ENEE 457: Computer Systems Security 11/30/16 Lecture 24 Bitcoin and Decentralized Cryptocurrencies Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
ENEE 457: Computer Systems Security11/30/16
Lecture 24Bitcoin and Decentralized Cryptocurrencies
Charalampos (Babis) Papamanthou
Department of Electrical and Computer EngineeringUniversity of Maryland, College Park
WhatisBitcoin?
• Bitcoinisae-cashsystemenablingastomovefromcurrency(eitherpaperordigital)basedandregulatedoncentralizedbankstofully-decentralizedcurrency• Bitcoinisnotthefirstattempttodigitizecash
• Lotsofworkone-cashinthepast(beginningwiththeworkofDavidChaum)• Alle-cashworksareusingacentralizedpartytopreventdouble-spending
• Bitcoinworksbecauseitofferstherightincentives• Ifyouhelpmaintainthecorrectnessofthesystem,youwillearnsomeBitcoins• “Help”meansofferingsomeofyourcomputationalpowertoverifytransactions(moreonthatlater)
• Bitcoinwasfirstdescribedinaseminalpaper byanonymousSatoshiNakamoto
InterestingpropertiesofBitcoin
• Transparent• AllthetransactionmadebyBitcoinusersarerecordedinapublicledger• Seewww.blockchain.info• Problemwithprivacy?
• Finite• Thereisanupperboundonthetotalamountofbitcoinsthatwilleverbespent(thereisnoFederalReserveherethatcanarbitrarily“printBitcoins”)
• Simulatesthegoldstandard• Basedoncryptoanddistributedalgorithms
• Owningmoneyisequivalenttoknowingasecret(inparticularthesecretkeyofdigitalsignature)
• Makingsurethatnodoublespendingoccursisbasedonnoveldistributedalgorithms(consensus)
OtherpropertiesofBitcoin
• Global• Canbeusedtosendmoneyallacrosstheworldwithverysmallfees(asopposedtofeeschargedbymajorbanks)
• Also,youcantradeBitcoinsfordollarsandvice-versa• TobuyandsellBitcoins,gotohttps://www.coinbase.com/• WhatdoyougetandwhenyoubuyBitcoins?
• CurrentpriceofBitcoin
WherecanIpaywithBitcoin?
HistoryofBitcoin
• 2009:SatoshiNakamoto’s paper• 2009-2011:• Pricelessthan1dollar• Communityofenthusiasts
• 2013-today• Substantialgrowth• InDecember2013,pricereached1000dollars• Mediacoverage• LotsofstartupsfacilitatingBitcoinadoption• Venturecapitalistsinvestment
Bitcoinprice
Howdoesitwork?
• Mainpurposeofbanksistomaintainbalancescorrectly• E.g.,ifIsendyou10dollars,thebankneedstosubtract10dollarsfrommyaccountandsend10dollarstoyouraccount• Thisisoneofthemostfundamentalbankoperations• Thewholebankingsystemworksbecausewetrustthebankstodosocorrectly• Partlyforthisservice,wehavetopayallthesefeestothebanks• Bitcoinmainidea
• Doawaywithbankscompletelyandmaintainthisfileofbalancesinadistributedfashion
• Buthowdoyoupumpmoneyintothisneweconomy?• PaypeopleinBitcoinstohelpmaintainthisfileofbalances,called“ledger”
Bitcoinaddresses
• Bitcoinaddressesserveasthe“accountnumber”inyourbank• EveryindividualcanhaveasmanyBitcoinaddressesashewants• Veryeasytocreate• Nofeesatallforhavingone
• MyBitcoinaddress• 1Eq8hdVuGGii61QMhppNP5z27832dMwztG• Itnowhas0.01BTCassociatedwithit• Let’sverifythat
WhatisthisBitcoinaddress?
• IfyouwanttogetintoBitcoin• Youneedtogeneratea(SK,PK)pair
• Ofcourse,keepyourSKsecret• ThebitcoinaddressisanencodingofahashofPK• bitcoin_address =enc(hash(PK))
• MakeyourPKavailabletoeverybodysothatyoucanreceivepayments• Downloadingandinstallingcoinbase appwilltakecareofallthesesothatyouarereadytosendandacceptBitcoinpayments
Asimpletransaction
• Alicewantstopay3BitcoinstoBob• Aliceowns3BitcoinsataddressA• BobhasaddressB• TopayBob,Alicecreatesatransactionandbroadcastsittothewholenetwork• Thetransactioncontains
• AddressesAandB• ThepublickeyassociatedwithA• Amount3Bitcoins• Adigitalsignatureonthemessageofalltheabove,createdwithAlice’ssecretkey
Blockchain
• Therearecertainnodesonthenetworkcalledminers thatmaintainthecorrectledgeroftransactions• Minersputtransactionsintoblocks,andbroadcasttheirblockscontainingtransactionsthatareconsistent• E.g.,avalidblockcannotcontainthefollowingtwotransactions• AsentxBitcoinstoB(sayBhad0Bitcoinsbefore)• Bsent2xBitcoinstoC
• Onceaclaimedcorrectblockisbroadcast,itneedstobeverifiedbyotherminersbeforeitgetsaddedintotheBlockchain• Eventually,allminerswillgettoseethesameblockchain• Thisistheblockchain weseeatblockchain.info• Onaverage,anewblockiscreatedevery10minutes
Whatdominersdo?
• Distributedcomputingconsensus• Nplayers(maliciousandhonest)startwithinputvaluesx_1,x_2,…,x_N andsomepreviouslyagreedstate• Goaloftheprotocol• Allhonestplayersoutputeventuallyonevaluex_i andthenewstate’=f(state,x_i)• Thisvaluemusthavebeengeneratedbyanhonestnode
• Thislooksquiteeasy!• Isit?
Distributedalgorithmtoreachconsensus
• Allplayersstoretheinitialstate andtheirinputxi• Pickaplayerq uniformlyatrandom• Step1:Theplayerqgetsitsinputxqtoallothernodesproposingittobethenewextensiontostate• (iftheplayerishonestitsendsthesamecorrectinputstoallothernodes,otherwiseitcanbehavearbitrarity)
• Step2:Allhonestplayersverifyx_q andcomputethenewstate’• Theorem(informal):Ifmajorityofplayersishonest,theneventuallythesystemwillreachconsensus
Bitcoinconsensus
• Itisaninstantiationofwhatwedescribedbefore• Playersareminers• stateistheblockchain,containingblocksthatcontainvalidtransactions• Theinputsarethenewblocksthatarebeinggenerated
• Sowhatisthedifference?• RememberanimportantrequirementoftheconsensusprotocolisthateverytimeIshouldpicksomeoneuniformlyatrandom.• HowdoIpicksomeoneuniformlyatrandominBitcoin?• Inparticular,howdoIpicksomeoneuniformlyatrandominadistributedfashion?• ProofsofWork!!!
Howdoesaminerprepareablock
• Aminerreceivesabunchoftransactionsfromusers• Hecheckstoseethatthetransactionshehasarevalid• Heorganizesthetransactionsintoablockb• Nowheisreadytobroadcasthisblockandupdatethestateofthesystem• Wait,thetheoremsaysheneedstobechosenatrandom• Well,tobeeligibleforbroadcasting,heneedstosolveacomputationalpuzzleandsubmititssolution• Basically,thecomputationalpuzzlerequireshimtoinvertahash
BitcoinBlocksandTransactions
Whatisthenonceineachblock?
• Eachblocksubmittedbyaminerhasanonce• Thisnonceisthesolutiontothefollowingpuzzle
• H(nonce||previous_block_hash||hash_current_transactions)<target_value• Theblockwillbeacceptedaftertheaboveischecked• Theabovemechanismservesforchoosingsomemineratrandom,makingsuretheledgerismaintainedcorrectly• Thesmallertarget_value is,thehigherthedifficultyofthepuzzle• AdjustedbytheBitcoinfoundationtomakesureoneblockisminedapproximatelyevery10minutes• Questions
• Whywouldyouinvestyourcomputationalpowertoprepareblocks?• Whataretheincentives?
Incentivesforminers
• Minershelpmaintainingthecorrectledger,butthereisanincentive• Everytimethemineablocksuccessfully,theycollecttransactionfeesfromthetransactionstheymine• E.g.,ImighthaveatransactionsayingwithInputsaddressAand20bitcoinsandoutputsaddressBand19bitcoins• 1bitcoinwillbethetransactionfeefortheminer
• Youarenotrequiredtoaddtransactionfeesinyourtransactions• Butifyoudo,youaremorelikelytohaveyourtransactionverified• Isthistheonlyrevenueforminers?
Howdoyouputmoneyintothesystem?
• Foreveryblockmined,thereisaspecialtransactioncalledcoinbase• Thistransaction“creates”money• E.g.,creatingasuccessfulblockcanrewardyou~35Bitcoins• Thatisaround$9,000USD• ConcerningtheCoinbase transaction• Startsat50BTC• Halvesevery210,000blocks(around4years)• Whenitwouldgoto0,itwouldnotbepossibletomineBitcoinsandaroundthattimealmost21millionBitcoinswillhavebeenproduced• THISISHARDCODEDINTOTHEBITCOINSOURCE
ForkingontheBlockchain
• Itmightbethecasethattwonodesgettomineadifferentblockaroundthesametime• Sotwonodescangetsolutionsofdifferentpuzzlesatthesametime• Sotheblockchain candegenerateintoatree• Twominerscanstoredifferentpathsofthistree
• Bitcoinconsensusalgorithmensuresthelongestblockchain willprevail• Thelongestchainwillalwayswin(itcontainsthemostcumulativehashpower)
Recap
• HowdoyoujoinBitcoin?• Whathappenswhenyouwanttosend4BitcoinstoAlice?• Howistheledgermaintained?• Whatisthepurposeoftheminers?• Howdotheminersgetpaid?• Whathappenswhentwodifferentblocksareminedaroundthesametime?
Bitcoinandprivacy
• IsBitcoinprivate?• Notreally.Itprovidespseudonimity,sincenorealnamesappearontheblockchain• Butyoucanlaunchlinkingattacksbyanalyzingthetransactiongraph• Proposedalternatives
• Zerocoin,Zerocash• Thesearenewcryptocurrencieswithprivacy
• IntuitivedifferencebetweenBitcoinandZerocash• AminerinBitcoinprovesthatasenderAhasthemoneytopayasenderB• AminerinZerocash provesthatthereisaninputtransactionfromthepastthatcanbesenttoB(breakslinkage)
• ComplicatedcryptoconstructioncalledSNARKsarerequired
BuildingapplicationswithBitcoin
• IownafilefbutIdonotwanttostoreit,soIgiveittoGoogleandIkeeponehashh(f)locally• Whentimescomestopaymysubscription,IwantGoogletoprovetomethatithasthefile• SoGooglesendsmethefile…• Atthatpoint,Icantakethefileandleaveandneverpay• Atthesametime,ifIpayfirst,Googlecancheatandnotprovetomethatithasthefile• CanBitcoinhelphere?
SecureStoragewithBitcoin
• Mainidea:MakeaBitcointransactionforGoogle,whichwillfireonlywhenGooglepostsatransactionwiththefile• Namely,foratransactiontogothrough,Bitcoinallowsthroughascriptinglanguagetoindicatevariousconditionsthatmustbesatisfied• ButwhatifGoogledoesnothavethefile?• Wherewillmymoneygo?WillIloseitforever?• MoreonthatnextWednesdaybyMohammadandIbrahim
Onestepfurther:Smartcontracts
• BitcoinscriptinglanguageisnotTuring-complete• Howaboutifmorecomplicatedconditionsshouldberesponsiblefortheflowofcashinthesystem?• E.g.,
• Playrock-paper-scissorsonBitcoinandmakesuremoneygoestothewinner,withouthavingatrustedthirdpartyoverseeingtheprocess
• Smartcontracts:YoucanwriteprogramsinaTuring-completelanguageandhaveminersverifytransactionsbyexecutingthesecontracts• Example:Ethereum• Research:Privacy-preservingsmartcontracts (talktomeifyouareinterested)
Related Documents
