Bitcoin and Cryptocurrencies (source: enee457.github.io/lectures/week13/Bitcoin.pdf)

Bitcoin and Cryptocurrencies Charalampos Papamanthou University of Maryland ENEE 459C


What is Bitcoin?

• Bitcoin is an e-cash system enabling us to move from currency (either paper or digital) based on and regulated by centralized banks to a fully decentralized currency
• Bitcoin is not the first attempt to digitize cash
  • Lots of work on e-cash in the past (beginning with the work of David Chaum)
  • All e-cash works use a centralized party to prevent double-spending
• Bitcoin works because it offers the right incentives
  • If you help maintain the correctness of the system, you will earn some Bitcoins
  • "Help" means offering some of your computational power to verify transactions (more on that later)
• Bitcoin was first described in a seminal paper by the anonymous Satoshi Nakamoto

Interesting properties of Bitcoin

• Transparent
  • All the transactions made by Bitcoin users are recorded in a public ledger
  • See www.blockchain.info
  • Problem with privacy?
• Finite
  • There is an upper bound on the total amount of bitcoins that will ever be spent (there is no Federal Reserve here that can arbitrarily "print Bitcoins")
  • Simulates the gold standard
• Based on crypto and distributed algorithms
  • Owning money is equivalent to knowing a secret (in particular the secret key of a digital signature)
  • Making sure that no double spending occurs is based on novel distributed algorithms (consensus)

Other properties of Bitcoin

• Global
  • Can be used to send money all across the world with very small fees (as opposed to fees charged by major banks)
• Also, you can trade Bitcoins for dollars and vice-versa
  • To buy and sell Bitcoins, go to https://www.coinbase.com/
• What do you get when you buy Bitcoins?
• Current price of Bitcoin

Where can I pay with Bitcoin?

History of Bitcoin

• 2009: Satoshi Nakamoto's paper
• 2009-2011:
  • Price less than 1 dollar
  • Community of enthusiasts
• 2013-today
  • Substantial growth
  • In December 2013, price reached 1000 dollars
  • Media coverage
  • Lots of startups facilitating Bitcoin adoption
  • Venture capitalists' investment

Bitcoin price

How does it work?

• Main purpose of banks is to maintain balances correctly
  • E.g., if I send you 10 dollars, the bank needs to subtract 10 dollars from my account and send 10 dollars to your account
  • This is one of the most fundamental bank operations
  • The whole banking system works because we trust the banks to do so correctly
  • Partly for this service, we have to pay all these fees to the banks
• Bitcoin main idea
  • Do away with banks completely and maintain this file of balances in a distributed fashion
• But how do you pump money into this new economy?
  • Pay people in Bitcoins to help maintain this file of balances, called "ledger"

Bitcoin addresses

• Bitcoin addresses serve as the "account number" in your bank
• Every individual can have as many Bitcoin addresses as he wants
  • Very easy to create
  • No fees at all for having one
• My Bitcoin address
  • 1Eq8hdVuGGii61QMhppNP5z27832dMwztG
  • It now has 0.01 BTC associated with it
  • Let's verify that

What is this Bitcoin address?

• If you want to get into Bitcoin
  • You need to generate a (SK, PK) pair
  • Of course, keep your SK secret
• The bitcoin address is an encoding of a hash of PK
  • bitcoin_address = enc(hash(PK))
• Make your PK available to everybody so that you can receive payments
• Downloading and installing the Coinbase app will take care of all of this so that you are ready to send and accept Bitcoin payments

A simple transaction

• Alice wants to pay 3 Bitcoins to Bob
• Alice owns 3 Bitcoins at address A
• Bob has address B
• To pay Bob, Alice creates a transaction and broadcasts it to the whole network
• The transaction contains
  • Addresses A and B
  • The public key associated with A
  • Amount 3 Bitcoins
  • A digital signature on the message of all the above, created with Alice's secret key
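
The checks implied by this slide, as an added example (not from the lecture): a node accepts the transaction only if the public key hashes to address A, the signature verifies over A, B, the key and the amount, and A holds enough coins. Assumptions: a Lamport one-time hash-based signature stands in for Bitcoin's ECDSA so the code needs only the standard library, a truncated SHA-256 in hex stands in for enc(hash(PK)), and all function names and the balances dictionary are hypothetical.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key pair: SK is 256 pairs of random secrets, PK their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)

def address(pk) -> str:
    # Stand-in for enc(hash(PK)): hex encoding of a truncated SHA-256 of PK.
    return H(pk_bytes(pk))[:20].hex()

def msg_bits(msg: bytes):
    digest = int.from_bytes(H(msg), "big")
    return [(digest >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per bit of the message digest (use each key only once).
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify_sig(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def tx_message(tx) -> bytes:
    # "The message of all the above": addresses A and B, PK of A, amount.
    return f'{tx["from"]}|{tx["to"]}|{tx["amount"]}|'.encode() + pk_bytes(tx["pk"])

def make_tx(sk, pk, to_addr: str, amount: int):
    tx = {"from": address(pk), "to": to_addr, "amount": amount, "pk": pk}
    tx["sig"] = sign(sk, tx_message(tx))
    return tx

def verify_tx(tx, balances) -> str:
    # Everything checked here is public; no secret key is needed to verify.
    if address(tx["pk"]) != tx["from"]:
        return "public key does not match address A"
    if not verify_sig(tx["pk"], tx_message(tx), tx["sig"]):
        return "bad signature"
    if balances.get(tx["from"], 0) < tx["amount"]:
        return "insufficient funds"
    return "ok"
```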

Blockchain

• There are certain nodes on the network called miners that maintain the correct ledger of transactions
• Miners put transactions into blocks, and broadcast their blocks containing transactions that are consistent
  • E.g., a valid block cannot contain the following two transactions
    • A sent x Bitcoins to B (say B had 0 Bitcoins before)
    • B sent 2x Bitcoins to B
• Once a claimed correct block is broadcast, it needs to be verified by other miners before it gets added into the Blockchain
• Eventually, all miners will get to see the same blockchain
• This is the blockchain we see at blockchain.info
• On average, a new block is created every 10 minutes

How do miners reach consensus?

• Distributed computing consensus
  • N players having inputs Boolean values x_1, x_2, …, x_N. They begin with some correct state state
  • There is a well-defined function f(x_i, state) = state' deciding whether x_i can be added to the state or not
  • Variable state contains only inputs that are true
  • How can I compute a new state state'?
    • Easy! Send all x_i's to a trusted bank! Then it can easily compute the function
    • We want distributed! Send all x_i's to a player, and ask him to compute
    • Does not work: Some of them can be malicious, computing a wrong function (and you do not know this ahead of time)
• Goal: Maintain the correct state in the distributed system (i.e., if someone asks the system what its state is, he can get a reliable answer containing only true x_i's)

Distributed algorithm to reach consensus

• All players store the initial state and their input x_i
• Pick a player j uniformly at random
• The player broadcasts its input x_j
• All players update their local state using state' = f(state, x_j)
• Theorem (informal): If you keep querying the system (namely, ask for every player to output their local state), you will eventually be able to decide some correct new state state' ≠ state of the system iff a majority of players is honest.
• Honest means:
  • My x_i is true
  • I run the f algorithm correctly
• Why is picking uniformly at random important? (If I always pick the bad guys, the system will never move on to a new state state' (the good guys will always reject bad inputs!) and we will be stuck with the old state)

Bitcoin consensus

• It is an instantiation of what we described before
  • Players are miners
  • state is the blockchain, containing blocks that contain valid transactions
• So what is the difference?
  • Remember an important requirement of the consensus protocol is that every time I should pick someone uniformly at random.
  • How do I pick someone uniformly at random in Bitcoin?
  • In particular, how do I pick someone uniformly at random in a distributed fashion?
  • Proofs of Work!!!

How does a miner prepare a block

• A miner receives a bunch of transactions from users
• He checks to see that the transactions he has are valid
• He organizes the transactions into a block b
• Now he is ready to broadcast his block and update the state of the system
• Wait, the theorem says he needs to be chosen at random
• Well, to be eligible for broadcasting, he needs to solve a computational puzzle and submit its solution
• Basically, the computational puzzle requires him to invert a hash

Bitcoin Blocks and Transactions

What is the nonce in each block?

• Each block submitted by a miner has a nonce
• This nonce is the solution to the following puzzle
  • H(nonce || previous_block_hash || hash_current_transactions) < target_value
  • The block will be accepted after the above is checked
  • The smaller target_value is, the higher the difficulty
  • The above mechanism serves for choosing some miner at random, making sure the ledger is maintained correctly
• The smaller target_value is, the higher the difficulty of the puzzle
  • Adjusted by the Bitcoin foundation to make sure one block is mined approximately every 10 minutes
• Questions
  • Why would you invest your computational power to prepare blocks?
  • What are the incentives?
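
An added example (not from the lecture) of the puzzle on this slide: a miner searches for a nonce, and other nodes check both the puzzle and the link to the previous block, so editing an old block invalidates the chain. It follows the slide's formula with a single SHA-256; the 16-bit difficulty, the transaction strings, the block layout and the function names are constructed for illustration and are not Bitcoin's actual header format.

```python
import hashlib

TARGET = 1 << 240  # constructed difficulty: the hash must start with 16 zero bits

def tx_digest(transactions) -> bytes:
    # hash_current_transactions: one digest over the block's transactions
    return hashlib.sha256("\n".join(transactions).encode()).digest()

def puzzle_hash(nonce: int, prev_hash: bytes, tx_hash: bytes) -> bytes:
    # H(nonce || previous_block_hash || hash_current_transactions)
    return hashlib.sha256(nonce.to_bytes(8, "big") + prev_hash + tx_hash).digest()

def block_hash(block) -> bytes:
    return puzzle_hash(block["nonce"], block["prev"], tx_digest(block["txs"]))

def solves_puzzle(block, target: int) -> bool:
    return int.from_bytes(block_hash(block), "big") < target

def mine(prev_hash: bytes, transactions, target: int):
    # No shortcut is known: try nonces until the hash falls below the target.
    tx_hash, nonce = tx_digest(transactions), 0
    while int.from_bytes(puzzle_hash(nonce, prev_hash, tx_hash), "big") >= target:
        nonce += 1
    return {"prev": prev_hash, "txs": list(transactions), "nonce": nonce}

def check_chain(chain, target: int, genesis_prev: bytes = bytes(32)) -> str:
    # What other miners verify before accepting blocks: the link and the puzzle.
    prev = genesis_prev
    for height, block in enumerate(chain):
        if block["prev"] != prev:
            return f"block {height}: does not extend previous block"
        if not solves_puzzle(block, target):
            return f"block {height}: nonce does not solve the puzzle"
        prev = block_hash(block)
    return "ok"

def build_chain(batches, target: int = TARGET):
    # Mine one block per batch of transactions, each linked to the one before.
    chain, prev = [], bytes(32)
    for txs in batches:
        chain.append(mine(prev, txs, target))
        prev = block_hash(chain[-1])
    return chain
```

Halving the target doubles the expected number of nonces a miner must try, which is the sense in which a smaller target_value means higher difficulty.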

Incentives for miners

• Miners help maintain the correct ledger, but there is an incentive
  • Every time they mine a block successfully, they collect transaction fees from the transactions they mine
  • E.g., I might have a transaction with inputs address A and 20 bitcoins and outputs address B and 19 bitcoins
  • 1 bitcoin will be the transaction fee for the miner
• You are not required to add transaction fees in your transactions
  • But if you do, you are more likely to have your transaction verified
• Is this the only revenue for miners?

How do you put money into the system?

• For every block mined, there is a special transaction called coinbase
  • This transaction "creates" money
  • E.g., creating a successful block can reward you ~35 Bitcoins
  • That is around $9,000 USD
• Concerning the Coinbase transaction
  • Starts at 50 BTC
  • Halves every 210,000 blocks (around 4 years)
  • When it would go to 0, it would not be possible to mine Bitcoins and around that time almost 21 million Bitcoins will have been produced
  • THIS IS HARDCODED INTO THE BITCOIN SOURCE

Forking on the Blockchain

• It might be the case that two nodes get to mine a different block around the same time
  • So two nodes can get solutions of different puzzles at the same time
  • So the blockchain can degenerate into a tree
    • Two miners can store different paths of this tree
• Bitcoin consensus algorithm ensures the longest blockchain will prevail
  • The longest chain will always win (it contains the most cumulative hash power)
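
A small simulation of the fork described on this slide, added as an example (not from the lecture): two nodes hear competing blocks in a different order, hold different tips, and converge once one branch becomes longer. The block names, the Node class and the rule of keeping the first-seen block on a tie are assumptions of the example.

```python
class Node:
    def __init__(self):
        self.parent = {"G": None}   # block id -> parent id; "G" is the genesis block
        self.height = {"G": 0}
        self.tip = "G"

    def receive(self, block, parent):
        # Assumes the parent block was already received by this node.
        self.parent[block] = parent
        self.height[block] = self.height[parent] + 1
        # Switch only to a strictly longer chain; on a tie keep the first one seen.
        if self.height[block] > self.height[self.tip]:
            self.tip = block

    def chain(self):
        # Walk back from the current tip to the genesis block.
        path, block = [], self.tip
        while block is not None:
            path.append(block)
            block = self.parent[block]
        return path[::-1]

def simulate():
    n1, n2 = Node(), Node()
    for node in (n1, n2):
        node.receive("B1", "G")
    # Constructed fork: X and Y both extend B1 and are mined at about the same time.
    n1.receive("X", "B1")
    n1.receive("Y", "B1")          # n1 heard X first, so it stays on X
    n2.receive("Y", "B1")
    n2.receive("X", "B1")          # n2 heard Y first, so it stays on Y
    during = (n1.chain(), n2.chain())
    # The next block extends Y; the Y branch is now longer for everyone.
    for node in (n1, n2):
        node.receive("Z", "Y")
    after = (n1.chain(), n2.chain())
    return during, after
```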

Recap

• How do you join Bitcoin?
• What happens when you want to send 4 Bitcoins to Alice?
• How is the ledger maintained?
• What is the purpose of the miners?
• How do the miners get paid?
• What happens when two different blocks are mined around the same time?
• Why is Bitcoin similar to the way people used to do business in the past (i.e., using gold)?

Bitcoin and privacy

• Is Bitcoin private?
  • Not really. It provides pseudonymity, since no real names appear on the blockchain
  • But you can launch linking attacks by analyzing the transaction graph
• Proposed alternatives
  • Zerocoin, Zerocash
  • These are new cryptocurrencies with privacy
• Intuitive difference between Bitcoin and Zerocash
  • A miner in Bitcoin proves that a sender A has the money to pay a sender B
  • A miner in Zerocash proves that there is an input transaction from the past that can be sent to B (breaks linkage)
  • Complicated crypto constructions called SNARKs are required

Building applications with Bitcoin

• Implementing a commitment over Bitcoin
  • I claim I know the solution x to a problem b but I do not want to reveal it to you; I commit to c(x) and I send c = c(x) to you
  • You solve the problem
  • Then I reveal x to you. How do you know I knew x back then? You check if c(x) = c and that x is a correct solution (I could not have found a different input)
• But if I lied to you, I could just run away and never reveal x to you
  • So I would have betrayed you

Implement timed commitment with bitcoin

• Initially, the party A that knows the secret x posts a transaction containing c(x) and carrying a large amount of money.
• The body of the transaction is more complicated
  • Informally, it says that if the party does not post another transaction within time t revealing the correct x, then all deposit goes to the other party, otherwise he gets the money back
• So the party knowing x must reveal it, otherwise he loses the whole deposit!
• In general, Bitcoin has a scripting language allowing you to specify more complicated conditions for a transaction to be verified
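
The commitment from the previous slide and the deposit rule from this one, modelled off-chain as an added example (not from the lecture and not Bitcoin script). Assumptions: c(x) is SHA-256 over a random 32-byte value r followed by x, time is an integer clock, and the ledger dictionary, class and function names are hypothetical.

```python
import hashlib
import secrets

def commit(x: bytes):
    # c(x): hash commitment; the random r keeps c from leaking guesses about x.
    r = secrets.token_bytes(32)
    return hashlib.sha256(r + x).digest(), r

class TimedCommitment:
    """Toy model of the deposit transaction; `ledger` maps party -> balance."""

    def __init__(self, ledger, committer, counterparty, c, deposit, deadline):
        if ledger[committer] < deposit:
            raise ValueError("committer cannot fund the deposit")
        ledger[committer] -= deposit          # the deposit is locked together with c(x)
        self.ledger, self.committer, self.counterparty = ledger, committer, counterparty
        self.c, self.deposit, self.deadline = c, deposit, deadline
        self.settled = False

    def reveal(self, x: bytes, r: bytes, now: int) -> bool:
        # Refund only for a correct opening posted within time t.
        if self.settled or now > self.deadline:
            return False
        if hashlib.sha256(r + x).digest() != self.c:
            return False
        self.ledger[self.committer] += self.deposit
        self.settled = True
        return True

    def claim(self, now: int) -> bool:
        # After the deadline with no valid reveal, the deposit goes to the other party.
        if self.settled or now <= self.deadline:
            return False
        self.ledger[self.counterparty] += self.deposit
        self.settled = True
        return True

def scenario(reveal_at=None, wrong_x=False):
    ledger = {"A": 10, "B": 0}                # constructed balances
    x = b"solution to problem b"
    c, r = commit(x)
    tc = TimedCommitment(ledger, "A", "B", c, deposit=10, deadline=100)
    if reveal_at is not None:
        tc.reveal(b"something else" if wrong_x else x, r, reveal_at)
    tc.claim(now=101)                         # B tries to collect once time t has passed
    return ledger
```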

One step further: Smart contracts

• Bitcoin scripting language is not Turing-complete
• How about if more complicated conditions should be responsible for the flow of cash in the system?
• E.g.,
  • Play rock-paper-scissors on Bitcoin and make sure money goes to the winner, without having a trusted third party overseeing the process
• Smart contracts: You can write programs in a Turing-complete language and have miners verify transactions by executing these contracts
  • Example: Ethereum
  • Research: Privacy-preserving smart contracts (talk to me if you are interested)