IS THERE A THEORY BEHIND BITCOIN? Thomas Holenstein ITS Science Colloquium, Nov 6, 2014.
Goal of this Talk
Part I: What is Bitcoin? Approach: technical. Requires digital signatures and random oracles.
Goal of this Talk
Part II: Bitcoin research. What are researchers doing? What are the open problems?
Disclaimer: I own some bitcoin.
Part I: What is Bitcoin?
What is Bitcoin?
Analogies don’t help…
Instead, we focus on the system: we explain how Bitcoin works.
This means: we explain the protocol.
Basics: Digital Signatures
Digital Signature (figure: Alice signs, Bob verifies)
Key Generation: Alice produces a key pair, Alice(Public) and Alice(Secret). The public key goes to Bob.
Signing: Secret Key + Message -> signature.
Verification: Public Key + Message + signature -> accept or reject.
Goal: Bob should be sure that the message originates from Alice.
Security (informal): You cannot produce valid signatures without the secret key.
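Worked example (added here, not from the talk): the three algorithms on the slide, key generation, signing and verification, built from nothing but SHA-256 using Lamport's one-time signature. It also shows why the informal security statement holds: a signature reveals one of two hash preimages per bit of the message digest, so a forger would have to invert SHA-256 for every bit that differs. The message below is constructed. Caveat: a Lamport key must be used once; a second signature under the same key reveals further preimages that an attacker can mix and match.

```python
"""Lamport one-time signature from SHA-256 (added example, not from the talk)."""
import hashlib
import secrets

N_BITS = 256  # we sign the SHA-256 digest of the message, one secret per digest bit


def H(data: bytes) -> bytes:
    """The hash function; SHA-256 stands in for the talk's random oracle."""
    return hashlib.sha256(data).digest()


def key_generation(rng=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte strings.
    Public key: the hash of every one of those strings, in the same layout."""
    secret = [(rng(32), rng(32)) for _ in range(N_BITS)]
    public = [(H(s0), H(s1)) for s0, s1 in secret]
    return public, secret


def _digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant first."""
    digest = int.from_bytes(H(message), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(secret, message: bytes):
    """For digest bit i with value b, reveal secret[i][b]; the other preimage stays hidden."""
    return [pair[b] for pair, b in zip(secret, _digest_bits(message))]


def verify(public, message: bytes, signature) -> bool:
    """Accept iff every revealed string hashes to the public-key entry selected
    by the corresponding digest bit. Without the secret key an attacker would need
    a SHA-256 preimage for each position where the forged digest differs."""
    if len(signature) != N_BITS:
        return False
    return all(H(s) == pair[b]
               for pair, b, s in zip(public, _digest_bits(message), signature))


if __name__ == "__main__":
    pk, sk = key_generation()
    msg = b"Transfer 0.1 BTC from Alice to Bob"   # constructed sample message
    sig = sign(sk, msg)
    print("genuine signature verifies:", verify(pk, msg, sig))
    print("tampered message verifies:", verify(pk, b"Transfer 1.0 BTC from Alice to Bob", sig))
```

Bitcoin itself uses ECDSA over secp256k1 rather than a hash-based scheme, but the interface is the same triple (key generation, sign, verify), and that interface is all the rest of the protocol relies on.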
We now try to build bitcoin…
Attempt #1
… but we will fail.
Goals
We want some kind of “digital money”.
Everyone can participate.
No central instance – no bank.
Setting
Every computer can send messages to some other computers.
A network of computers.
Basic idea
Every computer maintains a table: “who owns what?”
Alice (Public)     10 BTC
Bob (Public)       0.2 BTC
Charlie (Public)   0.001 BTC
Dora (Public)      2 BTC
Eliza (Public)     17 BTC
We will need: all computers have the same table.
Remark: The public keys are just bit strings.
Sending Bitcoins
To send money, we use transactions. In “short”, a transaction is a message like this:
“Transfer 0.1 BTC from Alice (Public) to Bob (Public)”, signed with Alice’s secret key.
Alice: “I’ll send 0.1 Bitcoin to Bob.”
Protocol: sending BTC
1. Craft a transaction.
2. Give it to your computer.
Protocol: participating
On valid transactions:
1. Update ledger
2. Relay transaction
Double Spending
Black Hat: “I can exploit this!”
Black Hat prepares two transactions: one gives BTC from Black Hat to Alice, the other gives the same BTC from Black Hat to Bob.
These transactions spend previously spent bitcoins!
Alice: “Thanks!” Bob: “Thanks!”
Double Spending
The bad guy spends the same Bitcoins with two different transactions.
Computers that receive one of the transactions first will have a different ledger than computers that receive the other one first.
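Attempt #1 in code, as an added example that is not part of the talk: two naive nodes keep the “who owns what” table and apply transactions in the order they hear them. Signature checking is assumed to have already happened (it is elided here), the participant names are the slide's, and amounts are integers in satoshi to avoid rounding. Node A hears Black Hat's payment to Alice first, node B the payment to Bob first. Each node correctly rejects the second transaction as an overspend, yet their tables disagree, which is exactly the problem the consensus discussion below addresses.

```python
"""Attempt #1: a 'who owns what' table updated in arrival order (added example)."""
from dataclasses import dataclass

SATOSHI = 100_000_000  # amounts are integers in satoshi: 1 BTC = 100 000 000 satoshi


@dataclass(frozen=True)
class Transaction:
    sender: str    # public key of the payer; just a label here, as on the slides
    receiver: str  # public key of the payee
    amount: int    # in satoshi


class NaiveNode:
    """A computer that keeps the ledger and relays what it considers valid.
    Assumption: transactions arrive already checked against the sender's
    digital signature, so only the balance is verified here."""

    def __init__(self, genesis):
        self.ledger = dict(genesis)
        self.relayed = []  # transactions we accepted and passed on to our neighbours

    def is_valid(self, tx: Transaction) -> bool:
        return tx.amount > 0 and self.ledger.get(tx.sender, 0) >= tx.amount

    def receive(self, tx: Transaction) -> bool:
        """Protocol step: on a valid transaction, update the ledger and relay it.
        Returns True if accepted; an invalid transaction is dropped, not relayed."""
        if not self.is_valid(tx):
            return False
        self.ledger[tx.sender] -= tx.amount
        self.ledger[tx.receiver] = self.ledger.get(tx.receiver, 0) + tx.amount
        self.relayed.append(tx)
        return True


def double_spend_demo():
    """Black Hat owns 1 BTC and spends it twice. Two honest nodes hear the two
    transactions in opposite order and end up with different ledgers."""
    genesis = {"BlackHat": 1 * SATOSHI, "Alice": 0, "Bob": 0}   # constructed
    to_alice = Transaction("BlackHat", "Alice", 1 * SATOSHI)
    to_bob = Transaction("BlackHat", "Bob", 1 * SATOSHI)

    node_a = NaiveNode(genesis)
    node_b = NaiveNode(genesis)
    outcome_a = (node_a.receive(to_alice), node_a.receive(to_bob))  # (True, False)
    outcome_b = (node_b.receive(to_bob), node_b.receive(to_alice))  # (True, False)
    return node_a.ledger, node_b.ledger, outcome_a, outcome_b


if __name__ == "__main__":
    ledger_a, ledger_b, _, _ = double_spend_demo()
    print("node A:", ledger_a)
    print("node B:", ledger_b)
    print("ledgers agree?", ledger_a == ledger_b)
```

Note that neither node did anything wrong: both applied the rules “update on valid, relay valid”. Disagreement arises purely from message ordering, so no local check can fix it; the nodes need to agree on an order, which is what a consensus protocol provides.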
We need a protocol to agree on a transaction: “consensus protocols”. Studied since 1980, starting with Pease, Shostak, Lamport. Huge literature!
Consensus Protocols
Main idea for protocols: ask the other computers “What transaction are you using?”
Protocols work if (say) > 70% of the computers follow the protocol.
This solution does not help us!
Design goal: Everyone can participate.
Black Hat: “I will gladly participate… with 1 000 virtual machines!”
By running a special program, a bad guy controls many virtual computers (a Sybil attack), so “70% of the computers” means nothing when anyone can join.
Like this, he can make different participants believe different things.
Basics: Random Hashfunctions
Random Hash Functions (Random Oracles)
A random hash function is a function where all outputs are chosen uniformly at random, independently of each other.
Example: // x = 44709335 // x = 53639915 // x = 44709335
On my friend’s computer in the US: // x = 44709335 (the same input always gives the same output)
Random Hash Function
In practice, we hope that SHA256 behaves “like a random oracle”.
Calculation: If we made all computers on the world compute …
It takes ~“ years” to find s.t.
Bitcoin’s consensus protocol
Step 1: How does the protocol look like?
Step 2: What happens if people cheat?
Blocks
A block contains the hash of another block, a list of transactions, and an arbitrary number, the “nonce”. A block is valid if the first (fixed number of) digits of its hash are all zero.
Example hash values: 8046465385222 (not valid), 0000031105830 (valid), 0000077326777 (valid).
Blocks
If we have a block, we can find a “next block”:
Take the hash of the previous block. Add transactions.
Try different values for the nonce until the hash starts with zeros.
Bitcoin chooses the number of required zeros such that this takes ~10 minutes.
A Tree of Blocks
If we have a block, with a bit of work, we can find a “next block”… and yet another “next block”…
… or a block which continues from an earlier block…
… and so on.
A Tree of Blocks
In general, we can build a tree of blocks like this.
But only ever downwards!
The Protocol for Finding Blocks
Protocol: finding blocks
1. Take the longest chain you can find.
2. Collect transactions.
3. Find a new valid block extending that chain.
4. Publish it.
The Protocol for Participants
Protocol: To know who owns BTC
1. Take the longest chain you can find.
2. Process the transactions in this chain in order.
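The block protocol of the last few slides as an added example (not from the talk): proof-of-work blocks hashed with SHA-256 in place of the random hash function, a tree of blocks that only grows downwards, the longest-chain rule, and the ledger replayed from that chain. The difficulty (3 leading zero hex digits, so ~4096 hash calls per block instead of Bitcoin's ~10 minutes), the block reward of 50, the miner names and the genesis balances are assumed for illustration; fees are left out. The demo builds Black Hat's fork from the double-spend slide and shows that a later block re-spending the same coins is rejected even though its proof of work is valid.

```python
"""Proof-of-work blocks, a tree of blocks and the longest-chain rule (added example)."""
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY = 3       # leading zero hex digits required: ~16**3 = 4096 hashes per block
BLOCK_REWARD = 50    # coins created for the miner of every block (assumed figure)
GENESIS_PREV = "0" * 64


@dataclass(frozen=True)
class Block:
    prev_hash: str       # hash of the block this one extends
    transactions: tuple  # ((sender, receiver, amount), ...)
    miner: str           # public key that receives the block reward
    nonce: int           # free field varied until the hash starts with zeros

    def hash(self) -> str:
        body = json.dumps([self.prev_hash, self.transactions, self.miner, self.nonce])
        return hashlib.sha256(body.encode()).hexdigest()


def is_valid_pow(block: Block, difficulty: int = DIFFICULTY) -> bool:
    return block.hash().startswith("0" * difficulty)


def mine(prev_hash: str, transactions, miner: str, difficulty: int = DIFFICULTY) -> Block:
    """Try nonces 0, 1, 2, ... until the block hash has the required leading zeros."""
    nonce = 0
    while True:
        block = Block(prev_hash, tuple(transactions), miner, nonce)
        if is_valid_pow(block, difficulty):
            return block
        nonce += 1


def apply_block(balances: dict, block: Block):
    """Replay one block on a copy of the ledger; None if any transaction overspends."""
    ledger = dict(balances)
    for sender, receiver, amount in block.transactions:
        if amount <= 0 or ledger.get(sender, 0) < amount:
            return None
        ledger[sender] -= amount
        ledger[receiver] = ledger.get(receiver, 0) + amount
    ledger[block.miner] = ledger.get(block.miner, 0) + BLOCK_REWARD
    return ledger


class BlockTree:
    def __init__(self, genesis_balances: dict):
        self.genesis = Block(GENESIS_PREV, (), "genesis", 0)  # genesis is exempt from PoW
        g = self.genesis.hash()
        self.blocks = {g: self.genesis}
        self.height = {g: 0}
        self.ledger = {g: dict(genesis_balances)}  # ledger as of each block

    def add(self, block: Block) -> bool:
        """Accept a block only if it has valid proof of work, extends a block we know
        (the tree only grows downwards) and every transaction in it is valid."""
        if block.prev_hash not in self.blocks or not is_valid_pow(block):
            return False
        ledger = apply_block(self.ledger[block.prev_hash], block)
        if ledger is None:
            return False
        h = block.hash()
        self.blocks[h], self.ledger[h] = block, ledger
        self.height[h] = self.height[block.prev_hash] + 1
        return True

    def longest_chain(self) -> list:
        """Protocol rule: work with the longest chain (ties broken by hash, deterministically)."""
        tip = max(self.height, key=lambda h: (self.height[h], h))
        chain = []
        while tip != GENESIS_PREV:
            chain.append(self.blocks[tip])
            tip = self.blocks[tip].prev_hash
        return chain[::-1]

    def who_owns_what(self) -> dict:
        """To know who owns BTC: process the longest chain's transactions in order."""
        return self.ledger[self.longest_chain()[-1].hash()]


def fork_demo():
    tree = BlockTree({"BlackHat": 100})                      # constructed genesis ledger
    g = tree.genesis.hash()
    pay_alice = mine(g, [("BlackHat", "Alice", 100)], miner="Miner1")
    pay_bob = mine(g, [("BlackHat", "Bob", 100)], miner="Miner2")   # the double spend
    fork_ok = tree.add(pay_alice) and tree.add(pay_bob)      # two blocks at height 1
    extension = mine(pay_alice.hash(), [("Alice", "Bob", 40)], miner="Miner1")
    tree.add(extension)                                      # Alice's branch is now longest
    replay = mine(extension.hash(), [("BlackHat", "Bob", 100)], miner="Miner2")
    rejected = not tree.add(replay)                          # valid PoW, but coins already spent
    return tree, fork_ok, rejected


if __name__ == "__main__":
    tree, fork_ok, rejected = fork_demo()
    print("fork accepted:", fork_ok, "| re-spend rejected:", rejected)
    print("longest chain miners:", [b.miner for b in tree.longest_chain()])
    print("who owns what:", tree.who_owns_what())
```

The payment to Bob in the orphaned branch is still stored in the tree, but it is not part of the longest chain and so it is not part of “who owns what”; that is the sense in which the double spend vanishes once one branch gets ahead.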
Why work to find blocks?
Many people are trying to find blocks, which uses a lot of resources…
A real lot!
This is called “mining”.
Block reward
If you find a block, you get bitcoins as a reward.
“Transfer 0.1 BTC from Alice (Public) to Bob (Public)”, signed by Alice. Fee: 0.001 BTC
Every transaction specifies a fee. It goes to the person who puts the transaction into a valid block.
Recap: The Bitcoin Protocol
Protocol: participate
Relay valid transactions. Relay valid blocks in the longest chain. Work with the longest chain.
Protocol: miners
Collect valid transactions. Publish valid blocks which extend the longest chain.
Bitcoin’s consensus protocol
Step 1: How does the protocol look like?
Step 2: What happens if people cheat?
Double Spends
Black Hat: “I can exploit this!” (again pays Alice and Bob with the same coins)
Someone: “I found a valid block!”
Once a block is found, the double spends vanish: only the transaction included in the block counts, the other one is invalid against the resulting ledger.
Occasionally, two people find blocks at around the same time… but typically the problem disappears.
Build an Alternate Chain?
The more hash-function calls are devoted to a chain, the faster it grows.
Thus, intuitively: to build a chain as fast as the rest, you need as many hash-function calls as the rest.
Maybe I should build another chain?
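The “as many hash calls as the rest” intuition, quantified, as an added example that is not from the talk. The first function turns a required number of leading zero hex digits and a hash rate into an expected block time, the kind of calculation the random-oracle slide alludes to. The remaining functions are Nakamoto's (2008, section 11) gambler's-ruin analysis: the probability that an attacker controlling a fraction q of all hash calls ever catches up from z blocks behind the honest chain, the resulting probability that a double spend succeeds once the merchant has waited for z confirmations, and the number of confirmations that pushes that below a chosen risk. The 10% attacker used below is Nakamoto's own worked case.

```python
"""Chain races, quantified (added example). Formulas after Nakamoto (2008), section 11."""
import math


def expected_block_time(hash_rate: float, zero_hex_digits: int) -> float:
    """Seconds until a block is expected when the hash must start with k zero hex
    digits: each call succeeds with probability 16**-k under the random-oracle
    heuristic, so 16**k calls are needed on average."""
    return 16 ** zero_hex_digits / hash_rate


def catch_up_probability(q: float, z: int) -> float:
    """Attacker holds fraction q of all hash calls, the honest network p = 1 - q.
    Probability that the attacker's chain ever catches up from z blocks behind:
    certain if q >= p, otherwise (q/p)**z (gambler's ruin)."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    return (q / p) ** z


def double_spend_success(q: float, z: int) -> float:
    """Merchant waits for z confirmations. While the honest chain mines those z
    blocks, the attacker's secret chain advances by a Poisson number of blocks
    with mean z*q/p; from each resulting gap the catch-up probability applies."""
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * q / p
    attacker_fails = 0.0
    for k in range(z + 1):                       # k = attacker blocks found so far
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        attacker_fails += poisson * (1.0 - catch_up_probability(q, z - k))
    return 1.0 - attacker_fails                  # k > z means already caught up


def confirmations_needed(q: float, target: float = 0.001) -> int:
    """Smallest z for which a double spend succeeds with probability below target.
    A majority attacker (q >= 0.5) always wins, so no z exists: refuse to loop."""
    if q >= 0.5:
        raise ValueError("attacker with q >= 0.5 can always rewrite the chain")
    z = 0
    while double_spend_success(q, z) > target:
        z += 1
    return z


if __name__ == "__main__":
    print("block every %.1f s at 4096 H/s with 3 zero digits"
          % expected_block_time(4096.0, 3))
    for z in range(6):
        print("q=0.10, z=%d: P(double spend) = %.7f" % (z, double_spend_success(0.1, z)))
    print("confirmations for <0.1%% risk against q=0.10:", confirmations_needed(0.1))
```

The function `catch_up_probability` is the slide's intuition made exact: below half the hash calls the attacker's chance of overtaking decays exponentially in the lead; at half or more it is 1, which is the usual “51% attack” remark.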
Part II: Bitcoin Research
Understanding Bitcoin
Bitcoin was deployed with basically no theoretical foundation.
Is the system secure? What gives it security?
What will rational agents in the Bitcoin network do?
What are possible attacks?
Understanding Bitcoin
Ideally, we would want a model which captures the “important aspects”.
We then want theorems which describe the results.
Some of the following research goes into this direction.
Understanding Bitcoin: References
Babaioff, Dobzinski, Oren, Zohar (2012). On Bitcoin and red balloons
Bahack (2013). Theoretical Bitcoin attacks with less than half of the computational power
Barber, Boyen, Shi, Uzun (2012). Bitter to better - how to make Bitcoin a better currency
Becker, Breuker, Heide, Holler, Rauer, Böhme (2012). Can we afford integrity by proof-of-work? Scenarios inspired by the Bitcoin currency
Bonneau, Narayanan (2014). Better in practice than in theory: lessons from the rise of Bitcoin
Courtois, Grajek, Naik (2013). The unreasonable fundamental incertitudes behind Bitcoin mining
Eyal, Sirer (2014). Majority is not enough: Bitcoin mining is vulnerable
Garay, Kiayias, Leonardos (2014). The Bitcoin backbone protocol: analysis and applications
Karame, Androulaki, Capkun (2012). Two Bitcoins at the price of one? Double-spending attacks on fast payments in Bitcoin
Kroll, Davey, Felten (2013). The economics of Bitcoin mining, or Bitcoin in the presence of adversaries
Möser, Böhme, Breuker (2014). Towards risk scoring of Bitcoin transactions
Nakamoto (2008). Bitcoin: a peer-to-peer electronic cash system
Raulo (2011). Optimal pool abuse strategy
Todd (2013). How a floating blocksize limit inevitably leads towards centralization
… many more.
http://bitcointalk.org
I omit many references… also in the following!
Understanding Bitcoin: Open Problem
There are some aspects of Bitcoin which will change: the initial block reward will vanish. I believe: the network will grow or go away. What are the effects of such changes?
(There is previous work which studies this).
Improving Bitcoin
New technology gives new choices. How do we choose? Try to make the system more powerful. Try to make the design: more secure, faster, less wasteful.
Improving Bitcoin: References
Back, Corallo, Dashjr, Friedenbach, Maxwell, Miller, Poelstra, Timón, Wuille (2014). Enabling Blockchain Innovations with Pegged Sidechains
Bamert, Decker, Elsen, Wattenhofer, Welten (2013). Have a Snack, Pay with Bitcoin
Ben-Sasson, Chiesa, Genkin, Tromer, Virza (2013). SNARKs for C: Verifying Program Executions Succinctly and in ZK
Bentov, Gabizon, Mizrahi (2014). Cryptocurrencies without Proof of Work
Bonneau, Clark, Miller (2014). FawkesCoin: A cryptocurrency without public-key cryptography
Buterin (2013). Ethereum White Paper
Dziembowski, Faust, Kolmogorov, Pietrzak (2013). Proofs of Space
etotheipi, maaku, et al. (2012). Ultimate blockchain compression w/ trust-free […]
Hearn (2013). Decentralised crime fighting using private set intersection protocols
Heilman (2014). One Weird Trick to Stop Selfish Miners: Fresh Bitcoins […]
King, Nadal (2012). PPCoin: Peer-to-Peer Crypto-Currency with Proof-of-Stake
Lee (2013). Litecoin
Maxwell (2013). Really Really ultimate blockchain compression: CoinWitness
Miller, Shi, Kosba, Katz (2014). Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions
Sompolinsky, Zohar (2013). Accelerating Bitcoin's Transaction Processing: Fast Money Grows on Trees, Not Chains
Todd (2014). Tree-chains preliminary summary.
Improving Bitcoin: Open Problem
Computing SHA256 around times per second seems like a big waste of energy.
Back of the envelope calculation gives a daily energy use of 5’000’000+ kWh (~ 500’000+ CHF)
Can we improve the situation?
(There is previous work which studies this).
Anonymity
Every transaction is broadcast and stored.
On the other hand, a priori nobody knows who owns which public key.
Is Bitcoin anonymous?
Anonymity: References
Androulaki, Karame, Roeschlin, Scherer, Capkun (2013). Evaluating user privacy in Bitcoin
Biryukov, Pustogarov (2014). Bitcoin over Tor isn't a good idea
Gervais, Karame, Gruber, Capkun (2014). On the privacy provisions of Bloom filters in lightweight Bitcoin clients
Koshy, Koshy, McDaniel (2014). An analysis of anonymity in Bitcoin using P2P network traffic
Meiklejohn, Pomarole, Jordan, Levchenko, McCoy, Voelker, Savage (2013). A Fistful Of bitcoins: Characterizing payments among men with no names
Ober, Katzenbeisser, Hamacher (2013). Structure and anonymity of the Bitcoin transaction graph
Reid, Harrigan (2012). An analysis of anonymity in the Bitcoin system
Ron, Shamir (2014). How did dread pirate Roberts acquire and protect his Bitcoin wealth?
Ron, Shamir (2013). Quantitative analysis of the full Bitcoin transaction graph
Spagnuolo, Maggi, Zanero (2014). BitIodine: Extracting intelligence from the Bitcoin network
theymos (2010). Anonymity
Improve Anonymity: References
Ben-Sasson, Chiesa, Garman, Green, Miers, Tromer, Virza (2014). Zerocash: decentralized anonymous payments from Bitcoin
Bonneau, Clark, Kroll, Miller, Narayanan (2014). Mixcoin: Anonymity for Bitcoin with accountable mixes
Danezis, Fournet, Kohlweiss, Parno (2013). Pinocchio Coin: building Zerocoin from a succinct pairing-based proof system
Garman, Green, Miers, Rubin (2014). Rational zero: Economic security for Zerocoin with everlasting anonymity
Ladd (2012). Blind signatures for Bitcoin transaction anonymity
Maxwell (2013). CoinJoin: Bitcoin privacy for the real world
Miers, Garman, Green, Rubin (2013). Zerocoin: Anonymous distributed e-cash from Bitcoin
Saxena, Misra, Dhar (2014). Increasing anonymity in Bitcoin
Build on Top of Bitcoin
If Bitcoin works, we can use the technology for other things.
Use Bitcoin as a building block
Use the blockchain technology for new applications.
Build on top of Bitcoin
Andrychowicz, Dziembowski, Malinowski, Mazurek (2014). Secure Multiparty Computations on Bitcoin
Back, Bentov (2014). Note on fair coin toss via Bitcoin.
Bentov, Kumaresan (2014). How to Use Bitcoin to Design Fair Protocols
Clark, Bonneau, Felten, Kroll, Miller, Narayanan (2014). On Decentralizing Prediction Markets and Order Books.
Clark, Essex (2012). CommitCoin: Carbon Dating Commitments with Bitcoin
Finney et al. (2010). Bitcoin overlay protocols
Miller, Juels, Shi, Parno, Katz (2014). PermaCoin: Repurposing Bitcoin Work for Data Preservation
Study the behavior
Another approach is to look at the current system.
What are people doing?
What happens in the network?
Study the behavior
Decker, Wattenhofer (2013). Information Propagation in the Bitcoin Network
Decker, Wattenhofer (2014). Bitcoin Transaction Malleability and MtGox
Donet Donet, Pérez-Solà, Herrera (2014). The Bitcoin P2P network
Gandal, Halaburda (2014). Competition in the Crypto-Currency Market.
Johnson, Laszka, Grossklags, Vasek, Moore (2014). Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools
Plohmann, Gerhards-Padilla (2012). Case study of the miner botnet
Vasek, Thornton, Moore (2014). Empirical Analysis of Denial-of-Service Attacks in the Bitcoin Ecosystem
Moore, Christin (2013). Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk
Economics and Policy
What are the economic foundations behind Bitcoin?
Does it make sense that Bitcoin has value?
Do law makers have to react to Bitcoin?
Economics and Policy
Ali, Barrdear, Clews, Southgate (2014). The economics of digital currencies
Andolfatto (2014). Bitcoin and beyond: the possibilities and pitfalls of virtual currencies
Boehm, Pesch (2014). Bitcoin: a first legal analysis - with reference […]
Brito, Shadab, Castillo (2014). Bitcoin financial regulation: securities, derivatives, prediction markets, & gambling
Brito, Castillo (2013). Bitcoin: A primer for policymakers.
Dion (2014): Bitcoin, regulating fraud in the economy of Hacker-Cash
Doguet (2013). The nature of the form: Legal and regulatory issues surrounding the Bitcoin digital currency system
Elwell, Murphy, Seitzinger (2014). Bitcoin: questions, answers, and analysis of legal issues
European Central Bank (2012). Virtual currency schemes
Grinberg (2011). Bitcoin: An innovative alternative digital currency
Güring, Grigg (2011). Bitcoin & Gresham's Law - the economic inevitability of collapse
Hileman (2014). From Bitcoin to the Brixton pound: history and prospects for alternative currencies
Luther, White (2014). Can Bitcoin Become a Major Currency?
Marian (2013). Are cryptocurrencies 'super' tax havens?
Mimic (2014). Regulatory challenges of alternative e-currency; Comparative analysis of Bitcoin model in US and EU jurisdictions
Möser, Böhme, Breuker (2013). An inquiry into money laundering tools in the Bitcoin ecosystem
Sapuric, Kokkinaki (2014). Bitcoin is volatile! Isn't that right?
Yermack (2013). Is Bitcoin a real currency? [...]
More research
Bergstra, Leeuw (2014). Bitcoin and beyond: exclusively informational monies
Lo, Wang (2014). Bitcoin as money?
Luther (2013). Cryptocurrencies, network effects, and switching costs
Maurer, Nelms, Swartz (2013). "When perhaps the real problem is money itself!": the practical materiality of Bitcoin
Rotman (2014). Bitcoin versus electronic money
Graf (2014). Sidechained Bitcoin substitutes: A monetary commentary
… many more! Apologies to everyone whose research I missed or forgot to list!
Thanks to
Alessandro Chiesa, Christian Decker, and everyone for listening!
Sources
xkcd.com, blockchain.info, bitcoincharts.com, KnCMiner.com