Crypto Currencies And Bitcoin
Nicolas T. Courtois
- University College London, UK
Crypto Currencies
UCL Bitcoin Seminar
UCL crypto currency seminar and special interest group.
THUR 30/01 12h-14h Chandler G10, Wakefield street, Chandler house.
THUR 06/02 12h-14h Chandler G10, Wakefield street, Chandler house.
Thur 13 FEB 2014 12h00-14h00 Gordon Square (25) 107
then days and rooms might change…
2 Nicolas T. Courtois 2009-2014
keep in touch: UCL Moodle or ask me [email protected]
Moodle page: moodle.ucl.ac.uk/course/view.php?id=26219 pwd= ???
Public page: www.want2pay.com => redirection
This Seminar
This is a university research seminar, with talks, demos, discussions, etc.
Our goals are:
• Learn non-trivial facts about bitcoin, highly technical maths and crypto.
• Discover many “facts” we have been told about bitcoin are… NOT true.
– break bitcoin: will require serious effort.
• Improve bitcoin - so that it would be resistant to cybercriminals / NSA.
– write our own software and apps, looking for developers
• Develop methods to investigate what is going on in these networks:
– for example undoing the anonymity, discovering statistically significant patterns, etc.
• Produce scientific works and Master/PhD theses about bitcoin.
The seminar will run every week at UCL. Slides and other materials will be made available on a selective basis.
I will also invite external people as speakers and stakeholders.
Donations Policy
Address for donations: 1DsGj3NJKgFLGw9PUi2a7VDmwEF5bnaaq
Donations will be spent on:
• Drinks and food for participants of this seminar
• Student stipends
• Research expenses
Speakers Wanted!
Speakers are wanted, also from business startups, bankers, lawyers, etc.
Send proposals of talks to: [email protected]
• speaker and affiliation
• title of your presentation
• 2-5 lines executive summary
• 10+ pages of supporting material: sample slides, white paper, etc – to evaluate the quality/pertinence of your talk.
• time requested: 15 min / 30 min / 45 min.
Students planning to do an M.Sc. thesis on bitcoin are expected to deliver 2 short 15 min. talks before they are accepted to do their thesis on bitcoin.
Crypto Research at UCL
Dr. Nicolas T. Courtois
1. cryptologist and codebreaker
2. specialist of smart cards (e.g. bank cards, Oyster cards etc…)
Our Works on Bitcoin
Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935
Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/
more in preparation.
Introducing Bitcoin
Bitcoin In A Nutshell
• bitcoins are cryptographic tokens
– stored by people on their PCs or mobile phones
• ownership is achieved through digital signatures:
– you have a certain cryptographic key, you have the money. Publicly verifiable.
• it is a distributed system which has no central authority
– but I will not claim it is decentralized, this is simply not true!
– a major innovation is that financial transactions CAN be executed and policed without trusted authorities. Bitcoin is a sort of financial cooperative or a distributed business.
• based on self-interest:
– a group of some 100 K people called bitcoin miners own the bitcoin “infrastructure”
– they make money from newly created bitcoins and fees
– at the same time they approve and check the transactions.
– a distributed electronic notary system
In Practice
Who Accepts Bitcoin?
Full P2P Client: http://bitcoin.org/en/download
14 giga, 24 hours…
Mobile Apps - Android
Is Bitcoin Money?
Money
Key invention in human history: money
- here is some money for your research
Is Bitcoin Money?
• We will NOT claim it has all the characteristics of money.
– it definitely has some!
– they are traded against traditional currencies at a number of exchanges.
– bitcoins are “legal” by default,
– there were some attempts to regulate them and even ban them by governments.
Two Main Functions of Money
1. Store Value
2. Allow Payment
(3. Unit of Account)
⇒ possible and frequent separation of these two functions 1. 2.
⇒ both money and payments become more “virtual”…
Evolution of Money – Store Value
• Precious natural resources: salt etc
• Gold, Silver, Other Metals => Coins
• Paper Money
• Money as Electronic Record + Legal Protection + Government Guarantee
• 21st century: Cryptographic E-Cash
Evolution of Payments
• Physical Cash (Bank Notes, Coins) = M0
• Cheques
• Electronic Bank Transfer 20 days => 15 min…
• E-Purse Systems: geldkarte, London Oyster
• Bank Cards
• Contact-less Bank Cards, e.g. MasterCard PayPass
• 21st century: Cryptographic E-Cash.
difference?
Gold = “Global Single Currency”??
Most countries abandoned the gold standard during the Great Depression,
– one of the earliest was the Bank of England [1931].
Much later, in 1971: the United States abandons it. Nixon Shock
“Fiat Money”
Def: Government-issued money not convertible for anything particular (e.g. gold, goods etc).
Its value is controlled by the monetary policy and managed by the central bank.
BOTTOM LINE
1. Store Value
2. Allow Payment
CAN BE IMPLEMENTED DIFFERENTLY!
SEPARATION IS NOT FORBIDDEN
Bitcoin Mining
Bitcoin
Bitcoin =… the most popular peer-to-peer payment and virtual currency system as of today
belongs to no one, anarchy
Crypto Currencies
Bitcoin
Decentralized peer to peer payment system which works as currency:
=> has units of value which can be exchanged for “real money”. Currently 1BTC= 950 USD.
Based on cryptography and network effects.
Anarchy, not supported by any government and not issued by any bank.
*Disruption?
Disruptive Technology:
def: Allows us to do things which just could not be done before…
**Citations
Bitcoin is:
• Wild West of our time [Anderson-Rosenberg]
• There is no “undo” button for sth. like bitcoin [Mike Gogulski]
• “Just thinking about bitcoin makes you a better person” – Max Keiser
Krugman vs. Bitcoin Community
• What’s wrong with Bitcoin? [title]
• Bitcoin is …
– just one of possible ways to pay electronically [irony ☺]
• “the anti-social network”
• “Bitcoin is evil” (he later claimed it was a joke)
– Paul Krugman, Nobel prize in economics
Another Nobel Prize:
In Davos Jan 2014:
“It is a bubble, there is no question about it. … It’s just an amazing example of a bubble.”
– Robert Shiller, Nobel prize in economics, awarded specifically for work on asset bubbles.
13 April 2013
HOWEVER
Cyprus vs. Bitcoin – April 2013
correlation in Google searches
Before April 2013
surprised that bitcoin could rise…
• then there was a Cyprus banking crisis…
• opinions about how crazy it was that bitcoin could rise
crazy?????????? they have seen nothing yet!
13 April 2013
Bitcoin is:
• Digital Gold! - The Economist
13 April 2013 – “Digital Gold”
10-11 April 2013 – MtGox 24h shutdown
Jan 2013-Jan 2014
14 => 1000 USD
Miracle Of Bitcoin
Removes two pillars of money:
• “trust” => Peer 2 Peer self-regulation based on self-interest?
• legal/government protection and policing => anarchy!
Is Bitcoin Money?
A Currency?
*Recall: Two Main Functions of Money
1. Store Value
2. Allow Payment
(3. Unit of Account)
Are They Crazy?
Anything can be “money” if sufficiently many people accept it… (e.g. salt).
Question of:
• popularity
legal tender, government standardization and regulation <= recently thousands of press reports about bitcoin
• trust
trustworthy authority <= assumption that majority of people are “honest”
MUCH WEAKER… NO NEED TO TRUST ANYONE
Is Bitcoin Money?
Legal Side
Timely Denial
**Can Bitcoin Circumvent Laws?
Like “this is not money” => therefore we don’t do anything which falls within remit of existing laws (securities trading, gambling etc..)
Maybe. Not so easy: judge Amos Mazzant issued a memorandum arguing that bitcoin was “a currency or a form of money” (FinCEN has said otherwise that virtual currencies were not ‘currency’ such as legal tender or fiat currencies).
Then SEC clearly stated that transactions in bitcoins are financial transactions like any other, and are within their remit.
Bitcoin Is Subject To Laws!
Governments, judges and regulators will apply the rules which they think applicable, they are emerging and they are being clarified.
Bitcoin laundry question:
• If I mix bitcoins with other people.
• UK: Proceeds of the Crime Act, If I have assisted sb. in money laundering, I must report it to the Police or I can be prosecuted and go to prison.
*UK
Overheard: UK FCA has (for now?) classified Bitcoin as not being “money”
Strange: UK HMRC have suggested that bitcoins are “VAT taxable vouchers”
– however if bitcoin is regarded as a good, when you buy it you should pay 20% VAT
⇒ totally inappropriate classification, huge problem, and heavily criticised so far,
⇒ under re-evaluation now
Is Bitcoin “Electronic Money”?
Directive 2009/110/EC of the European Parliament and of the Council defines the concept of “electronic money”,
Article 2: electronic money “means electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions […], and which is accepted by a natural or legal person other than the electronic money issuer”.
Is Bitcoin “Electronic Money”?
This has been disputed;
• YES, electronically stored monetary value
YES but stored in a diffused distributed way and valid if not spent and with regard to a majority of ASIC votes…
• NO as represented by a claim on the issuer
• there is no “LEGAL” entity acting as issuer
• however
– there is no legal obligation but a technical and practical claim which works, not a debt though,
– and YES there exist issuers: miners,
– or a collective issuer… “the bitcoin community”
Bitcoin in Germany
Bitcoin is “private money” in Germany.
Sweden
Sweden: Bitcoin = method of payment.
Finland: detailed rules, closer to a commodity.
Canada
Very good environment, ATMs, start-ups
Bitcoin is…
“a low-cost replacement for credit cards and other payment mechanisms”
Very close to the business of
• PayPal
• Mastercard
• CurrencyFair
Bitcoin is a direct threat to all these companies.
Slow Adoption?
plastic cards: it took 100 years to get people to use them
Adoption:
BTW: plastic cards? In recent news:
**Blacklisting Bitcoin By Banks
P2P Payment
Bitcoin Network
• Peer to peer, decentralized, no central authority, one ASIC one vote, => no third party risk [no need to trust the banker!]
• Knows no limits, borders, laws, etc…
• Computers connected into a P2P network…
• Every transaction can be downloaded by anyone…
1 client app
Network Properties
• Bitcoin is also a network
• And a community: adopters, developers, miners, speculators, etc…
• Upgrade the software, change the spec:
– people vote with their feet
– Bitcoin belongs to no one
Network Properties
• homogenous nodes: they do the same job
– true only for the “full nodes”:
• Satoshi client a.k.a. bitcoind,
• currently at version 0.8.6. for PC
• it appears that the current network resembles “a random graph”
Key Properties of Bitcoin
• Pseudonymous, NOT anonymous
• Ledger-based. Ledger is entirely public.
• Notion of account:
– has a balance in BTC.
• Wallet:
– computer file which stores "the money".
• Based on Digital Signatures
Wallets
• Wallet: file which stores your “money".
• A Bitcoin client App is also called a wallet
• Four types:
1. Decent PC, full P2P node, stores ALL history - 14 Gbytes, trusts no one.
2. Mobile apps: trust and rely on servers for DB and authenticity; but stores money locally.
3. Cloud apps: all is stored in the cloud!
4. Offline systems: protect your assets from cybercriminals
More Properties of Bitcoin
• Scarce, like gold (in fact worse than gold)
• Divisible into small pieces
– 10 nBTC = 1 Satoshi = 1 / 100 million BTC
Digital Currency
Digital Currency
1. Sth. that we know… String of Bits.
+ additional layers of security:
2. Sth that we can do (capability): BETTER.
– can be used without loss of confidentiality…
– in bitcoin money = a certain private ECDSA key…
=> PK-based Currency, an important modern application of Digital Signatures!
Main Problem?
The string of bits can be “spent twice”.
“PK Capability”: can be used twice as well…
Avoiding this “Double Spending” is the main problem when designing a digital currency system.
Crypto
**Crypto Citations
About Bitcoin:
• Security depends on maths, not people.
• The accuracy of past transactions is guaranteed by cryptography, which is a special type of mathematics ☺
**Crypto Misconceptions
THIS IS WRONG:
• SHA-256 is a cipher and provides confidentiality.
– No, it is a hash function and provides integrity of everything [hard to modify/cheat]
• "Bitcoins are encrypted": WRONG
– ONLY if you encrypt your wallet, not everybody does.
– Also could use SSL in P2P connections…
• not done as far as I can see.
Bitcoin and PKI
Security of Bank Cards
NOT like this
Here we see the EMV bank card PKI
2 private keys, Pin Encryption key can be different
4x 3DES ICC Master Key
ATC = Application Transaction Counter
SAD = Static Authentication Data = PAN + Exp + …
**Elliptic Curve
PhD-level maths used to provide Digital Signature functionality.
Bitcoin
High level:
– not PKI,
– approval by majority « one ASIC, one vote »
Low level:
– Traditional digital signatures, ECDSA 256 bits.
– Problem: public keys are hashed on 160 bits,
• The NSA can create colliding hashes!
– Two addresses, each will be able to take the money.
– We see no practical attack scenario however. Why would they do this?
Cost of Bitcoin?
Who Makes Bitcoins?
Most users of bitcoin cannot manufacture them anymore [expensive, invest 10,000 USD]
• violation of the original idea of Satoshi Nakamoto [he postulated in his paper that everybody should be mining]
⇒ buy them
Buy Bitcoins From Miners!
⇒ higher cost,
⇒ buy them at market price…
Why don’t people manufacture their own digital currency?
• they do: Chinacoin etc… Small popularity…
• more interesting to use bitcoin:
– network effects, positive externalities (more merchants accept it)
• A digital currency could be more democratic: see CPU coins.
Cost of Ownership?
Problem:
• Exchanging many small bitcoins against one larger sum can sometimes have a non-zero cost…
Anonymity:
• Tricks used to obtain relative anonymity will have a certain cost…
– and will take a lot of time:
• large multiple of 10 minutes…
Costs of Running the Cash Money System
Paper money
• 0.05 $ / note in the US. So maybe 5%.
• cannot be less => there would be more fraud!
Cost of bitcoin = cost of electricity (ignoring fixed costs).
Cost is similar: high profitability of mining, which however decreases every day…
Paper money: zero transaction costs? – State-sponsored fiction.
Bitcoin: zero transaction costs? There are fees. – However expected to be less than many bank “monopoly fees”.
Block Chain
(and Mining - expanded much later)
Bitcoin Mining
• Minting: creation of new currency.
Creation + re-confirmation of older transactions
Random Oracle – like mechanism
[Diagram: data from previous transactions, RNG, miner’s public key; HASH must start with 60 zeros]
Ownership:
– “policed by majority of miners”:
– only the owner can transfer [a part of] 25 BTC produced.
Block Chain
Def: A transaction database shared by everyone.
Also a ledger.
Every transaction since ever is public.
Each bitcoin “piece” is a union of things uniquely traced to their origin in time (cf. same as for several banknotes due to SN)
Fork – Hard To Avoid, 1% of the time
Fork – Miners Choose Their Version
Longest Chain Rule
“1 ASIC 1 vote”
Insight
If 2 solutions happen with probability 1/100
The chance that both will be extended before one of them reaches the miner of the other (making him stop) will be about (1/100)^2
Etc..
Negligible chance to go on forever, one branch is longer and wins.
Can Sb. Cancel His Transaction?
Yes if he produces a longer chain with another version of the history.
Very expensive, race against the whole network (the whole planet).
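The longest chain rule and the cost of cancelling a transaction, as an added example that is not part of the original slides: a toy proof-of-work chain in which editing an old block breaks validation, and a rewritten history is only adopted once it is longer than the honest one. The block layout, the 12-bit difficulty, the tie-break and all names are assumptions made for the illustration.

```python
# Added example (not from the slides): toy proof-of-work chain.
import hashlib

BITS = 12                 # toy difficulty in leading zero bits (the slide quotes 60 zeros)
GENESIS = b"\x00" * 32    # assumed "previous hash" of the very first block


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def block_hash(block: dict) -> bytes:
    # Hash input: previous block hash, transaction data, miner's public key, nonce.
    header = (block["prev"]
              + hashlib.sha256(block["txs"].encode()).digest()
              + hashlib.sha256(block["miner_pk"].encode()).digest()
              + block["nonce"].to_bytes(4, "big"))
    return sha256d(header)


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def mine(prev: bytes, txs: str, miner_pk: str, bits: int = BITS) -> dict:
    """Try nonces until the block hash starts with enough zero bits."""
    block = {"prev": prev, "txs": txs, "miner_pk": miner_pk, "nonce": 0}
    while leading_zero_bits(block_hash(block)) < bits:
        block["nonce"] += 1
    return block


def build_chain(tx_batches, miner_pk, start=GENESIS, bits=BITS):
    chain, prev = [], start
    for txs in tx_batches:
        block = mine(prev, txs, miner_pk, bits)
        chain.append(block)
        prev = block_hash(block)
    return chain


def first_invalid(chain, bits=BITS):
    """Index of the first block with a bad link or bad proof of work, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        digest = block_hash(block)
        if block["prev"] != prev or leading_zero_bits(digest) < bits:
            return i
        prev = digest
    return None


def select_chain(candidates, bits=BITS):
    """Longest valid chain wins; on a tie the one listed (seen) first is kept."""
    valid = [c for c in candidates if first_invalid(c, bits) is None]
    return max(valid, key=len) if valid else None


def demo():
    honest = build_chain(["mint to A", "A pays B 1 BTC", "B pays C"], "honest-pk")
    # Editing an old transaction without redoing the work is detected.
    tampered = [dict(b) for b in honest]
    tampered[1]["txs"] = "A pays M 1 BTC"
    # Redoing the work from block 1 onwards gives a valid but equally long chain.
    fork_point = block_hash(honest[0])
    rewritten = honest[:1] + build_chain(["A pays M 1 BTC", "B pays C"],
                                         "attacker-pk", start=fork_point)
    # Only one more block on top makes the rewritten history win.
    longer = rewritten + build_chain(["extra block"], "attacker-pk",
                                     start=block_hash(rewritten[-1]))
    return {
        "honest_ok": first_invalid(honest) is None,
        "tampered_bad_at": first_invalid(tampered),
        "tie_keeps_honest": select_chain([honest, rewritten]) == honest,
        "longer_wins": select_chain([honest, longer]) == longer,
    }


if __name__ == "__main__":
    print(demo())
```

Each extra zero bit doubles the expected number of hash attempts per block, which is what makes outrunning the rest of the network expensive.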
Bitcoin Address
Ledger-Based Currency
A “Bitcoin Address” = a sort of equivalent of a bank account.
Three formats.
– First format like full Pkey 2*32 byte points, redundant!
"scriptPubKey":"04a39b9e4fbd213ef24bb9be69de4a118dd0644082e47c01fd9159d38637b83fbcdc115a5d6e970586a012d1cfe3e3a8b1a3d04e763bdc5a071c0e827c0bd834a5 OP_CHECKSIG"
– Hash it on 160 bits, conceals the PK key! (NSA: attacks possible!).
• e.g. 0568015a9facccfd09d70d409b6fc1a5546cecc6
– Recode with checksum on 1+20+4 bytes checksum, 160+32 bits,
• Base58: 1VayNert3x1KzbpzMGt2qdqrAThiRovi8 27-34 chars
PK itself remains confidential until some part is spent.
SK = private key is always kept private, allows transfer of funds.
Step 1: Hash
40 chars (nibbles)
Step 2: checksum / convert
27-34 chars
Base_58 O0I1
*****On 1 Slide
Bitcoin Ownership
Amounts of money are attributed to public keys.
Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK addresses.
Destructive, cannot spend twice: not spent => spent
Bitcoin Circulation
Transfer
In / Out
Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK addresses.
=> 0 inputs possible if minting transaction… new money.
=> Several outputs are a norm for bitcoin transactions, never seen a transaction with one output [possible].
Bitcoin Transfer
Owner of a certain “Attribution to PK” can at any moment transfer it to any other PK address.
“Attribution to PK”= digital signature by an owner of previous attribution which transfers a certain amount to the new PK.
Caveat: Each attribution can be traced back to the initial mining event.
Bitcoin Myths (not true)
“Transactions are irreversible,”
• really???? The opposite can be argued:
– The Longest Chain Rule means probabilistic certitude,
• HOWEVER in theory EVERY TRANSACTION CAN BE INVALIDATED, (at a large expense),
⇒ possible even 100 years later
⇒ if there is a longer chain!
“No intermediary in transactions?”
– Not true (unless one of the parties is a miner)
Bitcoin Transactions:
• between any two addresses [and any two network nodes],
– at any time [no market closing hours].
– validated within 10-60 minutes.
• should wait longer for larger transactions, beware of “cheating miners”…
• many websites accept instantly,
– they trust your application not to double spend
– and trust miners to reject the second spend based on later time, easy!
Bitcoin Transfer
Transactions have multiple inputs and multiple outputs.
[Diagram: Input Bitcoin Addresses => Transaction Signed by All Owners with their SK => Output Bitcoin Addresses. Amounts shown: 0.2 BTC, 1.3 BTC; 0.001 BTC; 0.499 BTC, 1.0 BTC + Fees]
Bitcoin Transfer
Transactions have multiple inputs and multiple outputs.
– helps for anonymity.
– destroys all current attributions,
– requires everybody’s signature
Input Bitcoin Addresses: can repeat, specifies tx origin + index of each!
The transaction is signed but invalid to start with, it becomes valid only when confirmed many times by other people (embedded in many new blocks)
frequently repeat some input addresses
could all belong to the same person
[Diagram: Input Bitcoin Addresses => Transaction Signed by All Owners with their SK => Output Bitcoin Addresses (0, 1). Amounts shown: 0.2 BTC, 1.3 BTC; 0.001 BTC; 0.499 BTC, 1.0 BTC + Fees]
Example 1
can repeat input addresses
tx origin + index of each is included in the rawtx
Example 2 = Raw Transaction
unique ID on 256 bits = the hash of the whole
list of input attributions: origin tx, index n, ECDSA signature
list of output attributions: 0, 1, each with H(recipient PK) and amount BTC
***Scripts
Another attribution is spent here = Signature Script
list of output attributions: 0, 1, each with H(recipient PK) and amount BTC
SCRIPT = a “method” on how to spend this money, a set of instructions for the receiver of the money
Remarks:
About 20 million transactions ever made.
To know the balance of one account, we must “in theory” store ALL the transactions which send money to this address and then check ALL transactions made since then to see whether these are not already spent.
Full bitcoin network nodes store all transactions ever made and check their correctness (all the digital signatures).
About 14 Gbytes data, 24 hours full check.
In practice one could skip check for things confirmed by many miners… dangerous though. There is no absolute proof that miners have already checked them (maybe they forgot, a bug).
Huge Problems:
Do they KNOW what they are signing?
Who signs first?
What if one signs and the others refuse or manipulate the transaction on the fly?
What if some other inputs in this transaction are involved in illegal activity?
Etc…
Bitcoin Transfer
Each PK has a balance, say 1.3 BTC
current balance = sum(unspent attributions).
Attributions are ALWAYS destroyed when used,
• Change: return some money to ourselves inside the same transaction
– this implies most transactions have 2 or more outputs
– can use another fresh address for better anonymity
same owner? no way to know for sure…
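The balance rule above and the full-history check from the Remarks slide, as an added example that is not part of the original slides: a toy ledger in which a balance is the sum of unspent attributions, every used attribution is destroyed, change goes back to a fresh address and a second spend is refused. Signatures are left out, all names are made up for the illustration, and reading the diagram's amounts as 0.2 + 1.3 BTC in, 1.0 + 0.499 BTC out and 0.001 BTC fee is an assumption.

```python
# Added example (not from the slides): a toy ledger of "attributions".
# Signature checks are omitted; addresses are plain strings, amounts are satoshis.
from dataclasses import dataclass

BTC = 100_000_000  # satoshis per bitcoin


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # ((origin txid, output index), ...); empty for minting
    outputs: tuple   # ((address, amount in satoshis), ...)


class Ledger:
    def __init__(self):
        self.txs = {}     # txid -> Tx: the whole public history
        self.spent = {}   # (origin txid, index) -> txid of the spending transaction

    def apply(self, tx: Tx) -> int:
        """Check tx against the history, record it, return the fee in satoshis."""
        if tx.txid in self.txs:
            raise ValueError("duplicate transaction id")
        if not tx.outputs or any(amount <= 0 for _, amount in tx.outputs):
            raise ValueError("need at least one positive output")
        if len(set(tx.inputs)) != len(tx.inputs):
            raise ValueError("same attribution listed twice")
        total_in = 0
        for origin, index in tx.inputs:
            known = self.txs.get(origin)
            if known is None or not 0 <= index < len(known.outputs):
                raise ValueError("input refers to an unknown attribution")
            if (origin, index) in self.spent:
                raise ValueError("double spend")
            total_in += known.outputs[index][1]
        total_out = sum(amount for _, amount in tx.outputs)
        if tx.inputs and total_out > total_in:
            raise ValueError("outputs exceed inputs")
        for ref in tx.inputs:          # attributions are destroyed when used
            self.spent[ref] = tx.txid
        self.txs[tx.txid] = tx
        # 0 inputs = minting (the reward size is not checked in this toy).
        return total_in - total_out if tx.inputs else 0

    def balance(self, address: str) -> int:
        """Sum of unspent attributions to this address, found by scanning everything."""
        return sum(amount
                   for tx in self.txs.values()
                   for i, (addr, amount) in enumerate(tx.outputs)
                   if addr == address and (tx.txid, i) not in self.spent)


def run_demo():
    ledger = Ledger()
    # Constructed history: two attributions to two addresses of the same owner.
    ledger.apply(Tx("mint-1", (), (("alice-1", 20_000_000),)))     # 0.2 BTC
    ledger.apply(Tx("mint-2", (), (("alice-2", 130_000_000),)))    # 1.3 BTC
    pay = Tx("pay-1",
             (("mint-1", 0), ("mint-2", 0)),
             (("bob", 1 * BTC), ("alice-change", 49_900_000)))     # 1.0 + 0.499 BTC
    fee = ledger.apply(pay)                                        # what is left over
    try:
        ledger.apply(Tx("pay-2", (("mint-1", 0),), (("mallory", 20_000_000),)))
        rejected = False
    except ValueError:
        rejected = True
    names = ("alice-1", "alice-2", "alice-change", "bob", "mallory")
    return fee, {n: ledger.balance(n) for n in names}, rejected


if __name__ == "__main__":
    print(run_demo())
```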
Bitcoin Circulation
Sometimes IP addresses known, rare cases
*Fees => Miner
Anonymity
**Anonymity Citations
• Bitcoin is NOT particularly anonymous BUT it is SUPER DENIABLE – Dan Kaminsky
=> about creation of unlimited new identities, I can claim it was not me… one person becomes many pseudonyms…
Anonymity???
Transactions: ≥0 inputs, ≥1 outputs
Due to practical and risk management questions, most of the time (???) ALL inputs belong to the same person or to people who know each other.
Anonymity??? - IP Address Reporting
© Bissessar Shiva and Nicolas Courtois, UCL 2013
Anonymity??? - Currency Circulation
© Bissessar Shiva and Nicolas Courtois, UCL 2013
Anonymity??? - Following 3.7 M$ For 24h
© Bissessar Shiva and Nicolas Courtois, UCL 2013
Anonymity with PK-based Currency
For unspent money: hide any of
– the owner’s ID (btw. his Public Key can be a secret, technicality!)
– the “spending” location can be hidden with TOR
=> potentially with state of the art countermeasures, the potential thief has no way to locate the money!
Bad anonymity when you spend,
• can split larger amounts in many pieces to avoid being seen when you spend.
• still hard to do…
**Anonymity?
Goal: return some money to itself inside the same transaction
– use another fresh address for better anonymity
– transactions also have multiple input addresses,
• allows perfect mixing in theory…
⇒ in practice we expect that “most of the time” most input addresses belong to the same person as one of the output addresses.
⇒ some geographical / side channel information could link them in pairs
⇒ unless money is pre-split in standardized amounts like 0.01 BTC and always used as such.
⇒ Then no change is ever returned.
Due to practical and risk management questions, most of the time (?) ALL inputs belong to the same person or to people who know each other.
Also
The secret billionaire syndrome:
– in bitcoin the PK can be secret forever in practice (technicality)!
– (also the payer location can be hidden very well, TOR).
– potentially with state of the art countermeasures, the potential thief has no way to locate the money!
– not so good anonymity when you spend,
• can split in many pieces to avoid being seen when you spend.
Anonymity Tips / Counter Arguments
Tips:
• use multiple addresses, new address for each transaction
• create dummy movements
• play lottery, buy/sell shares, exchange against EUR/USD
• use mixing services, mix small amount at a time
• avoid EVER connecting your name with any of your Bitcoin addresses
• Hide your IP address with TOR
Counter arguments:
• no evidence that this helps, these addresses “meet” in the graph of transactions which is not a random graph
• must pay fees
• PERFECT if we cant trust these companies, nobody will now know which addresses belong to you
• impossible in practice, exp. probability
• Not a silver bullet
Misconceptions / Counter Arguments
• Bitcoin eliminates identity theft, there is no identity to be stolen [Rosenberg-Anderson]
• On the contrary, it creates new insidious forms of identity theft for the pseudonymous identity:
• Example: steal someone’s private keys by a cyber attack, use for money laundering, this creates serious criminal justice problems against which there is no insurance
Transparency
Non-Anonymity Is Valuable:
Charity, political party, any publicly managed organization:
• Everybody knows how much money is donated.
• Everybody knows how money was spent.
What If FAQ
What If / Answer
What if:
• My private key or password is lost.
• I have an older backup for my wallet
• Password is easy guess
• RNG is faulty
Answer:
• All money is lost, NOBODY can recover it
• Some money will be recovered, not all.
• My money will be stolen by an anonymous person ASAP.

Bitcoin Mining

Money Out of Thin Air

Bitcoin Mining
• Minting: creation of new currency. Creation of “money” + re-confirmation of older transactions
[Diagram: data from previous transactions → HASH]

*Quiz Question
• What is wrong here?
[Diagram: data from previous transactions, RNG and miner’s public key → HASH; output must start with 60 zeros]

Block Chain
Def: The bitcoin transaction database shared by everyone.

Bitcoin Ownership
Ownership:
– “policed by everyone”:
– only the owner of the ……… can transfer [a part of] 25 BTC produced.
[Diagram: data from previous transactions, RNG and miner’s public key → HASH; output must start with 60 zeros]

Bitcoin Randomization
Nonce = def?
Which arrow?
[Diagram: data from previous transactions, RNG and miner’s public key → HASH; output must start with 60 zeros]

Bitcoin Randomization
Nonce = Number Used Only Once
Strange: it repeats in the main bitcoin block chain.
Example: 0x04111A63 x 2
What is responsible for that? What else can be randomized here? Why is this necessary?
[Diagram: data from previous transactions, nonce and miner’s public key → HASH; output must start with 60 zeros]

Bitcoin Mining
• Minting: creation of new currency. Creation + re-confirmation of older transactions
Random Oracle – like mechanism. What????????????????
Means: treat as a DETERMINISTIC black box which answers at random.
YES it is… However now I’m going to show it isn’t. Marginal improvement (a constant factor).
[Diagram: data from previous transactions, RNG and miner’s public key → HASH; output must start with 60 zeros]

Five Generations of Miners
1. CPU Mining
Example: Core i5 2600K, 17.3 Mh/s, 8 threads, 75W
CPU = about 4000 W / Gh/s

Four Generations

Four Generations of Miners
2. GPU Mining
Example: NVIDIA Quadro NVS 3100M, 16 cores, 3.6 Mh/s, 14W
CPU = about 4000 W / Gh/s, in this case
GPU = about 4000 W / Gh/s, in this case
Who said GPU was better than CPU? Not always.

Four Generations of Miners
3. FPGA Mining
Example: ModMiner Quad, 4 FPGA chips, 800 Mh/s, 40W
CPU, GPU = about 4000 W / Gh/s
FPGA = about 50 W / Gh/s, in this case
100x less energy.

*Why Negative?
13 April 2013 – “Digital Gold” (now stopped)

Five Generations of Miners
FPGA: 100x less energy.
Still much less with ASIC:
Good points: asynchronous logic, arbitrary gates, etc.
Drawback: hard to update!
Another 10 – 100 times improvement.
(100x is cheating: I was comparing one 28 nm ASIC to one 45 nm FPGA)

Five Generations of Miners
4. ASIC Miners
CPU, GPU = about 4000 W / Gh/s
FPGA = about 50 W / Gh/s
ASIC = now down to 0.35 W / Gh/s
Overall we have improved the efficiency 10,000 times since Satoshi started mining in early 2009…
Like 1000% per year improvement.

Today
13 April 2013 – “Digital Gold”

Five Generations of Miners!
5. Quantum Miners?
Business Law: Every technology improved by 30%, 67%, 1000% each year???????????????

“Bad-Fly” Labs and their angry customers
1 W per GH/s????????????????????
3.2 W !!!!!!!!!!!!!!!

BitFury vs. Butterfly
Better Miners: less nm
65 nm / 28 nm?

ASICs Comparison By power / Gh/s
[Chart labels: 0.35 W in low power mode; 3.2 W; 1.4 W; 1 W]
cf. https://en.bitcoin.it/wiki/Mining_hardware_comparison

Bitcoin And Hash Functions

Our Paper: arxiv.org/abs/1310.7935

Mining Overview
[Diagram: hashed data from previous transactions; 3x SHA-256 compression]
Goal: find a valid pair (merkle_root, nonce) which gives 60 bits at 0 in H2
CISO Problem: Constrained Input Small Output

Mining Internals
[Diagram: hashed data from previous transactions]

Bitcoin Hash Functions And Block Ciphers (!)

SHA-256 Compression Function
cf. Pieprzyk, Matusiewicz et al.
[Diagram labels: block cipher, Davies-Meyer]

Fact:
The process of BitCoin Mining is no different than a brute force attack on a block cipher:
– Apply the same box many times, with different keys…
– Here the block cipher is a part of a hash function but it does NOT matter.
• 98% of computational effort is evaluating this block cipher box with various keys and various inputs
• Like a random oracle.
[Diagram: BLOCK CIPHER box with inputs PLAIN and KEY]

Davies-Meyer
Transforms a block cipher into a hash function.
In SHA-256 we have: block size=256, 64 rounds, key size=256 expanded 4x.
[Diagram: M_i (message block) → KEY; IV or last hash → PLAIN; CIPHER output → HASH]

***One Round of SHA-256
cf. Pieprzyk, Matusiewicz et al.

Optimising Mining (38% gain)
Like Generation 4.1.

Hashing Block of 300+ Bits
cf. Pieprzyk, Matusiewicz et al.
padding added

Padding

+ Second Hash

Inputs

Davies-Meyer

Mining Internals
[Diagram: hashed data from previous transactions]

Improvement 1 – Amortized Cost(H0)=0

Improvement 2 – Gains 3 Rounds At the End

Improvement 3 – Gains 3 Rounds At the Beginning
– they do NOT depend on the nonce
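Why H0 costs nothing per nonce (Improvement 1) and why the first rounds of H1 are nonce-free (Improvement 3), shown as an added Python example that is not code from the slides or the paper. The header field values are constructed, the target is a toy 12 zero bits instead of 60, and `hashlib`'s `copy()` stands in for a saved SHA-256 state.

```python
import hashlib
import struct

# Constructed sample header fields (not a real block).
VERSION = 2
PREV_HASH = hashlib.sha256(b"constructed previous block").digest()
MERKLE_ROOT = hashlib.sha256(b"constructed transactions").digest()
TIMESTAMP = 1391000000
BITS = 0x1D00FFFF  # carried in the header; the toy target is passed separately


def header_prefix():
    """The 76 header bytes that precede the 4-byte nonce."""
    return (struct.pack("<I", VERSION) + PREV_HASH + MERKLE_ROOT
            + struct.pack("<II", TIMESTAMP, BITS))


def nonce_word_index(prefix):
    """Index of the 32-bit word that holds the nonce in the second 64-byte block.

    Words before it (end of merkle root, time, bits) feed the first rounds
    of H1, which is why those rounds do not depend on the nonce.
    """
    return (len(prefix) - 64) // 4


def meets_target(digest, zero_bits):
    # Bitcoin reads the final digest as a little-endian 256-bit integer.
    return int.from_bytes(digest, "little") < (1 << (256 - zero_bits))


def mine_naive(prefix, zero_bits, max_nonce=1 << 32):
    """Recompute all three compressions (H0, H1, H2) for every nonce."""
    for nonce in range(max_nonce):
        header = prefix + struct.pack("<I", nonce)
        digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
        if meets_target(digest, zero_bits):
            return nonce, digest
    return None


def mine_midstate(prefix, zero_bits, max_nonce=1 << 32):
    """Compute H0 once, then only H1 and H2 for every nonce."""
    h0 = hashlib.sha256(prefix[:64])   # state after block 1: no nonce in it
    tail = prefix[64:]                 # 12 bytes: words W0..W2 of block 2
    for nonce in range(max_nonce):
        h1 = h0.copy()                 # reuse the saved state
        h1.update(tail + struct.pack("<I", nonce))
        digest = hashlib.sha256(h1.digest()).digest()   # H2
        if meets_target(digest, zero_bits):
            return nonce, digest
    return None


if __name__ == "__main__":
    prefix = header_prefix()
    nonce, digest = mine_midstate(prefix, 12)
    print("nonce word index in block 2:", nonce_word_index(prefix))
    print("nonce:", nonce, "hash:", digest[::-1].hex())
```

Both search functions return the same nonce and digest; the second one performs two compressions per attempt instead of three.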

Improvement 4 – Incremental Computation

Improvement 4 - contd
– Incremental Computation
1 increment instead of 400 gates.

Improvement 5 – Gains 18 Additions ≈ 3600 gates

Improvement 6 – Saving 2 More Additions ≈ 400 gates with Hard Coding
AND SAVE LIKE HALF of the next addition!
(addition with a constant = cheaper, depends on the constant, needs a sort of ‘compiler’, slowly changing)

Message Schedule
[Diagram labels: => just copy for 16 R; non-trivial part]

Improvement 7 - Fact:
Some early values do NOT yet depend on the nonce. In H1 computation only (left column).

Improvement 7 – 3 more
2 more 32-bit additions are saved by hard coding, and more for the next addition
(again, adding a constant, depends on the constant, average cost maybe saving another 1? addition).
Some 600 extra gates saved.

Improvement 8 – 1 More Incremental
We have: nonce

Optimising The Mining

Future – Dan Kaminsky

San Diego Bitcoin Conference May 2013
Earlier he said that he has no stakes in ‘this game’. Then at minute 40 he claims that the current Bitcoin Proof of Work function based on SHA-256 will not survive “the year” (to be replaced before end of 2013). He says that he assigns zero percent probability that “we” will continue with the present POW function. Back to CPU mining.
https://www.youtube.com/watch?v=si-2niFDgtI

SHA-256 to be phased out?
https://www.youtube.com/watch?v=si-2niFDgtI
HOWEVER:
NOBODY OWNS BITCOIN
We claim the contrary: any attempt to change the POW is close to impossible to enforce AND if mandated by some group of people, it will lead to a SPLIT IN THE BITCOIN COMMUNITY.
An organised divorce of people and software developers who will be running two separate block chain versions.

Mining In Pools

Why Pools?
Reason 1. To smooth the gains: Instead of waiting 1 year to get 25 BTC, why not get a little money every day?
Reason 2. Huge Incertitudes: Law Of Bitcoin Mining: It follows the Poisson Distribution:
– If for example in 1 month the miner expects to find 4 blocks, the standard deviation is about √4=2.
– In one month he will find 6, in some months he will find 2, sometimes he will find 0.
VERY STRESSFUL. Cannot sleep at night.
• Does my miner work correctly??? Wait for 10 years to see…
• Are other miners cheating? Am I getting a fair share???
– [YES, as we will see later miners can cheat and earn more than other miners]

What Are Pools?
• A group of small to average miners who work together. Also protects their anonymity, also a social dimension:
• Effectively a cooperative: can provide support, mentoring, shared hosting, stats, management apps etc…
• Beware: single point of failure: pool servers.
– can break down, miners will lose millions of dollars.
– can attack the network (for example filter transactions which are accepted).

Major Pools In Existence
Miners tend to flock to the largest pools.
One pool has in early 2014 reached 50%. They have publicly said: please leave, do not join.
• 50% attack = total control of bitcoin by one single entity.

Pools Operation
Question: but is there a “fair and secure” implementation?
Answer: Probably There Isn’t. There is already ample literature on this.

Bitcoin Share
A proof of effort: allows one to be paid.
=def= A hash starting with 32 zeros (one in 2^32 hashes).
[Diagram: block B0 (63 zeros); a share (32 zeros), reward paid; much later, after 2^41 shares have been found… new block B1 (63 zeros)]

Trouble With Mining Management
Q: How to prevent people from hiding their “winning ticket” from the pool?
Maybe embed information about “the pool” inside each potential block data. Not enough:
*Solution 1: Mine with a private key known to individual miners?
⇒ Allows all miners to cheat.
⇒ We would need to trust the network (e.g. other miners) not to accept this block outside of the pool. Seems impossible.
Solution 2: Mine with a private key not known to individual miners!
⇒ Allows the pool manager to steal the money. Must be trusted.
⇒ BTW. This risk is mitigated by frequent pay-outs
⇒ The only plausible solution in existence.

*Stale/Rejected Shares
No precise definition. Used when large quantities of out-of-date shares are produced: a problem in a pool where miners have not been notified that their work is out of date (it might however become good again later) due to fork situations.
[Diagram: blocks B0 and B1 (63 zeros each); one share (32 zeros) marked “reward granted”, another share (32 zeros) marked “useless share…”]

**Dupe Shares
Apparently in certain pools it does happen that 2 people produced the same share.
Short answer: Pools should be designed in such a way that it does not happen…

Attacks: Pool Hopping Attack

Pool Hopping
The “Pool Hopping Attack” was amply studied by Rosenfeld.
It allows malicious miners to obtain gains which are in proportion higher than their fair share.
How?
Remember the pools work like a lottery, a group of people plays together for up to 1 winning ticket to share.

Pool Hopping – Main Idea
If a miner mines in a pool in which a lot of shares have already been submitted and no block has yet been found, he will gain less in expectation because the reward will be shared with the miners who have contributed to this pool.
Therefore at a certain moment it may be profitable to stop mining in this pool and contribute elsewhere (reward will be shared with less people).
This remains valid even if the pools penalize leavers and refuse to pay for their contribution if they do not mine for a complete “shift”. It is still profitable for miners to quit and mine for another pool (or mine independently).

Pool Hopping – Defenses
This attack works more or less well depending on how exactly pools are managed and also depending on the actions of other miners.
It can be shown that hoppers will earn more than normal “continuous” miners.
Various reward and pool management methods have been proposed in order to discourage pool hopping and some reward methods can be shown to be immune to this attack.
[cf. Rosenfeld works]
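The effect described on the “Main Idea” slide, as an added Python example for pool operators comparing reward methods (not code from the slides or from Rosenfeld's papers): with an equal split of the block reward, the expected payout of a share depends on how old the round is, while a flat per-share payout does not. The per-share block probability of 1/1000 is a constructed toy value, and the flat scheme is an assumption standing in for the immune reward methods the slides mention without naming.

```python
import math

BLOCK_REWARD = 25.0   # BTC per block, the figure used on the slides
P_TOY = 1.0 / 1000    # toy chance that a share is also a block (constructed value)


def proportional_share_value(k, p=P_TOY, reward=BLOCK_REWARD, tol=1e-15):
    """Expected payout of one share submitted when k shares are already in
    the round, if the pool splits the reward equally over all N shares.

    The round ends j shares from now (this share included) with probability
    p*(1-p)**(j-1), and this share then earns reward/(k+j).
    """
    total, survive, j = 0.0, 1.0, 1
    while survive > tol:
        total += p * survive / (k + j)
        survive *= 1.0 - p
        j += 1
    return reward * total


def flat_share_value(p=P_TOY, reward=BLOCK_REWARD):
    """Payout per share when every share is paid its expected worth,
    regardless of the state of the round."""
    return reward * p


def relative_value(ages, p=P_TOY):
    """(round age in shares, proportional value / flat value) pairs."""
    fair = flat_share_value(p)
    return [(k, proportional_share_value(k, p) / fair) for k in ages]


def closed_form_fresh_round(p=P_TOY):
    """Ratio for k = 0: sum over j >= 1 of (1-p)^(j-1)/j = -ln(p)/(1-p)."""
    return -math.log(p) / (1.0 - p)


if __name__ == "__main__":
    for k, ratio in relative_value([0, 100, 500, 1000, 3000]):
        print(f"{k:5d} shares already in round: {ratio:.3f} x flat value")
```

A ratio above 1 early in the round and below 1 later is the imbalance that rewards hopping; a reward method is immune when this ratio stays at 1 for every round age.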

Attacks: - Mining Cartel Attack

Mining Cartel Attack
50% of miners decide to totally ignore blocks mined by other people. Likely to always succeed.
Only subversive miners make money from mining.
(there is no need to cheat on transactions, would also be possible for 50% of miners).

Attacks: - Difficulty Raising Attack

*Difficulty Raising Attack
Very theoretical, powerful adversary. [Lear Bahack 2013]
A powerful attacker is secretly preparing an alternative version of the blockchain.
At the same time he is manipulating the automatic difficulty adjustment mechanism in his secret chain in order to increase the probability that his chain will eventually be recognized as surpassing the public honest chain.
If this happens, the attacker reveals his secret chain.
This can be used to commit double-spending or to cancel some transactions.

Confidential Crypto Optimisation Attack

Confidential Crypto Optimization Attack
A group of miners hire cryptologists to develop a secret method to mine more efficiently.
Similar but better than 38% gain of:
Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935

Selfish Mining and Block Discarding Attacks [2013]

Selfish Mining Attacks
Proposed independently by Eyal-Sirer [Cornell] and also by Bahack [Open Univ. of Israel] in 2013.
Very famous, “bitcoin is broken” etc…
In fact this is a very theoretical attack, most probably without a lot of practical importance…

**Large Scale Attacks

**Buying a Fork
A fork in the main chain can be created retroactively…
Imagine that at any moment in history we want to re-create the past 18M of transactions.
⇒ In order to cheat: roll-back a large transaction from 18M ago.
⇒ Let’s imagine that this transaction was 20% of all money in the Bitcoin network. May pay for our ASICs.
⇒ CAN this operation be profitable (?).

**Paradox of Waiting – Saves Money
A fork created retroactively… Thought experiment.
WARNING: THIS THOUGHT EXPERIMENT ASSUMES THAT THE DIFFICULTY IS CONSTANT.
In reality in bitcoin network the difficulty increases. However it could be constant if there is no progress in producing new better miners.

**Paradox of Waiting – Saves Money
A fork created retroactively… Thought experiment.
– Imagine today is time = M18.
– Imagine I can today pay for last 18M of fork to roll-back on all trans.
• For 18M at the (high) price of X billion USD.
– With Moore’s law wait for 18M longer, at M36 all will be twice cheaper,
• better do it 2x18M for the same price.
• For the next 18M spend lots of money within bitcoin network, all expenses will be cancelled 18 months later!

**Paradox – contd.
– With Moore’s law wait for 36M longer, at M54 all will be 4 times cheaper,
• better do it 3x18M for the price of 3/4.
– With Moore’s law wait for 48M longer, at M72 all will be 8 times cheaper,
• better do it 4x18M for the price of 4/8.
– Etc… the longer you wait the less it will cost to buy EVERYTHING BACK TO -18M from today + forgive all our expenses in the meantime.
– WICKED! Total price tends to zero.

Reward Halving

Built-in Deflationary Scarcity

AltCoins

Alt - Coins
Some examples

“Stupid Coin” syndrome.
Exact clones are UNBELIEVABLY stupid.
• just stupid copy and paste of open source code
• they have tiny chances of survival:
– network effects make ALL stupid clones highly problematic because a currency cannot exist without having a large community of adopters…

“Stupid Coin”?
More serious contenders must have 1+2:
1. Have a number of adopters (or pay for promotion/advertising)
– have operational wallet software like android…
– be traded on exchanges…
2. Display some sort of “competitive advantage”, must be different or better than bitcoin in some aspect
– actually should be like substantially better,
• adoption barriers: small improvements are just NOT enough

Review
For each contender we look at strong and weak points.
We start with weak points of bitcoin itself because altcoins can only claim to exist if they do sth that bitcoin does not do. Or not well enough.

BitCoin
Cons:
• Bad anonymity
• No longer democratic, monopolized by cartels
• Performance
– Slow transactions
– Important hard drive usage by clients (12 G)
– Takes ages to synchronize (like 1 day on a good PC)

Scam Coins
Avoid, listed at
http://altcoins.com/scamcoins

LiteCoin = LTC
Pros:
• Number 2 = “digital silver”, >1 Billion USD Market Cap.
• Exchanged at BTC-e and elsewhere.
• Android client, >10 000 downloads.
• MORE DEMOCRATIC. SCRYPT. Mined with GPUs.
– many people will mine LTC just because they have nothing to do with their GPUs.
• Went up from like 1 USD to 40 USD in Dec 2012.
Cons:
• Clearly appreciation went a lot upwards just due to the rising price of bitcoins, NOT because Litecoin is used or exchanged more. Bad sign for all altcoins.
• World is full of recycled GPUs no longer profitable for bitcoins, owners have no choice, they just mine litecoins even if profitability is very low.

PeerCoin = PPCoin = PPC
Pros:
• Number 3, 100 M USD market cap.
• Exchanged at BTC-e.
• POW+POS (Proof of Stake), even more democratic, green
• Unlimited monetary supply
– adding at most 1% more coins each year,
– similar to gold itself or better!
Cons:
• Does not promise to go through the roof for savers.
• Partly centralized: check pointing

**QuarkCoin = QRK
Pros:
• Some 20 M USD market cap...
• Multiple hashing
• New block every 30 seconds
• Again linearly growing monetary supply
– adding at most 0.5% more coins each year,
– again similar to gold itself
Cons:
• Not better than Peercoin?

DevCoin = DVC
Pros:
• Pays developers, artists etc.
• Super ethical: “Devcoins provide an income for everyone who wants to work”, even if they are not very competitive.
Cons:
• small adoption…

NameCoin = NMC
Brilliant:
• coins are generated for free when mining bitcoins (“merge mined”)
• key/value registration and transfer system like DNS
Cons:
Cyber squatters buying pairs to re-sell them later

PrimeCoin = XPM
Pros:
• Does sth. interesting for cryptologists and mathematicians.
• Traded on BTC-e.
Cons:
• Not widely known yet, little press coverage.

*TerraCoin = TRC
Cons: one of these stupid-coins without a single distinctive feature.

*FeatherCoin = FTC
A fork in litecoin blockchain.
• Minor differences

*NovaCoin = NVC
A descendant and sort of clone of peercoin
Pros:
• Same as PPC
• Variable inflation: depends on popularity. How?
Cons:
• Same as PPC

CPU coins
Def. Coins designed to be mined with CPUs.
PGC – Pangucoin – China - based on scrypt-jane
MEG – MemoryCoin – super-ethical? = aims to empower the economically and financially marginalized
PTS – ProtoShares – claimed GPU resistant