ENEE 457: Computer Systems Security 11/30/16 Lecture 24...
ENEE 457: Computer Systems Security, 11/30/16
Lecture 24: Bitcoin and Decentralized Cryptocurrencies
Charalampos (Babis) Papamanthou
Department of Electrical and Computer Engineering, University of Maryland, College Park
What is Bitcoin?
• Bitcoin is an e-cash system enabling us to move from currency (either paper or digital) that is based on and regulated by centralized banks to a fully decentralized currency
• Bitcoin is not the first attempt to digitize cash
  • Lots of work on e-cash in the past (beginning with the work of David Chaum)
  • All e-cash works use a centralized party to prevent double-spending
• Bitcoin works because it offers the right incentives
  • If you help maintain the correctness of the system, you will earn some Bitcoins
  • "Help" means offering some of your computational power to verify transactions (more on that later)
• Bitcoin was first described in a seminal paper by the anonymous Satoshi Nakamoto
Interesting properties of Bitcoin
• Transparent
  • All the transactions made by Bitcoin users are recorded in a public ledger
  • See www.blockchain.info
  • Problem with privacy?
• Finite
  • There is an upper bound on the total amount of bitcoins that will ever be spent (there is no Federal Reserve here that can arbitrarily "print Bitcoins")
• Simulates the gold standard
• Based on crypto and distributed algorithms
  • Owning money is equivalent to knowing a secret (in particular the secret key of a digital signature)
  • Making sure that no double spending occurs is based on novel distributed algorithms (consensus)
Other properties of Bitcoin
• Global
  • Can be used to send money all across the world with very small fees (as opposed to the fees charged by major banks)
• Also, you can trade Bitcoins for dollars and vice-versa
  • To buy and sell Bitcoins, go to https://www.coinbase.com/
  • What do you get when you buy Bitcoins?
• Current price of Bitcoin
History of Bitcoin
• 2009: Satoshi Nakamoto's paper
• 2009-2011:
  • Price less than 1 dollar
  • Community of enthusiasts
• 2013-today
  • Substantial growth
  • In December 2013, price reached 1000 dollars
  • Media coverage
  • Lots of startups facilitating Bitcoin adoption
  • Venture capitalist investment
How does it work?
• Main purpose of banks is to maintain balances correctly
  • E.g., if I send you 10 dollars, the bank needs to subtract 10 dollars from my account and send 10 dollars to your account
  • This is one of the most fundamental bank operations
  • The whole banking system works because we trust the banks to do so correctly
  • Partly for this service, we have to pay all these fees to the banks
• Bitcoin main idea
  • Do away with banks completely and maintain this file of balances in a distributed fashion
  • But how do you pump money into this new economy?
  • Pay people in Bitcoins to help maintain this file of balances, called the "ledger"
Bitcoin addresses
• Bitcoin addresses serve as the "account number" in your bank
  • Every individual can have as many Bitcoin addresses as he wants
  • Very easy to create
  • No fees at all for having one
• My Bitcoin address
  • 1Eq8hdVuGGii61QMhppNP5z27832dMwztG
  • It now has 0.01 BTC associated with it
  • Let's verify that
What is this Bitcoin address?
• If you want to get into Bitcoin
  • You need to generate a (SK, PK) pair
  • Of course, keep your SK secret
• The bitcoin address is an encoding of a hash of PK
  • bitcoin_address = enc(hash(PK))
• Make your PK available to everybody so that you can receive payments
• Downloading and installing the coinbase app will take care of all these so that you are ready to send and accept Bitcoin payments
A simple transaction
• Alice wants to pay 3 Bitcoins to Bob
  • Alice owns 3 Bitcoins at address A
  • Bob has address B
• To pay Bob, Alice creates a transaction and broadcasts it to the whole network
• The transaction contains
  • Addresses A and B
  • The public key associated with A
  • Amount: 3 Bitcoins
  • A digital signature on the message of all the above, created with Alice's secret key
Blockchain
• There are certain nodes on the network called miners that maintain the correct ledger of transactions
• Miners put transactions into blocks, and broadcast their blocks containing transactions that are consistent
  • E.g., a valid block cannot contain the following two transactions
    • A sent x Bitcoins to B (say B had 0 Bitcoins before)
    • B sent 2x Bitcoins to C
• Once a claimed correct block is broadcast, it needs to be verified by other miners before it gets added into the Blockchain
• Eventually, all miners will get to see the same blockchain
  • This is the blockchain we see at blockchain.info
  • On average, a new block is created every 10 minutes
What do miners do?
• Distributed computing consensus
  • N players (malicious and honest) start with input values x_1, x_2, …, x_N and some previously agreed state
  • Goal of the protocol
    • All honest players eventually output one value x_i and the new state' = f(state, x_i)
    • This value must have been generated by an honest node
• This looks quite easy!
• Is it?
Distributed algorithm to reach consensus
• All players store the initial state and their input x_i
• Pick a player q uniformly at random
• Step 1: The player q sends its input x_q to all other nodes, proposing it to be the new extension to state
  • (if the player is honest it sends the same correct input to all other nodes, otherwise it can behave arbitrarily)
• Step 2: All honest players verify x_q and compute the new state'
• Theorem (informal): If the majority of players is honest, then eventually the system will reach consensus
Bitcoin consensus
• It is an instantiation of what we described before
  • Players are miners
  • state is the blockchain, containing blocks that contain valid transactions
  • The inputs are the new blocks that are being generated
• So what is the difference?
  • Remember, an important requirement of the consensus protocol is that every time I should pick someone uniformly at random.
  • How do I pick someone uniformly at random in Bitcoin?
  • In particular, how do I pick someone uniformly at random in a distributed fashion?
  • Proofs of Work!!!
How does a miner prepare a block
• A miner receives a bunch of transactions from users
• He checks to see that the transactions he has are valid
• He organizes the transactions into a block b
• Now he is ready to broadcast his block and update the state of the system
• Wait, the theorem says he needs to be chosen at random
• Well, to be eligible for broadcasting, he needs to solve a computational puzzle and submit its solution
• Basically, the computational puzzle requires him to invert a hash
What is the nonce in each block?
• Each block submitted by a miner has a nonce
• This nonce is the solution to the following puzzle
  • H(nonce || previous_block_hash || hash_current_transactions) < target_value
• The block will be accepted after the above is checked
• The above mechanism serves for choosing some miner at random, making sure the ledger is maintained correctly
• The smaller target_value is, the higher the difficulty of the puzzle
  • Adjusted by the Bitcoin foundation to make sure one block is mined approximately every 10 minutes
• Questions
  • Why would you invest your computational power to prepare blocks?
  • What are the incentives?
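The two jobs of the miner described on the last few slides, as an added Python example (not code from the lecture): first reject a block whose transactions overdraw an account (the x / 2x case), then search for a nonce with H(nonce || previous_block_hash || hash_current_transactions) < target_value, and let other nodes verify that solution. SHA-256 stands in for H, balances are a simple account map, and the 16-bit target is a constructed toy difficulty.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    sender: str    # the paying address (the page's A)
    receiver: str  # the paid address (the page's B)
    amount: int    # whole bitcoins; integers avoid float rounding


def validate_txs(balances, txs):
    """Apply txs in order to a copy of the ledger; the block is rejected at the first overdraft."""
    ledger = dict(balances)
    for tx in txs:
        if tx.amount <= 0 or ledger.get(tx.sender, 0) < tx.amount:
            return False, balances          # e.g. B spending 2x after receiving only x
        ledger[tx.sender] -= tx.amount
        ledger[tx.receiver] = ledger.get(tx.receiver, 0) + tx.amount
    return True, ledger


def hash_txs(txs):
    """Stand-in for hash_current_transactions: one hash over the serialized transaction list."""
    body = "|".join(f"{t.sender}->{t.receiver}:{t.amount}" for t in txs)
    return hashlib.sha256(body.encode()).hexdigest()


def puzzle_hash(nonce, prev_hash, tx_hash):
    """H(nonce || previous_block_hash || hash_current_transactions), as a 256-bit integer."""
    return int(hashlib.sha256(f"{nonce}||{prev_hash}||{tx_hash}".encode()).hexdigest(), 16)


def mine(prev_hash, tx_hash, target, max_tries=5_000_000):
    """Brute-force a nonce with puzzle_hash < target; None if the budget runs out."""
    for nonce in range(max_tries):
        if puzzle_hash(nonce, prev_hash, tx_hash) < target:
            return nonce
    return None


def prepare_block(balances, txs, prev_hash, target):
    """What the miner does: validate the transactions, then solve the puzzle."""
    ok, new_balances = validate_txs(balances, txs)
    if not ok:
        return None
    tx_hash = hash_txs(txs)
    nonce = mine(prev_hash, tx_hash, target)
    if nonce is None:
        return None
    return {"prev_hash": prev_hash, "tx_hash": tx_hash, "nonce": nonce, "balances": new_balances}


def verify_block(block, target):
    """What the other miners check before accepting the block into their chain."""
    return puzzle_hash(block["nonce"], block["prev_hash"], block["tx_hash"]) < target


TARGET = 1 << (256 - 16)   # constructed toy target: ~65,536 hashes per block on average
GENESIS = "0" * 64         # constructed previous_block_hash for the first block
```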
Incentives for miners
• Miners help maintain the correct ledger, but there is an incentive
• Every time they mine a block successfully, they collect transaction fees from the transactions they mine
  • E.g., I might have a transaction with inputs "address A and 20 bitcoins" and outputs "address B and 19 bitcoins"
  • 1 bitcoin will be the transaction fee for the miner
• You are not required to add transaction fees in your transactions
  • But if you do, you are more likely to have your transaction verified
• Is this the only revenue for miners?
How do you put money into the system?
• For every block mined, there is a special transaction called coinbase
• This transaction "creates" money
  • E.g., creating a successful block can reward you ~35 Bitcoins
  • That is around $9,000 USD
• Concerning the Coinbase transaction
  • Starts at 50 BTC
  • Halves every 210,000 blocks (around 4 years)
  • When it would go to 0, it would not be possible to mine Bitcoins and around that time almost 21 million Bitcoins will have been produced
  • THIS IS HARDCODED INTO THE BITCOIN SOURCE
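The halving schedule on this slide carried through in Python, as an added example (not the lecture's code): the 50 BTC start and the 210,000-block interval are from the slide; counting in satoshis and truncating the reward with a right shift, with a cutoff at 64 halvings, mirrors how the reference client computes the subsidy, which is why the total lands just under, not exactly at, 21 million.

```python
SUBSIDY_SAT = 50 * 100_000_000   # starting coinbase reward: 50 BTC, counted in satoshis
HALVING_INTERVAL = 210_000       # blocks between halvings (roughly 4 years)


def block_subsidy(height):
    """Coinbase reward for the block at this height; the shift truncates like integer division."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0                 # a 64+ bit shift would be undefined in C; the reward is 0 anyway
    return SUBSIDY_SAT >> halvings


def supply_at_height(height):
    """Satoshis created by the coinbase transactions of blocks 0 .. height-1."""
    total, h = 0, 0
    while h < height:
        era_end = min(height, (h // HALVING_INTERVAL + 1) * HALVING_INTERVAL)
        total += block_subsidy(h) * (era_end - h)   # every block in an era pays the same
        h = era_end
    return total


def final_supply():
    """Total satoshis ever produced and the first height whose subsidy is 0 (rewards end there)."""
    h = 0
    while block_subsidy(h) > 0:
        h += HALVING_INTERVAL
    return supply_at_height(h), h
```

Because each halving drops the last bit, the sum over all eras comes to 20,999,999.9769 BTC, and the subsidy reaches 0 at height 6,930,000 (33 halvings), which is the "almost 21 million" on the slide.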
Forking on the Blockchain
• It might be the case that two nodes get to mine a different block around the same time
  • So two nodes can get solutions of different puzzles at the same time
  • So the blockchain can degenerate into a tree
  • Two miners can store different paths of this tree
• Bitcoin consensus algorithm ensures the longest blockchain will prevail
  • The longest chain will always win (it contains the most cumulative hash power)
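The fork resolution rule on this slide as an added Python example (not the lecture's code): two paths of the tree share a first block, a node checks that every block in a candidate path links to its predecessor and really solves its puzzle, and then keeps whichever valid path carries the most cumulative work. With equal targets that is simply the longer chain, as the slide says; the example goes one step further and also scores a block mined at a harder target (HARD) as more work, which is what "cumulative hash power" measures. make_block, the toy targets EASY and HARD, and the transaction hashes are constructed for the demo.

```python
import hashlib

EASY = 1 << 255   # constructed target: half of all hashes qualify, expected work 2 hashes
HARD = 1 << 252   # constructed target: 1 in 16 qualify, expected work 16 hashes


def block_hash(prev_hash, nonce, tx_hash):
    return hashlib.sha256(f"{nonce}||{prev_hash}||{tx_hash}".encode()).hexdigest()


def make_block(prev_hash, tx_hash, target):
    """Constructed helper: mine a block at a toy target so the forks below can be built."""
    nonce = 0
    while int(block_hash(prev_hash, nonce, tx_hash), 16) >= target:
        nonce += 1
    return {"prev_hash": prev_hash, "nonce": nonce, "tx_hash": tx_hash,
            "target": target, "hash": block_hash(prev_hash, nonce, tx_hash)}


def chain_work(chain):
    """Sum the expected hashes behind a chain, or None if a link or a proof of work is bad."""
    total = 0
    for i, blk in enumerate(chain):
        if i > 0 and blk["prev_hash"] != chain[i - 1]["hash"]:
            return None                                   # broken link in the tree path
        h = block_hash(blk["prev_hash"], blk["nonce"], blk["tx_hash"])
        if h != blk["hash"] or int(h, 16) >= blk["target"]:
            return None                                   # hash does not solve the puzzle
        total += (1 << 256) // blk["target"]              # expected attempts for this block
    return total


def choose_chain(current, candidate):
    """Keep the current path unless the candidate is valid and carries strictly more work."""
    cur, cand = chain_work(current), chain_work(candidate)
    if cand is None:
        return current
    if cur is None or cand > cur:
        return candidate
    return current


GENESIS = "0" * 64
common = [make_block(GENESIS, "txs-1", EASY)]                      # shared first block
fork_a = common + [make_block(common[-1]["hash"], "txs-2a", EASY)] # one path of the tree
fork_b = common + [make_block(common[-1]["hash"], "txs-2b", EASY)] # the competing path...
fork_b.append(make_block(fork_b[-1]["hash"], "txs-3b", EASY))      # ...which grows first
fork_c = common + [make_block(common[-1]["hash"], "txs-2c", HARD)] # shorter, but more work
```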
Recap
• How do you join Bitcoin?
• What happens when you want to send 4 Bitcoins to Alice?
• How is the ledger maintained?
• What is the purpose of the miners?
• How do the miners get paid?
• What happens when two different blocks are mined around the same time?
Bitcoin and privacy
• Is Bitcoin private?
  • Not really. It provides pseudonymity, since no real names appear on the blockchain
  • But you can launch linking attacks by analyzing the transaction graph
• Proposed alternatives
  • Zerocoin, Zerocash
  • These are new cryptocurrencies with privacy
• Intuitive difference between Bitcoin and Zerocash
  • A miner in Bitcoin proves that a sender A has the money to pay B
  • A miner in Zerocash proves that there is an input transaction from the past that can be sent to B (breaks linkage)
  • Complicated crypto constructions called SNARKs are required
Building applications with Bitcoin
• I own a file f but I do not want to store it, so I give it to Google and I keep one hash h(f) locally
• When the time comes to pay my subscription, I want Google to prove to me that it has the file
  • So Google sends me the file…
  • At that point, I can take the file and leave and never pay
  • At the same time, if I pay first, Google can cheat and not prove to me that it has the file
• Can Bitcoin help here?
Secure Storage with Bitcoin
• Main idea: Make a Bitcoin transaction for Google, which will fire only when Google posts a transaction with the file
  • Namely, for a transaction to go through, Bitcoin allows you, through a scripting language, to indicate various conditions that must be satisfied
• But what if Google does not have the file?
  • Where will my money go? Will I lose it forever?
• More on that next Wednesday by Mohammad and Ibrahim
One step further: Smart contracts
• Bitcoin scripting language is not Turing-complete
• How about if more complicated conditions should be responsible for the flow of cash in the system?
  • E.g., play rock-paper-scissors on Bitcoin and make sure money goes to the winner, without having a trusted third party overseeing the process
• Smart contracts: You can write programs in a Turing-complete language and have miners verify transactions by executing these contracts
  • Example: Ethereum
  • Research: Privacy-preserving smart contracts (talk to me if you are interested)