Bitcoin and Cryptocurrencies (enee457.github.io/lectures/week13/Bitcoin.pdf)
Charalampos Papamanthou, University of Maryland
ENEE459C
What is Bitcoin?
• Bitcoin is an e-cash system enabling us to move from currency (either paper or digital) based on and regulated by centralized banks to fully decentralized currency
• Bitcoin is not the first attempt to digitize cash
• Lots of work on e-cash in the past (beginning with the work of David Chaum)
• All of these e-cash works use a centralized party to prevent double-spending
• Bitcoin works because it offers the right incentives
• If you help maintain the correctness of the system, you will earn some Bitcoins
• “Help” means offering some of your computational power to verify transactions (more on that later)
• Bitcoin was first described in a seminal paper by the anonymous Satoshi Nakamoto
Interesting properties of Bitcoin
• Transparent
• All the transactions made by Bitcoin users are recorded in a public ledger
• See www.blockchain.info
• Problem with privacy?
• Finite
• There is an upper bound on the total amount of bitcoins that will ever be spent (there is no Federal Reserve here that can arbitrarily “print Bitcoins”)
• Simulates the gold standard
• Based on crypto and distributed algorithms
• Owning money is equivalent to knowing a secret (in particular the secret key of a digital signature)
• Making sure that no double spending occurs is based on novel distributed algorithms (consensus)
Other properties of Bitcoin
• Global
• Can be used to send money all across the world with very small fees (as opposed to fees charged by major banks)
• Also, you can trade Bitcoins for dollars and vice versa
• To buy and sell Bitcoins, go to https://www.coinbase.com/
• What do you get when you buy Bitcoins?
• Current price of Bitcoin
Where can I pay with Bitcoin?
History of Bitcoin
• 2009: Satoshi Nakamoto’s paper
• 2009-2011:
• Price less than 1 dollar
• Community of enthusiasts
• 2013-today
• Substantial growth
• In December 2013, price reached 1000 dollars
• Media coverage
• Lots of startups facilitating Bitcoin adoption
• Venture capitalist investment
Bitcoin price
How does it work?
• Main purpose of banks is to maintain balances correctly
• E.g., if I send you 10 dollars, the bank needs to subtract 10 dollars from my account and send 10 dollars to your account
• This is one of the most fundamental bank operations
• The whole banking system works because we trust the banks to do so correctly
• Partly for this service, we have to pay all these fees to the banks
• Bitcoin main idea
• Do away with banks completely and maintain this file of balances in a distributed fashion
• But how do you pump money into this new economy?
• Pay people in Bitcoins to help maintain this file of balances, called “ledger”
Bitcoin addresses
• Bitcoin addresses serve as the “account number” in your bank
• Every individual can have as many Bitcoin addresses as he wants
• Very easy to create
• No fees at all for having one
• My Bitcoin address
• 1Eq8hdVuGGii61QMhppNP5z27832dMwztG
• It now has 0.01 BTC associated with it
• Let’s verify that
What is this Bitcoin address?
• If you want to get into Bitcoin
• You need to generate a (SK, PK) pair
• Of course, keep your SK secret
• The bitcoin address is an encoding of a hash of PK
• bitcoin_address = enc(hash(PK))
• Make your PK available to everybody so that you can receive payments
• Downloading and installing the coinbase app will take care of all these so that you are ready to send and accept Bitcoin payments
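The enc(...) step as an added example, not code from the lecture: legacy Bitcoin addresses use Base58Check, which prepends a version byte and appends a 4-byte double-SHA-256 checksum so that a mistyped address is rejected instead of receiving funds. The sample key bytes are constructed, and a truncated SHA-256 is an assumed stand-in for Bitcoin's RIPEMD-160(SHA-256(PK)) so that only the standard library is needed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload):
    """First 4 bytes of SHA-256(SHA-256(payload)), the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(raw) - len(raw.lstrip(b"\0"))    # each leading zero byte becomes '1'
    return "1" * zeros + out

def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)               # ValueError on a non-Base58 character
    zeros = len(text) - len(text.lstrip("1"))
    return b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")

def address_from_hash(pk_hash, version=0x00):
    """enc(hash(PK)): version byte, 20-byte hash, then the checksum."""
    payload = bytes([version]) + pk_hash
    return b58encode(payload + checksum(payload))

def parse_address(addr):
    """Return (version, pk_hash), or None if the address is malformed or mistyped."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25 or checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:-4]

# Constructed sample key bytes; truncated SHA-256 is a stand-in for Bitcoin's
# RIPEMD-160(SHA-256(PK)) so that only the standard library is needed.
SAMPLE_PK = b"\x02" + bytes(range(32))
SAMPLE_HASH = hashlib.sha256(SAMPLE_PK).digest()[:20]
SAMPLE_ADDR = address_from_hash(SAMPLE_HASH)

if __name__ == "__main__":
    print(SAMPLE_ADDR, parse_address(SAMPLE_ADDR) == (0, SAMPLE_HASH))
```

Passing the address shown on the earlier slide to parse_address checks that it was transcribed without a typo.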
A simple transaction
• Alice wants to pay 3 Bitcoins to Bob
• Alice owns 3 Bitcoins at address A
• Bob has address B
• To pay Bob, Alice creates a transaction and broadcasts it to the whole network
• The transaction contains
• Addresses A and B
• The public key associated with A
• Amount 3 Bitcoins
• A digital signature on the message of all the above, created with Alice’s secret key
Blockchain
• There are certain nodes on the network called miners that maintain the correct ledger of transactions
• Miners put transactions into blocks, and broadcast their blocks containing transactions that are consistent
• E.g., a valid block cannot contain the following two transactions
• A sent x Bitcoins to B (say B had 0 Bitcoins before)
• B sent 2x Bitcoins to B
• Once a claimed correct block is broadcast, it needs to be verified by other miners before it gets added into the Blockchain
• Eventually, all miners will get to see the same blockchain
• This is the blockchain we see at blockchain.info
• On average, a new block is created every 10 minutes
How do miners reach consensus?
• Distributed computing consensus
• N players having as inputs Boolean values x_1, x_2, …, x_N. They begin with some correct state state
• There is a well-defined function f(x_i, state) = state’ deciding whether x_i can be added to the state or not
• Variable state contains only inputs that are true
• How can I compute a new state state’?
• Easy! Send all x_i’s to a trusted bank! Then it can easily compute the function
• We want distributed! Send all x_i’s to a player, and ask him to compute
• Does not work: Some of them can be malicious, computing a wrong function (and you do not know this ahead of time)
• Goal: Maintain the correct state in the distributed system (i.e., if someone asks the system what its state is, he can get a reliable answer containing only true x_i’s)
Distributed algorithm to reach consensus
• All players store the initial state and their input x_i
• Pick a player j uniformly at random
• The player broadcasts its input x_j
• All players update their local state using state’ = f(state, x_j)
• Theorem (informal): If you keep querying the system (namely, ask every player to output their local state), you will eventually be able to decide some correct new state state’ ≠ state of the system iff the majority of players is honest.
• Honest means:
• My x_i is true
• I run the f algorithm correctly
• Why is picking uniformly at random important? (If I always pick the bad guys, the system will never move on to a new state state’ (the good guys will always reject bad inputs!) and we will be stuck with the old state)
Bitcoin consensus
• It is an instantiation of what we described before
• Players are miners
• state is the blockchain, containing blocks that contain valid transactions
• So what is the difference?
• Remember an important requirement of the consensus protocol is that every time I should pick someone uniformly at random.
• How do I pick someone uniformly at random in Bitcoin?
• In particular, how do I pick someone uniformly at random in a distributed fashion?
• Proofs of Work!!!
How does a miner prepare a block
• A miner receives a bunch of transactions from users
• He checks to see that the transactions he has are valid
• He organizes the transactions into a block b
• Now he is ready to broadcast his block and update the state of the system
• Wait, the theorem says he needs to be chosen at random
• Well, to be eligible for broadcasting, he needs to solve a computational puzzle and submit its solution
• Basically, the computational puzzle requires him to invert a hash
Bitcoin Blocks and Transactions
What is the nonce in each block?
• Each block submitted by a miner has a nonce
• This nonce is the solution to the following puzzle
• H(nonce || previous_block_hash || hash_current_transactions) < target_value
• The block will be accepted after the above is checked
• The smaller target_value is, the higher the difficulty
• The above mechanism serves for choosing some miner at random, making sure the ledger is maintained correctly
• The smaller target_value is, the higher the difficulty of the puzzle
• Adjusted by the Bitcoin foundation to make sure one block is mined approximately every 10 minutes
• Questions
• Why would you invest your computational power to prepare blocks?
• What are the incentives?
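The puzzle above in runnable form, as an added example that is not from the lecture. It follows the slide's simplified formula rather than Bitcoin's real block header format: SHA-256 stands in for H, and the 8-byte nonce encoding, the all-zero first previous hash, the transaction strings and the toy target of 16 zero bits are all constructed so the search finishes quickly.

```python
import hashlib

GENESIS = bytes(32)        # constructed all-zero "previous hash" for the first block
TARGET = 1 << 240          # toy difficulty: the hash must start with 16 zero bits

def puzzle_hash(nonce, prev_hash, tx_hash):
    """H(nonce || previous_block_hash || hash_current_transactions) as an integer."""
    data = nonce.to_bytes(8, "big") + prev_hash + tx_hash
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def mine(prev_hash, tx_hash, target=TARGET):
    """Brute-force the smallest nonce that solves the puzzle."""
    nonce = 0
    while puzzle_hash(nonce, prev_hash, tx_hash) >= target:
        nonce += 1
    return nonce

def expected_hashes(target):
    """Average attempts needed: each try succeeds with probability target / 2**256."""
    return (1 << 256) // target

def build_chain(tx_batches, target=TARGET):
    """Mine one block per batch; a block here is (transactions, nonce)."""
    chain, prev = [], GENESIS
    for txs in tx_batches:
        tx_hash = hashlib.sha256(txs.encode()).digest()
        nonce = mine(prev, tx_hash, target)
        chain.append((txs, nonce))
        prev = puzzle_hash(nonce, prev, tx_hash).to_bytes(32, "big")
    return chain

def verify_chain(chain, target=TARGET):
    """What every other miner does: one hash per block, no search."""
    prev = GENESIS
    for txs, nonce in chain:
        tx_hash = hashlib.sha256(txs.encode()).digest()
        h = puzzle_hash(nonce, prev, tx_hash)
        if h >= target:
            return False
        prev = h.to_bytes(32, "big")
    return True

if __name__ == "__main__":
    chain = build_chain(["A pays B 3", "B pays C 1"])      # constructed transactions
    forged = [("A pays B 30", chain[0][1])] + chain[1:]    # edit a mined block
    print(verify_chain(chain), verify_chain(forged))
```

Editing a transaction in an already mined block changes its hash, so the stored nonce no longer meets the target and every later block's previous_block_hash stops matching; the forger has to redo the work for that block and all blocks after it.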
Incentives for miners
• Miners help maintain the correct ledger, but there is an incentive
• Every time they mine a block successfully, they collect transaction fees from the transactions they mine
• E.g., I might have a transaction with input address A and 20 bitcoins and output address B and 19 bitcoins
• 1 bitcoin will be the transaction fee for the miner
• You are not required to add transaction fees in your transactions
• But if you do, you are more likely to have your transaction verified
• Is this the only revenue for miners?
How do you put money into the system?
• For every block mined, there is a special transaction called coinbase
• This transaction “creates” money
• E.g., creating a successful block can reward you ~35 Bitcoins
• That is around $9,000 USD
• Concerning the Coinbase transaction
• Starts at 50 BTC
• Halves every 210,000 blocks (around 4 years)
• When it would go to 0, it would not be possible to mine Bitcoins and around that time almost 21 million Bitcoins will have been produced
• THIS IS HARDCODED INTO THE BITCOIN SOURCE
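The schedule on this slide worked through in integer arithmetic, as an added example that is not Bitcoin's source code. It assumes amounts are counted in satoshis (10^-8 BTC) and that each halving is an integer right shift, which is why the reward eventually reaches zero and the total ends just short of 21 million.

```python
COIN = 100_000_000            # satoshis per bitcoin
HALVING_INTERVAL = 210_000    # blocks between halvings (from the slide)
INITIAL_SUBSIDY = 50 * COIN   # "Starts at 50 BTC"

def block_subsidy(height):
    """Coinbase reward in satoshis for the block at this height."""
    halvings = height // HALVING_INTERVAL
    # Integer halving: fractions of a satoshi are dropped, so the reward hits 0.
    return INITIAL_SUBSIDY >> halvings

def supply_schedule():
    """Yield (era, subsidy, cumulative supply) until the subsidy reaches zero."""
    total, era = 0, 0
    while (subsidy := block_subsidy(era * HALVING_INTERVAL)) > 0:
        total += subsidy * HALVING_INTERVAL
        yield era, subsidy, total
        era += 1

def total_supply():
    """All satoshis that will ever be created by coinbase transactions."""
    return list(supply_schedule())[-1][2]

def last_rewarded_height():
    """Height of the final block whose coinbase creates new money."""
    return len(list(supply_schedule())) * HALVING_INTERVAL - 1

if __name__ == "__main__":
    for era, subsidy, total in supply_schedule():
        print(f"era {era:2d}  reward {subsidy / COIN:.8f} BTC  supply {total / COIN:,.8f} BTC")
```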
Forking on the Blockchain
• It might be the case that two nodes get to mine a different block around the same time
• So two nodes can get solutions of different puzzles at the same time
• So the blockchain can degenerate into a tree
• Two miners can store different paths of this tree
• Bitcoin consensus algorithm ensures the longest blockchain will prevail
• The longest chain will always win (it contains the most cumulative hash power)
Recap
• How do you join Bitcoin?
• What happens when you want to send 4 Bitcoins to Alice?
• How is the ledger maintained?
• What is the purpose of the miners?
• How do the miners get paid?
• What happens when two different blocks are mined around the same time?
• Why is Bitcoin similar to the way people used to do business in the past (i.e., using gold)?
Bitcoin and privacy
• Is Bitcoin private?
• Not really. It provides pseudonymity, since no real names appear on the blockchain
• But you can launch linking attacks by analyzing the transaction graph
• Proposed alternatives
• Zerocoin, Zerocash
• These are new cryptocurrencies with privacy
• Intuitive difference between Bitcoin and Zerocash
• A miner in Bitcoin proves that a sender A has the money to pay a sender B
• A miner in Zerocash proves that there is an input transaction from the past that can be sent to B (breaks linkage)
• Complicated crypto constructions called SNARKs are required
Building applications with Bitcoin
• Implementing a commitment over Bitcoin
• I claim I know the solution x to a problem b but I do not want to reveal it to you; I commit to c(x) and I send c = c(x) to you
• You solve the problem
• Then I reveal x to you. How do you know I knew x back then? You check if c(x) = c and that x is a correct solution (I could not have found a different input)
• But if I lied to you, I could just run away and never reveal x to you
• So I would have betrayed you
Implement timed commitment with bitcoin
• Initially, the party A that knows the secret x posts a transaction containing c(x) and carrying a large amount of money.
• The body of the transaction is more complicated
• Informally, it says that if the party does not post another transaction within time t revealing the correct x, then all deposit goes to the other party, otherwise he gets the money back
• So the party knowing x must reveal it, otherwise he loses the whole deposit!
• In general, Bitcoin has a scripting language allowing you to specify more complicated conditions for a transaction to be verified
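The commitment and its deposit rule modelled in Python, as an added example that is not from the lecture and is not Bitcoin Script. SHA-256 over a random 32-byte salt followed by x is an assumed instantiation of c(x), and the function names, the time units and the sample problem are hypothetical.

```python
import hashlib, hmac, os

def commit(x, salt=None):
    """Return (c, salt) with c = SHA-256(salt || x); salt is 32 random bytes."""
    salt = os.urandom(32) if salt is None else salt
    return hashlib.sha256(salt + x).digest(), salt

def opens(c, x, salt):
    """Check that (x, salt) is the value committed to in c."""
    return hmac.compare_digest(c, hashlib.sha256(salt + x).digest())

def settle(c, deposit, deadline, reveal, is_solution):
    """Model of the deposit rule; reveal is (time, x, salt) or None.

    Returns the payout as {"A": ..., "B": ...}, where A is the committing party.
    """
    if reveal is not None:
        when, x, salt = reveal
        if when <= deadline and opens(c, x, salt) and is_solution(x):
            return {"A": deposit, "B": 0}      # correct, timely reveal: refund
    return {"A": 0, "B": deposit}              # silent, late or wrong: forfeit

def guess_unsalted(c, candidates):
    """Why the salt matters: a bare hash of a guessable x can be searched."""
    for x in candidates:
        if hashlib.sha256(x).digest() == c:
            return x
    return None

if __name__ == "__main__":
    is_solution = lambda x: x == b"42"         # constructed stand-in for "solves b"
    c, salt = commit(b"42")
    print(settle(c, 100, 10, (5, b"42", salt), is_solution))   # revealed in time
    print(settle(c, 100, 10, None, is_solution))               # never revealed
```

The salt gives the hiding property: without it, the other party could test candidate solutions against c before the reveal.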
One step further: Smart contracts
• Bitcoin scripting language is not Turing-complete
• How about if more complicated conditions should be responsible for the flow of cash in the system?
• E.g.,
• Play rock-paper-scissors on Bitcoin and make sure money goes to the winner, without having a trusted third party overseeing the process
• Smart contracts: You can write programs in a Turing-complete language and have miners verify transactions by executing these contracts
• Example: Ethereum
• Research: Privacy-preserving smart contracts (talk to me if you are interested)