: you can buy it for USD$, spend it for goods and services, or cash it in for USD$. A family of programs and protocols, running on IP-connected computers that form a P2P network to manage the currency. Who can join the Bitcoin network? Anyone with an IP-connected computer: just run a program. You can remain anonymous, but your IP address will be seen. Who controls Bitcoin? Nobody and everybody. It is a decentralized system with clever built-in incentives to maintain a balance of power, even when some participants (“miners”) may be large and powerful.

Bitcoin matters [NBFMG15]

The Bitcoin network Nodes cooperate to maintain a tamper-evident log (the “block chain”) with a history of all transfers of coin (“transactions”). There is no central repository for the log. Many nodes keep copies. Anyone can query for it. Nodes exchange pieces of the log (e.g., blocks of transactions) by passing them through the network in a peer-to-peer fashion. A Bitcoin client joins the network by querying well-known nodes (DNS seeds) for the IP addresses of other randomly selected nodes. Each node keeps a short list of randomly selected peers, and broadcasts the blocks and transactions it hears about to its peers. Soon everyone hears about everything. Nodes in the network play various roles ranging from simple clients (e.g., mobile) to large server clusters (miners) that build the log.

The Bitcoin network

Questions How can we keep money safe in a network of anonymous participants? How to reach consensus about who owns the money? Every atomic currency unit (a “satoshi”) must be owned by exactly one participant at any time. How to validate transactions to be sure that the spenders really own the money they are spending? Where does the money come from? There is no central trusted authority to mint currency (unlike “real” money). How to protect the network from attackers who might try to counterfeit or steal money, or disrupt the network?

Principals of Bitcoin Q: How to name/identify bitcoin “accounts” belonging to principal identities like Alice, Bob, etc.? We need an account address that enables anonymous proof of ownership. Anyone can make up an account/address. Nobody knows who owns the account. The owner (or the owner’s software) can prove on demand that it owns the account and the $$$. If the owner transfers $$$ to another account, others in the network can verify the owner’s intent.

Bitcoin addresses

Bitcoin addresses An address names a principal: an entity that can own bitcoin. It is the hash of a public key. The account owner is anyone with the matching private key. The owner may spend bitcoin by publishing a signed statement granting it to another address.

Bitcoin transactions A record of a funds transfer is called a transaction. It specifies (at least) a source and destination address, and an amount. Each transaction has a globally unique ID. Transactions are published to a global tamper-evident log. They are public: anyone can see and validate the transaction.

Bitcoin transactions [figure]

Bitcoin transactions A transaction may have multiple inputs and outputs. Each output specifies an amount and a destination address. Each input links to an earlier transaction (named by its hash) and to one of that transaction's numbered outputs. A valid transaction must be signed with the private key matching the destination address of every output that its inputs link to.
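The address derivation and the input/output signature check described on the last three slides, as an added example that is not part of the slides: a key pair owns an address, a transaction spends earlier outputs by hash and index, and a verifier checks that each input is signed by the key that hashes to the spent output's address. Assumptions: Bitcoin uses secp256k1 and SHA-256 followed by RIPEMD-160 with Base58Check encoding; this example substitutes the NIST P-256 curve and a truncated SHA-256 so it needs only the Go standard library. The names (AddressOf, Tx, Verify, Demo) are the example's own, and the minting transaction is constructed to stand in for a block reward.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// AddressOf derives an address from a public key (stand-in for Bitcoin's
// SHA-256 + RIPEMD-160 + Base58Check; assumption made for this example).
func AddressOf(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return hex.EncodeToString(h[:20])
}

// Input links to an earlier transaction (by hash) and one of its numbered outputs.
type Input struct {
	PrevTx string
	Index  int
	Sig    []byte           // signature over the transaction digest
	Pub    *ecdsa.PublicKey // must hash to the spent output's address
}

// Output grants an amount to a destination address.
type Output struct {
	Amount  int64
	Address string
}

type Tx struct {
	Inputs  []Input
	Outputs []Output
}

// Digest covers the input links and the outputs. Signatures are excluded so the
// transaction ID does not change when a signature is attached.
func (t *Tx) Digest() []byte {
	var s string
	for _, in := range t.Inputs {
		s += fmt.Sprintf("%s:%d;", in.PrevTx, in.Index)
	}
	for _, out := range t.Outputs {
		s += fmt.Sprintf("%d->%s;", out.Amount, out.Address)
	}
	h := sha256.Sum256([]byte(s))
	return h[:]
}

// ID is the transaction's globally unique name: its hash.
func (t *Tx) ID() string { return hex.EncodeToString(t.Digest()) }

// Sign attaches a signature and the signing public key to input i.
func (t *Tx) Sign(i int, priv *ecdsa.PrivateKey) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, t.Digest())
	if err != nil {
		return err
	}
	t.Inputs[i].Sig, t.Inputs[i].Pub = sig, &priv.PublicKey
	return nil
}

// Verify is the check every node runs: each input must be signed by the key
// whose address the spent output names, and outputs may not exceed inputs.
func (t *Tx) Verify(lookup func(txid string, idx int) (Output, bool)) error {
	var in, out int64
	for i, inp := range t.Inputs {
		prev, ok := lookup(inp.PrevTx, inp.Index)
		if !ok {
			return fmt.Errorf("input %d: unknown output %s:%d", i, inp.PrevTx, inp.Index)
		}
		if inp.Pub == nil || AddressOf(inp.Pub) != prev.Address {
			return fmt.Errorf("input %d: key does not match address %s", i, prev.Address)
		}
		if !ecdsa.VerifyASN1(inp.Pub, t.Digest(), inp.Sig) {
			return fmt.Errorf("input %d: bad signature", i)
		}
		in += prev.Amount
	}
	for _, o := range t.Outputs {
		out += o.Amount
	}
	if out > in {
		return fmt.Errorf("outputs %d exceed inputs %d", out, in)
	}
	return nil
}

// Demo: a constructed minting transaction pays 50 to Alice; Alice pays 30 to Bob
// and 20 back to herself; Mallory then tries to spend Alice's output with her own key.
func Demo() (honest, forged error) {
	keygen := func() *ecdsa.PrivateKey {
		k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		return k
	}
	alice, bob, mallory := keygen(), keygen(), keygen()
	mint := &Tx{Outputs: []Output{{50, AddressOf(&alice.PublicKey)}}}
	log := map[string]*Tx{mint.ID(): mint} // the published log, keyed by transaction ID
	lookup := func(id string, idx int) (Output, bool) {
		t, ok := log[id]
		if !ok || idx < 0 || idx >= len(t.Outputs) {
			return Output{}, false
		}
		return t.Outputs[idx], true
	}
	pay := &Tx{Inputs: []Input{{PrevTx: mint.ID(), Index: 0}},
		Outputs: []Output{{30, AddressOf(&bob.PublicKey)}, {20, AddressOf(&alice.PublicKey)}}}
	pay.Sign(0, alice)
	honest = pay.Verify(lookup)
	steal := &Tx{Inputs: []Input{{PrevTx: mint.ID(), Index: 0}},
		Outputs: []Output{{50, AddressOf(&mallory.PublicKey)}}}
	steal.Sign(0, mallory) // valid signature, wrong key: it does not hash to Alice's address
	forged = steal.Verify(lookup)
	return honest, forged
}

func main() {
	honest, forged := Demo()
	fmt.Println("Alice's transaction:", honest, "| Mallory's attempt:", forged)
}
```

Excluding signatures from the digest is a design choice made here so that the ID a node uses to link transactions is fixed before signing; the slide that follows on transaction malleability concerns exactly what happens when the ID can change after the fact.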

Bitcoin transactions Actually it’s a little more complicated… An output specifies a script to validate the transaction that spends it. But the simple/common case is just a signature check… https://bitcointalk.org/index.php?topic=279249.0

Block chain From Narayanan et al.: Bitcoin and Cryptocurrency Technologies [NBFMG15]

Strawman #1: GoofyCoin [NBFMG15] explains bitcoin by two “straw man” designs. These motivate aspects of the design by illustrating problems that occur in designs that are “too simple”. In the first design, a central entity named “Goofy” issues special transactions to mint coins. The owner of coin can spend it by issuing a transaction record as described. What could go wrong?

Strawman #1: GoofyCoin The rules of GoofyCoin are: ● Goofy can create new coins by simply signing a statement that he’s making a new coin with a unique coin ID. ● Whoever owns a coin can pass it on to someone else by signing a statement saying, “Pass on this coin to X” (where X is specified as a public key). ● Anyone can verify the validity of a coin by following the chain of hash pointers back to its creation by Goofy, verifying all of the signatures along the way. [NBFMG15]

Spending GoofyCoin If Alice wants to transfer some coin to Bob, she just presents Bob with: A signed transaction record to transfer the coin. A linked chain of supporting records to prove: The coin is real. Alice owns it. [figure: NBFMG15]

Double spending Of course, there’s a fundamental security problem with GoofyCoin. Let’s say Alice passed her coin on to Bob by sending her signed statement to Bob but didn’t tell anyone else. She could create another signed statement that pays the very same coin to Chuck. To Chuck, it would appear that it is a perfectly valid transaction, and now he’s the owner of the coin. Bob and Chuck would both have valid-looking claims to be the owner of this coin. This is called a double-spending attack — Alice is spending the same coin twice. [NBFMG15]

Strawman #2: ScroogeCoin Partial solution: a central party verifies and publishes/signs a globally visible tamper-evident log (blockchain). Double spending attacks can be prevented because: There is a single global order of all transactions. Everyone agrees on the global order (consensus). Anyone can verify that coins are not double-spent by scanning the log. This leads us to strawman #2: “ScroogeCoin”. The central party who signs the log is this gentleman: Scrooge.
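The GoofyCoin double spend and the ScroogeCoin fix, as an added example that is not part of the slides or of [NBFMG15]: a single append-only log with hash pointers, a coin named by the record that created it, a consumed-coin set that rejects the second spend, and a re-walk of the hash pointers that detects any later edit to a published record. Assumptions: ownership is modelled by a signer name in place of a signature check, and the record layout, coin naming scheme and function names (Ledger, Append, Verify, Demo) are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is one entry in Scrooge's log. Coins are named "<record hash>:<output index>".
// Prev is the hash pointer to the previous record.
type Record struct {
	Kind   string   // "create" (Scrooge only) or "pay"
	Spends []string // coin IDs consumed; empty for "create"
	Owners []string // owner of each output coin
	Prev   string
}

func (r Record) Hash() string {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%v|%v|%s", r.Kind, r.Spends, r.Owners, r.Prev)))
	return hex.EncodeToString(h[:])
}

type Ledger struct {
	log   []Record
	head  string            // hash of the latest record: the value Scrooge would sign
	spent map[string]bool   // coins already consumed
	owner map[string]string // unspent coin -> owner
}

func NewLedger() *Ledger {
	return &Ledger{spent: map[string]bool{}, owner: map[string]string{}}
}

// Append validates a request against the whole log and adds it. "signer" stands
// in for a verified signature on the request (assumption for this example).
func (l *Ledger) Append(kind string, spends, owners []string, signer string) error {
	switch {
	case kind == "create" && signer != "Scrooge":
		return fmt.Errorf("only Scrooge can create coins")
	case kind == "pay" && len(spends) == 0:
		return fmt.Errorf("pay must spend at least one coin")
	}
	for _, c := range spends {
		if l.spent[c] {
			return fmt.Errorf("double spend: %s already consumed", c)
		}
		if o, ok := l.owner[c]; !ok {
			return fmt.Errorf("unknown coin %s", c)
		} else if o != signer {
			return fmt.Errorf("%s does not own %s", signer, c)
		}
	}
	r := Record{Kind: kind, Spends: spends, Owners: owners, Prev: l.head}
	id := r.Hash()
	for _, c := range spends {
		delete(l.owner, c)
		l.spent[c] = true
	}
	for i, o := range owners {
		l.owner[fmt.Sprintf("%s:%d", id, i)] = o
	}
	l.log = append(l.log, r)
	l.head = id
	return nil
}

// Verify re-walks the hash pointers from the first record to the signed head;
// editing any record changes its hash and breaks the chain.
func (l *Ledger) Verify() bool {
	prev := ""
	for _, r := range l.log {
		if r.Prev != prev {
			return false
		}
		prev = r.Hash()
	}
	return prev == l.head
}

// Demo replays the Alice/Bob/Chuck story against the log, then edits a published record.
func Demo() (payBob, payChuck error, tamperDetected bool) {
	l := NewLedger()
	l.Append("create", nil, []string{"Alice"}, "Scrooge")
	coin := l.head + ":0"
	payBob = l.Append("pay", []string{coin}, []string{"Bob"}, "Alice")
	payChuck = l.Append("pay", []string{coin}, []string{"Chuck"}, "Alice")
	l.log[1].Owners[0] = "Chuck" // rewrite history after the fact
	tamperDetected = !l.Verify()
	return
}

func main() {
	b, c, t := Demo()
	fmt.Println("pay Bob:", b, "| pay Chuck:", c, "| tampering detected:", t)
}
```

The double spend fails because the log is a single global order: once the payment to Bob is appended, the coin is in the consumed set and the payment to Chuck is checked against that same log. Everything here still depends on Scrooge being the one who appends and signs the head, which is the problem the next slides take up.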

Who is Scrooge McDuck?

Strawman #2: ScroogeCoin Scrooge loves money, but deep down he is a good guy. We can trust him to build and publish the block chain. [NBFMG15]

Strawman #2: ScroogeCoin [NBFMG15]

[NBFMG15]

What if Scrooge goes rogue? How much damage can Scrooge do? Can we decentralize the functions assigned to Scrooge? Can we reach decentralized consensus about transaction order securely? Can we create coin in a decentralized way that everyone can agree is valid? Image: "ScroogeFirst", scan uploaded by User:Wikipedical, licensed under fair use via Wikipedia, https://en.wikipedia.org/wiki/File:ScroogeFirst.jpg

Strawman #2: ScroogeCoin The problem here is centralization. Although Scrooge is happy with this system, we, as users of it, might not be. While ScroogeCoin may seem like an unrealistic proposal, much of the early research on cryptosystems assumed there would indeed be some central trusted authority, typically referred to as a bank. After all, most real-world currencies do have a trusted issuer (typically a government mint) responsible for creating currency and determining which notes are valid. However, cryptocurrencies with a central authority largely failed to take off in practice. There are many reasons for this, but in hindsight it appears that it’s difficult to get people to accept a cryptocurrency with a centralized authority. [NBFMG15]

Decentralized currency? Bitcoin works similarly to ScroogeCoin, but without Scrooge. Bitcoin nodes cooperate to build the block chain without any central trusted authority. They agree on history (the contents of the block chain) by checking up on one another and (in essence) voting on it. This is a real-world example of a difficult distributed systems problem: consensus. It is particularly difficult if there are attackers or participants who may lie, cheat, and steal: “Byzantine” consensus. The Bitcoin solution is innovative and works well (so far). Interesting features: proof-of-work puzzle for weighted random leader selection, financial incentives for faithful behavior.

Bitcoin: “Nakamoto consensus” [NBFMG15]

Miners Miners are nodes that hear transactions, validate them, group them into blocks, and add them to the block chain. They create/earn a bitcoin reward for each block published (“mined”). A miner must invest a large amount of compute power to solve a puzzle in order to find and publish a block. Miners race to solve the puzzle and obtain the reward: probabilistic proof of work The reward is valid and spendable only if other nodes accept the published block. Miners have an incentive to act faithfully and validate all transactions properly, so that other nodes “vote” to accept the block. bitcoinminer.net coincube.net

Proof of work In Bitcoin, each block in the chain hashes to a value with a zero prefix. The creator of the block must find a number to add to the block to generate a conforming hash. By presenting such a block, the creator proves that it has invested a great deal of computational power to produce the block. Image: http://www.ybrikman.com/writing/2014/04/24/bitcoin-by-analogy/

The miner’s puzzle The miner computes a secure hash over the block, and includes the hash in the block. The puzzle: the miner must find a nonce value to include in the block, such that the block’s hash has a prefix of N zero digits. N grows with time as computers get faster. probabilistic proof of work Finding a nonce such that the first hash bit is zero is like flipping a coin: the odds are 50% for any random trial. Each added zero bit reduces odds by a factor of 2. A miner’s win probability is proportional to its compute power. In this way, the next miner to publish is selected “randomly”.
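The puzzle on the last two slides, as an added example that is not from the slides: a verifier that needs one hash, a miner that needs about 2^N of them, and a lockstep race showing that wins are split roughly in proportion to hash rate. Assumptions: Bitcoin compares the block hash against a numeric target, which this example simplifies to counting leading zero bits; the header bytes are constructed, and the names (LeadingZeroBits, Mine, Race) are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// LeadingZeroBits counts the zero bits at the front of a digest.
func LeadingZeroBits(h [32]byte) int {
	n := 0
	for _, b := range h {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// BlockHash hashes the block contents followed by the nonce.
func BlockHash(header []byte, nonce uint64) [32]byte {
	buf := make([]byte, len(header)+8)
	copy(buf, header)
	binary.LittleEndian.PutUint64(buf[len(header):], nonce)
	return sha256.Sum256(buf)
}

// CheckPoW is what every peer runs to validate a block: a single hash.
func CheckPoW(header []byte, nonce uint64, difficultyBits int) bool {
	return LeadingZeroBits(BlockHash(header, nonce)) >= difficultyBits
}

// Mine is the miner's search. Each trial succeeds with probability 2^-difficultyBits,
// so the expected number of trials is 2^difficultyBits.
func Mine(header []byte, difficultyBits int) (nonce, trials uint64) {
	for nonce = 0; ; nonce++ {
		trials++
		if CheckPoW(header, nonce, difficultyBits) {
			return nonce, trials
		}
	}
}

// Race runs miners with the given hash rates (trials per step) in lockstep for
// several rounds and counts how many rounds each wins. Each miner hashes its own
// block, so their headers differ.
func Race(rates []int, rounds, difficultyBits int) []int {
	wins := make([]int, len(rates))
	for round := 0; round < rounds; round++ {
		nonces := make([]uint64, len(rates))
		winner := -1
		for winner < 0 {
			for m, rate := range rates {
				hdr := []byte(fmt.Sprintf("constructed round %d miner %d", round, m))
				for k := 0; k < rate && winner < 0; k++ {
					if CheckPoW(hdr, nonces[m], difficultyBits) {
						winner = m
					}
					nonces[m]++
				}
			}
		}
		wins[winner]++
	}
	return wins
}

func main() {
	for _, n := range []int{8, 12, 16} {
		nonce, trials := Mine([]byte("constructed block header"), n)
		fmt.Printf("N=%d: nonce %d after %d trials (expected about %d)\n", n, nonce, trials, 1<<n)
	}
	fmt.Println("wins with rates 3:1 over 200 rounds:", Race([]int{3, 1}, 200, 8))
}
```

The asymmetry is the point: checking a block costs one hash regardless of N, so every peer can cheaply confirm that the miner did the expected 2^N of work, and the race shows why the next publisher is chosen roughly in proportion to compute power rather than by any identity.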

Forks in the block chain? Anybody can be a miner. Anybody can produce a block, add it to the chain, and broadcast it. When a miner links to a block B, it accepts B as the head of the valid chain. If others disagree, then the miner’s block is worthless, so miners have an incentive to get it right! In this way Bitcoin achieves consensus on the block chain and the global history of transactions. Other peers check each block and “vote” on it. If block A is posted “too late” (e.g., block B is added first), or if block A is invalid, then other miners ignore it and build the chain in another direction. The longest chain wins.
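The "longest chain wins" rule from this slide, as an added example that is not from the slides: one node's view of the blocks it has heard, the height of each, the tip it builds on, and what happens when a competing branch overtakes the one it was following. Assumptions: blocks are reduced to an ID and a parent pointer (both would be hashes in Bitcoin), proof-of-work and transaction checks are left out, and the block names and function names (Node, Receive, Tip, Chain, Demo) are the example's own.

```go
package main

import "fmt"

// Block carries only what the fork rule needs: its ID and its parent's ("" for genesis).
type Block struct {
	ID, Prev string
}

// Node is one peer's view: every block it has heard, in arrival order.
type Node struct {
	blocks map[string]Block
	order  []string
}

func NewNode() *Node { return &Node{blocks: map[string]Block{}} }

// Receive records a block whose parent is already known; a block that links to
// an unknown parent cannot be placed on any chain and is rejected here.
func (n *Node) Receive(b Block) error {
	if _, dup := n.blocks[b.ID]; dup {
		return nil
	}
	if b.Prev != "" {
		if _, ok := n.blocks[b.Prev]; !ok {
			return fmt.Errorf("block %s links to unknown block %s", b.ID, b.Prev)
		}
	}
	n.blocks[b.ID] = b
	n.order = append(n.order, b.ID)
	return nil
}

// Height is the number of links from a block back to genesis.
func (n *Node) Height(id string) int {
	h := 0
	for b := n.blocks[id]; b.Prev != ""; b = n.blocks[b.Prev] {
		h++
	}
	return h
}

// Tip applies "the longest chain wins"; among equal heights the block heard
// first is kept, which is why a block that arrives "too late" is ignored.
func (n *Node) Tip() string {
	best, bestH := "", -1
	for _, id := range n.order {
		if h := n.Height(id); h > bestH {
			best, bestH = id, h
		}
	}
	return best
}

// Chain lists block IDs from genesis to the current tip.
func (n *Node) Chain() []string {
	var rev []string
	for id := n.Tip(); id != ""; id = n.blocks[id].Prev {
		rev = append(rev, id)
	}
	for i, j := 0, len(rev)-1; i < j; i, j = i+1, j-1 {
		rev[i], rev[j] = rev[j], rev[i]
	}
	return rev
}

// Demo: two miners find A1 and B1 on top of G; A1 arrives first and A2 extends it.
// The node follows the A branch until B grows longer, then switches to it.
func Demo() (afterFork, afterReorg []string) {
	n := NewNode()
	for _, b := range []Block{{"G", ""}, {"A1", "G"}, {"B1", "G"}, {"A2", "A1"}} {
		n.Receive(b)
	}
	afterFork = n.Chain()
	for _, b := range []Block{{"B2", "B1"}, {"B3", "B2"}} {
		n.Receive(b)
	}
	afterReorg = n.Chain()
	return
}

func main() {
	a, b := Demo()
	fmt.Println("after fork:", a, "\nafter reorg:", b)
}
```

After the switch, A1 and A2 are no longer part of the accepted history, so any transaction that appeared only there is no longer "cleared" in the sense of the slides that follow; that is why a recipient gains confidence as more blocks are built on top of the one containing its payment.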

Some details A participant requests a transaction by broadcasting it to random other nodes, who pass it along by gossip. Eventually the miners hear the request and include it in their blocks (if the request is valid). The miners publish their blocks in the same way. Transmission is similar to “anti-entropy” or “gossip”. Nodes exchange hashes for objects they have seen: the recipient requests/forwards the data if it has not seen it before. Some nodes (including other miners) check the blocks issued by the miners. A transaction can be considered to be cleared when it appears in the global blockchain.

https://www.cryptocoinsnews.com/bitcoin-transaction-malleability/

Double-spending revisited [NBFMG15]

Double-spending revisited [NBFMG15]

Why does consensus work? Majority compliance is an equilibrium with perfect information. Kroll et al. [64] analyzed a simplified model in which miners have perfect information about all discovered blocks (precluding any withholding). In this model, universal compliance is a Nash Equilibrium (although not unique), implying that Bitcoin is (weakly) stable. Stability is not known as mining rewards decline. All of these results have used a simplified model in which each block carries a constant, fixed reward fee. The planned transition of miner revenue from block rewards to transaction fees will negate this assumption …

How fragile is consensus? With a majority miner, stability is not guaranteed. It is well known that a single non-compliant miner which controls a majority of computational power could undermine fairness by collecting all of the mining rewards, simply by ignoring blocks found by others and building their own chain which by assumption will grow to become the longest chain. The majority miner could separately choose to undermine liveness by arbitrarily censoring transactions by refusing to include them and forking if they appear in any other block. Finally, the majority miner could undermine both convergence and eventual consensus by introducing arbitrarily long forks in the block chain, potentially to reverse and double-spend transactions for profit. In practice, the GHash.IO mining pool exceeded 50% of the network’s…capacity for an extended period in July 2014 and publicly promised to limit their capacity in the future in order to avoid damaging confidence in the system.

How to upgrade the protocol? What happens if we roll out a new version of software with new features, and some nodes don’t upgrade? Will nodes running the new software “play nice” with nodes running the old software? These can result in a consensus breakdown: a “fork” in the block chain, with diverging branches. Fork: different subsets of nodes consider different branches of the block chain to be valid. Hard fork. The new software enables a behavior that the old software considers invalid. Soft fork. The new software restricts behavior that the old software considers valid.

Case 1: Hard fork If the old nodes consider the main branch to be invalid, then they will ignore it and build their own block chain. Old nodes are ultimately cut out of the system. How to ensure that new nodes also ignore the “old” block chain candidates? [NBFMG15]

Case 2: Soft fork Soft forks introduce stricter validation rules. Example: pay-to-script-hash Looks like a valid pay-to-address transaction, but requires an extra validation step to check that the correct redeem script is used to validate the transaction. (I think) Need a majority to switch, so the new rules are enforced.
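The hard-fork and soft-fork definitions from the last three slides, as an added example that is not from the slides: the rule set un-upgraded nodes run, an upgrade that enables something they reject, an upgrade that restricts something they accept (modelled on pay-to-script-hash as the slide describes it), and a classifier that reports which way a given block splits the two populations. Assumptions: the size limits, the script-hash check and the block layout are constructed for the example, and the names (OldRules, HardForkRules, SoftForkRules, Classify) are the example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// P2SHOutput is an output that commits to a script hash; the redeem script is
// supplied when the output is spent.
type P2SHOutput struct {
	ScriptHash   string
	RedeemScript string
}

// Block holds just the two properties the rule changes below look at.
type Block struct {
	SizeBytes int
	Spends    []P2SHOutput
}

const oldMaxSize = 1_000_000 // constructed limit for the example

func scriptHash(s string) string {
	h := sha256.Sum256([]byte(s))
	return hex.EncodeToString(h[:])
}

// OldRules is what un-upgraded nodes check. A P2SH output looks to them like an
// ordinary pay-to-address output, so the redeem script is never examined.
func OldRules(b Block) bool {
	return b.SizeBytes <= oldMaxSize
}

// HardForkRules: the upgrade enables a behavior old nodes consider invalid
// (here, a larger block).
func HardForkRules(b Block) bool {
	return b.SizeBytes <= 2*oldMaxSize
}

// SoftForkRules: the upgrade restricts a behavior old nodes consider valid
// (here, the supplied redeem script must hash to the committed value).
func SoftForkRules(b Block) bool {
	if !OldRules(b) {
		return false
	}
	for _, s := range b.Spends {
		if scriptHash(s.RedeemScript) != s.ScriptHash {
			return false
		}
	}
	return true
}

// Classify reports how a block divides old and new nodes.
func Classify(b Block, newRules func(Block) bool) string {
	old, upgraded := OldRules(b), newRules(b)
	switch {
	case old && upgraded:
		return "accepted by both: no fork"
	case !old && upgraded:
		return "hard fork: new nodes accept, old nodes reject"
	case old && !upgraded:
		return "soft fork: old nodes accept, new nodes reject"
	}
	return "rejected by both"
}

func main() {
	big := Block{SizeBytes: 1_500_000}
	good := Block{SizeBytes: 500, Spends: []P2SHOutput{{scriptHash("redeem"), "redeem"}}}
	bad := Block{SizeBytes: 500, Spends: []P2SHOutput{{scriptHash("redeem"), "other"}}}
	fmt.Println("big block under size-increase upgrade:", Classify(big, HardForkRules))
	fmt.Println("matching redeem script under P2SH upgrade:", Classify(good, SoftForkRules))
	fmt.Println("wrong redeem script under P2SH upgrade:", Classify(bad, SoftForkRules))
}
```

The classifier makes the slide's majority point concrete: under the soft-fork rules every block the new nodes accept is also accepted by old nodes, so if new-rule miners hold the majority of hash power, old nodes keep following the longest chain and the stricter rule is enforced on everyone; under the hard-fork rules the new chain contains blocks old nodes reject outright, which is why they split off and build their own.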