Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital vs. paper currencies Paper: Digital: 16fab13fc6890 Very useful if is also digital.

Published byAda Madlyn Stone Modified over 7 years ago

Similar presentations

Presentation on theme: "Digital vs. paper currencies Paper: Digital: 16fab13fc6890 Very useful if is also digital."— Presentation transcript:

1

2 Digital vs. paper currencies Paper: Digital: 16fab13fc6890 Very useful if is also digital.

3 A traditional ways of paying “digitally” Alice’s credit card number Alice Bob Alice’s credit card number Alice Bob transfer money to Bob’s account transfer confirmation PROBLEMS 1. trusted server for each transaction is needed (money doesn’t “circulate”), 2. high transaction fees, 3. no anonymity.

4 Can we have a true “digital analogue” of the paper money? Yes: Bitcoin! A digital currency introduced by “Satoshi Nakamoto” in 2008. currency unit: Bitcoin (BTC). 1 BTC = 10 8 Satoshi as of 12.03.2014: Market cap = $7,990,451,275 1 BTC= $641.13

5 PROBLEMS WITH PREVIOUS APPROACHES 1. trusted server is needed (money doesn’t “circulate”), 2. high transaction fees, 3. no anonymity. Bitcoin in Bitcoin: low fees “pseudo-anonymity” no trusted server, money circulates

6 “No trusted server” nobody “controls the money”, and therefore: – The amount of money that will ever be “printer” is fixed (to around 21 mln BTC)  no inflation – The exchange rate fluctuates:

7 Bitcoin ¼ “real money”? Bitcoin value comes from the fact that: “people expect that other people will accept it in the future.” It’s like all the other currencies Bitcoin enthusiasts: Bitcoin sceptics: It’s an artificial “bubble”

8 Main problem with the digital money Double spending… 16fab13fc6890 Bits are easier to copy than paper!

9 Bitcoin idea (simplified): The users emulate a public trusted bulletin-board containing a list of transactions. A transaction is of a form: This prevents double spending. “User P 1 transfers a coin #16fab13fc6890 to user P 2 ” 16fab13fc6890 you’ve already spent this coin!

10 What needs to be discussed 1.How is the trusted bulletin-board maintained? 2.How are the users identified? 3.Where does the money come from? 4.What is the syntax of the transactions?

11 Trusted bulletin-board emulation Main difficulty: Some parties can cheat. Classical result: possible if the “majority is honest”. For example for 5 players we can tolerate at most 2 “cheaters”. the “ideal” world a protocol that emulates the ideal world

12 Problem How to define “majority” in a situation where everybody can join the network?

13 The BitCoin solution Define the “majority” as the majority of the computing power Now creating multiple identities does not help!

14 How is this verified? Main idea: use Proofs of Work incentivize honest users to constantly participate in the process The honest users can use their idle CPU cycles. Nowadays: often done on dedicated hardware.

15 Proofs of Work (PoWs) Introduced by Dwork and Naor [Crypto 1992] as a countermeasure against spam. Basic idea: Force users to do some computational work: solve a moderately difficult “puzzle” such that the solution can be easily checked. One of the simplest PoWs is based on the cryptographic hash functions.

16 Cryptographic hash functions A function H : {0,1}* ! {0,1} n is a cryptographic hash function if it “behaves as random”. Common examples: SHA1, SHA3, RIPEMD,… Informal property: the only way to find x such that H(x) has some property is to do a brute-force search. SHA1(Będlewo) = 6533a9b2ab79e57a555bc3a7cdbc58998d6000f0 SHA1(Bendlewo) = f2a5a0cb8b942fbcb472a4cf6d6699ff6f630c71 SHA1(Będlewo) = 6533a9b2ab79e57a555bc3a7cdbc58998d6000f0 SHA1(Bendlewo) = f2a5a0cb8b942fbcb472a4cf6d6699ff6f630c71

17 A simple hash-based PoW Verifier Prover random x finds s such that H(s,x) starts with n zeros (in binary) s s “salt” “hardness parameter checks if H(s,x) starts with n zeros takes time 2 n ¢ TIME(H) takes time TIME(H) H -- a hash function whose computation takes time TIME(H)

18 Main idea The users participating in the scheme are called the “miners”. They maintain a chain of blocks: block 0 block 1 block 2 block 3 transactions from period 1 transactions from period 2 transactions from period 3 the “genesis block” created by Satoshi on 03/Jan/2009 ¼ 10 min.

19 How to post on the board Just broadcast (over the internet) your transaction to the miners. And hope they will add it to the next block. transaction T the miners are incentivized to do it.

20 Main principles 1.It is computationally hard to extend the chain. 2.Once a miner finds an extension he broadcasts it to everybody. 3.The users will always accept “the longest chain” as the valid one. the system incentivizes them to do it

21 How are the PoWs used? Main idea: to extend it one needs to find salt such that H(salt, block i,transactions) starts with some number n of zeros block 0 block 1 block 2 block 3 transactions from period 1 transactions from period 2 transactions from period 3 H – hash function salt H H H H H H

22 The hardness parameter is periodically changed The computing power of the miners changes. The miners should generate the new block each 10 minutes (on average). Therefore the hardness parameter is periodically adjusted to the mining power This happens once each 2016 blocks. For example the block generated on 2014-03-17 18:52:10 looked like this: 00000000000000006d8733e03fa9f5e5 2ec912fa82c9adfed09fbca9563cb4ce 00000000000000006d8733e03fa9f5e5 2ec912fa82c9adfed09fbca9563cb4ce

23 How it looks in real life

24 What if there is a “fork”? block i block i+1 block 1+2 block’ 1+2 block i+3 block i+4 block’ 1+3 this chain is valid fork The “longest” chain counts.

25 Does it make sense to “work” on a shorter chain? No! block i+1 block 1+2 block’ 1+2 block i+3 block i+4 block’ 1+3 Because everybody else is working on extending the longest chain. Recall: we assumed that the majority follows the protocol.

26 How are the miners incentivized to participate in this game? Short answer: they are paid (in Bitcoins) for this. We will discuss it in detail later…

27 How long one should wait to be sure that the transaction is “confirmed”? block i block i+1 block 1+2 block i+3 block i+4 T = “Alice transfers 1 BTC to Bob” Alice Bob Bob waits a few block to be sure that there was no fork

28 What needs to be discussed 1.How is the trusted bulletin-board maintained? 2.How are the users identified? 3.Where does the money come from? 4.What is the syntax of the transactions?

29 User identification We use the digital signature schemes. secret key sk 1 public key pk 1 I am pk 1 The users are identified by their public keys.

30 Digital signature schemes A digital signature scheme consists of algorithms Gen, Sign and Vrfy, where: Gen (secret key sk, public key pk) Sign signature σ (sk, message M) Vrfy yes/no (pk, M, σ) input:output: Correctness: for every (sk,pk) := Gen() and every M we have Vrfy(pk,M,Sign(sk,M)) = yes Security: “without knowing sk it is infeasible to compute σ such that Vrfy(pk,M,σ) = yes”

31 Digital signature schemes are: publicly verifiable non-repudiable transferrable Gen P1P1 P1P1 secret key sk 1 public key of P 1 is pk 1 M M σ σ message M Vrfy(pk 1,M, σ) M M σ = Sign(sk 1, M) Vrfy(pk 1,M, σ)

32 What needs to be discussed 1.How is the trusted bulletin-board maintained? 2.How are the users identified? 3.Where does the money come from? 4.What is the syntax of the transactions?

33 Where does the money come from? A miner who finds a new block gets a “reward” in BTC: for the first 210,000 blocs: 50 BTC for the next 210,000 blocs: 25 BTC for the next 210,000 blocs: 12.5 BTC, and so on… Note: 210,000 ¢ (50 + 25 + 12.5 +  ) ! 21,000,000 ¼ 4 years current reward

34 This is how it looks in detail

35 More details Each block contains a transaction that transfers the reward to the miner. Advantages: 1.It provides incentives to be a miner. 2.It also makes the miners interested in broadcasting new block asap. this view was challenged in a recent paper: Ittay Eyal, Emin Gun Sirer Majority is not Enough: Bitcoin Mining is Vulnerable this view was challenged in a recent paper: Ittay Eyal, Emin Gun Sirer Majority is not Enough: Bitcoin Mining is Vulnerable

36 What needs to be discussed 1.How is the trusted bulletin-board maintained? 2.How are the users identified? 3.Where does the money come from? 4.What is the syntax of the transactions?

37 Transaction syntax – simplified view T 1 = (User P 1 creates 25 BTC) T 2 = (User P 1 sends 25 BTC from T 1 to P 2 signature of P 1 on [T 2 ]) T 3 = (User P 2 sends 25 BTC from T 2 to P 3 signature of P 2 on [T 3 ]) 25 BTC in the “mining process” P1P1 P1P1 P2P2 P2P2 P3P3 P3P3 [T2][T2] [T3][T3] “value of T 2 “ We say that T 3 redeems T 2

38 How to “divide money”? Multi-output transactions: T 2 = (User P 1 sends 10 BTC from T 1 to user P 2, User P 1 sends 7 BTC from T 1 to user P 3, User P 1 sends 8 BTC from T 1 to user P 4 (User P 1 sends 10 BTC from T 1 to user P 2, User P 1 sends 7 BTC from T 1 to user P 3, User P 1 sends 8 BTC from T 1 to user P 4 signature of P 1 on [T 2 ] ) 8 BTC 7 BTC 10 BTC [T2][T2] P1P1 P1P1 P2P2 P2P2 P3P3 P3P3 P4P4 P4P4

39 Multiple inputs all signatures need to be valid! 8 BTC 7 BTC 10 BTC T 2 = (User P 2 sends 10 BTC from T 1 to user P 1, User P 3 sends 7 BTC from T 1 to user P 1, User P 4 sends 8 BTC from T 1 to user P 1 (User P 2 sends 10 BTC from T 1 to user P 1, User P 3 sends 7 BTC from T 1 to user P 1, User P 4 sends 8 BTC from T 1 to user P 1 signature of P 2 on [T 2 ], signature of P 3 on [T 2 ], signature of P 4 on [T 2 ]) signature of P 2 on [T 2 ], signature of P 3 on [T 2 ], signature of P 4 on [T 2 ]) [T2][T2] P1P1 P1P1 P4P4 P4P4 P2P2 P2P2 P3P3 P3P3

40 Time-locks It is also possible to specify time t when a transaction becomes valid. T 2 = (User P 1 sends 25 BTC from T 1 to P 2 if time t has passed) signature of P 1 on [T 2 ]) [T2][T2] measured in: real time, or blocks. measured in: real time, or blocks.

41 Generalizations 1.All these features can be combined. 2.The total value of in-coming transactions can be larger that the value of the out-going transactions. (the difference is called a “fee” and goes to the miner) 1.The condition for redeeming a transaction can be more general (the so-called “strange transactions”)

42 Strange transactions: T 2 = (User P 1 sends 1 BTC from T 1 to P 2 signature of P 1 on [T 2 ]) T 3 = (User P 2 sends 1 BTC from T 2 to P 3 signature of P 2 on [T 3 ]) P2P2 P2P2 P3P3 P3P3 T 2 = a condition C 2 to spend T 2 a “witness W 2 ” T 3 = a “witness W 3 ” P2P2 P2P2 P3P3 P3P3 T1T1 T1T1 1 BTC T2T2 T2T2 a condition C 3 to spend T 2 a Boolean function

43 Redeeming condition T 3 redeems T 2 if C 2 evaluates to true on input ([T 3 ],W 3 ). Note: in the the standard transactions: C 2 ([T 3 ],W 3 ) = Vrfy(pk 2,[T 3 ],W 3 ) [T3][T3] T 2 = a condition C 2 to spend T 2 a “witness W 2 ” T 3 = a “witness W 3 ” P2P2 P2P2 P3P3 P3P3 T1T1 T1T1 1 BTC T2T2 T2T2 a condition C 3 to spend T 2

44 How are the conditions written? In Bitcoin scripting language (non-Turing complete stack-based) Example: OP_DUP OP_HASH160 02192cfd7508be5c2e6ce9f1b6312b7f268476d2 OP_EQUALVERIFY OP_CHECKSIG

45 Bitcoin contracts

46 The “strange transactions” can be used to create the “Bitcoin contracts”. Simple examples: Pay money to anyone who knows some password. Assurance contracts. Put a “deposit” to prove you are not a spammer.

47 More complicated examples Multiparty lottery [Andrychowicz, Dziembowski, Malinowski, and Mazurek Secure Multiparty Computations on BitCoin 2013, Back and Bentov Bitcointalk thread 2013] 1 BTC a random party earns 3 BTC

48 Paying for delivering secret information [Andrychowicz, Dziembowski, Malinowski, and Mazurek Fair Two-Party Computations via Bitcoin Deposits (2013), How to deal with malleability of BitCoin transactions (2014)] I will pay 100 BTC to anyone who provides information about secret accounts in Switzerland

49 Bitcoin risks 1.Organized crime

50 2. Since the transactions are irreversible it’s easy to steal the coins

51 Other crypto currencies see cryptmarketcap.com

52 Thank you!

Download ppt "Digital vs. paper currencies Paper: Digital: 16fab13fc6890 Very useful if is also digital."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.

Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.

Recoverable and Untraceable E-Cash Dr. Joseph K. Liu The Chinese University of HongKong.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.

COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.
Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.

Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
BITCOIN – 2014 John BlackSpring 2014. Digital Currency  Chaum’s ideas in the 1980’s  All ideas required a central bank or single point of trust  Chaum.

BITCOIN – 2014 John BlackSpring Digital Currency  Chaum’s ideas in the 1980’s  All ideas required a central bank or single point of trust  Chaum.
Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.
Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw 30.1.2015.

Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw
How to Use Bitcoin to Incentivize Correct Computations Ranjit Kumaresan (MIT) Iddo Bentov (Technion) Appeared at CCS 2014.

How to Use Bitcoin to Incentivize Correct Computations Ranjit Kumaresan (MIT) Iddo Bentov (Technion) Appeared at CCS 2014.
Advanced Computer Communications PROFESSOR:STUDENT: PROF. DR. ING. BRAD REMUS STEFAN FEILMEIER - 10.04.2014 - FACULTATEA DE INGINERIE HERRMANN OBERTH MASTER-PROGRAM.

Advanced Computer Communications PROFESSOR:STUDENT: PROF. DR. ING. BRAD REMUS STEFAN FEILMEIER FACULTATEA DE INGINERIE HERRMANN OBERTH MASTER-PROGRAM.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.

The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.
On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.

On Power Splitting Games in Distributed Computation: The case of Bitcoin Pooled Mining Loi Luu, Ratul Saha, Inian Parameshwaran, Prateek Saxena & Aquinas.
Bitcoin (what, why and how?)

Bitcoin (what, why and how?)
Cryptography Lecture 9 Stefan Dziembowski

Cryptography Lecture 9 Stefan Dziembowski
1 Bitcoin A Digital Currency. Functions of Money.

1 Bitcoin A Digital Currency. Functions of Money.

Similar presentations

Ads by Google