ENEE 457: Computer Systems Security 11/30/16 Lecture 24 Bitcoin and Decentralized Cryptocurrencies Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park

Jan 05, 2020


ENEE 457: Computer Systems Security
11/30/16

Lecture 24
Bitcoin and Decentralized Cryptocurrencies

Charalampos (Babis) Papamanthou

Department of Electrical and Computer Engineering
University of Maryland, College Park


What is Bitcoin?

• Bitcoin is an e-cash system enabling us to move from currency (either paper or digital) based and regulated on centralized banks to fully-decentralized currency
• Bitcoin is not the first attempt to digitize cash
  • Lots of work on e-cash in the past (beginning with the work of David Chaum)
  • All e-cash works are using a centralized party to prevent double-spending
• Bitcoin works because it offers the right incentives
  • If you help maintain the correctness of the system, you will earn some Bitcoins
  • "Help" means offering some of your computational power to verify transactions (more on that later)
• Bitcoin was first described in a seminal paper by anonymous Satoshi Nakamoto


Interesting properties of Bitcoin

• Transparent
  • All the transactions made by Bitcoin users are recorded in a public ledger
  • See www.blockchain.info
  • Problem with privacy?
• Finite
  • There is an upper bound on the total amount of bitcoins that will ever be spent (there is no Federal Reserve here that can arbitrarily "print Bitcoins")
  • Simulates the gold standard
• Based on crypto and distributed algorithms
  • Owning money is equivalent to knowing a secret (in particular the secret key of a digital signature)
  • Making sure that no double spending occurs is based on novel distributed algorithms (consensus)


Other properties of Bitcoin

• Global
  • Can be used to send money all across the world with very small fees (as opposed to fees charged by major banks)
• Also, you can trade Bitcoins for dollars and vice-versa
  • To buy and sell Bitcoins, go to https://www.coinbase.com/
  • What do you get when you buy Bitcoins?
• Current price of Bitcoin


Where can I pay with Bitcoin?


History of Bitcoin

• 2009: Satoshi Nakamoto's paper
• 2009-2011:
  • Price less than 1 dollar
  • Community of enthusiasts
• 2013-today
  • Substantial growth
  • In December 2013, price reached 1000 dollars
  • Media coverage
  • Lots of startups facilitating Bitcoin adoption
  • Venture capitalist investment


Bitcoin price


How does it work?

• Main purpose of banks is to maintain balances correctly
  • E.g., if I send you 10 dollars, the bank needs to subtract 10 dollars from my account and send 10 dollars to your account
  • This is one of the most fundamental bank operations
  • The whole banking system works because we trust the banks to do so correctly
  • Partly for this service, we have to pay all these fees to the banks
• Bitcoin main idea
  • Do away with banks completely and maintain this file of balances in a distributed fashion
• But how do you pump money into this new economy?
  • Pay people in Bitcoins to help maintain this file of balances, called "ledger"


Bitcoin addresses

• Bitcoin addresses serve as the "account number" in your bank
  • Every individual can have as many Bitcoin addresses as he wants
  • Very easy to create
  • No fees at all for having one
• My Bitcoin address
  • 1Eq8hdVuGGii61QMhppNP5z27832dMwztG
  • It now has 0.01 BTC associated with it
  • Let's verify that


What is this Bitcoin address?

• If you want to get into Bitcoin
  • You need to generate a (SK, PK) pair
  • Of course, keep your SK secret
• The bitcoin address is an encoding of a hash of PK
  • bitcoin_address = enc(hash(PK))
• Make your PK available to everybody so that you can receive payments
• Downloading and installing the coinbase app will take care of all these so that you are ready to send and accept Bitcoin payments
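
Added example (not part of the lecture): the enc() step of bitcoin_address = enc(hash(PK)) for a classic "1..." address is Base58Check, which appends a 4-byte double-SHA-256 checksum so that a mistyped address is rejected instead of receiving a payment. Assumptions: the 20-byte hash is taken as input (real wallets compute RIPEMD160(SHA256(PK))), and SAMPLE_HASH is a constructed value, not a real key.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload: bytes) -> bytes:
    # First 4 bytes of SHA-256(SHA-256(payload)) guard against typos.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def encode_address(pubkey_hash: bytes, version: int = 0x00) -> str:
    """enc(): Base58Check over version byte + 20-byte hash of PK."""
    if len(pubkey_hash) != 20:
        raise ValueError("expected a 20-byte public-key hash")
    payload = bytes([version]) + pubkey_hash
    data = payload + checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    zeros = len(data) - len(data.lstrip(b"\x00"))  # each leading 0x00 becomes "1"
    return "1" * zeros + out

def decode_address(addr: str) -> bytes:
    """Return the 20-byte hash, or raise ValueError if the address is damaged."""
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on characters outside the alphabet
    zeros = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, check = data[:-4], data[-4:]
    if len(payload) != 21 or checksum(payload) != check:
        raise ValueError("checksum mismatch: mistyped or truncated address")
    return payload[1:]

# Constructed stand-in for hash(PK); not derived from any real key.
SAMPLE_HASH = hashlib.sha256(b"constructed public key").digest()[:20]

if __name__ == "__main__":
    addr = encode_address(SAMPLE_HASH)
    print(addr, decode_address(addr) == SAMPLE_HASH)
```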


A simple transaction

• Alice wants to pay 3 Bitcoins to Bob
• Alice owns 3 Bitcoins at address A
• Bob has address B
• To pay Bob, Alice creates a transaction and broadcasts it to the whole network
• The transaction contains
  • Addresses A and B
  • The public key associated with A
  • Amount 3 Bitcoins
  • A digital signature on the message of all the above, created with Alice's secret key


Blockchain

• There are certain nodes on the network called miners that maintain the correct ledger of transactions
• Miners put transactions into blocks, and broadcast their blocks containing transactions that are consistent
• E.g., a valid block cannot contain the following two transactions
  • A sent x Bitcoins to B (say B had 0 Bitcoins before)
  • B sent 2x Bitcoins to C
• Once a claimed correct block is broadcast, it needs to be verified by other miners before it gets added into the Blockchain
• Eventually, all miners will get to see the same blockchain
• This is the blockchain we see at blockchain.info
• On average, a new block is created every 10 minutes
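
Added example (not part of the lecture): the consistency check a verifying miner runs on a claimed block, using the lecture's "file of balances" model and its own invalid pair of transactions. Assumptions: signature verification is left out, amounts are integers, and the ledger and blocks are constructed sample data.

```python
def apply_block(balances: dict, block: list) -> dict:
    """Return the new ledger after the block, or raise ValueError on overspending.

    balances maps address -> amount; block is a list of
    (sender, receiver, amount) tuples applied in order.
    """
    new_state = dict(balances)  # work on a copy: a rejected block changes nothing
    for i, (sender, receiver, amount) in enumerate(block):
        if amount <= 0:
            raise ValueError(f"tx {i}: non-positive amount")
        available = new_state.get(sender, 0)
        if available < amount:
            raise ValueError(f"tx {i}: {sender} spends {amount} but holds {available}")
        new_state[sender] = available - amount
        new_state[receiver] = new_state.get(receiver, 0) + amount
    return new_state

def is_consistent(balances: dict, block: list) -> bool:
    """True if every transaction in the block is covered by the running balances."""
    try:
        apply_block(balances, block)
        return True
    except ValueError:
        return False

# Constructed sample data.
X = 5
LEDGER = {"A": X, "B": 0, "C": 0}
SLIDE_BLOCK = [("A", "B", X), ("B", "C", 2 * X)]   # the lecture's invalid pair
DOUBLE_SPEND = [("A", "B", X), ("A", "C", X)]      # A spends the same x twice
CHAINED = [("A", "B", X), ("B", "C", X)]           # valid: B forwards what it received

if __name__ == "__main__":
    for name, blk in [("slide", SLIDE_BLOCK), ("double spend", DOUBLE_SPEND), ("chained", CHAINED)]:
        print(name, is_consistent(LEDGER, blk))
```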


What do miners do?

• Distributed computing consensus
  • N players (malicious and honest) start with input values x_1, x_2, …, x_N and some previously agreed state
• Goal of the protocol
  • All honest players output eventually one value x_i and the new state' = f(state, x_i)
  • This value must have been generated by an honest node
• This looks quite easy!
  • Is it?


Distributed algorithm to reach consensus

• All players store the initial state and their input x_i
• Pick a player q uniformly at random
• Step 1: The player q sends its input x_q to all other nodes, proposing it to be the new extension to state
  • (if the player is honest it sends the same correct inputs to all other nodes, otherwise it can behave arbitrarily)
• Step 2: All honest players verify x_q and compute the new state'
• Theorem (informal): If the majority of players is honest, then eventually the system will reach consensus


Bitcoin consensus

• It is an instantiation of what we described before
  • Players are miners
  • state is the blockchain, containing blocks that contain valid transactions
  • The inputs are the new blocks that are being generated
• So what is the difference?
  • Remember an important requirement of the consensus protocol is that every time I should pick someone uniformly at random.
  • How do I pick someone uniformly at random in Bitcoin?
  • In particular, how do I pick someone uniformly at random in a distributed fashion?
  • Proofs of Work!!!


How does a miner prepare a block

• A miner receives a bunch of transactions from users
• He checks to see that the transactions he has are valid
• He organizes the transactions into a block b
• Now he is ready to broadcast his block and update the state of the system
• Wait, the theorem says he needs to be chosen at random
• Well, to be eligible for broadcasting, he needs to solve a computational puzzle and submit its solution
• Basically, the computational puzzle requires him to invert a hash


Bitcoin Blocks and Transactions


What is the nonce in each block?

• Each block submitted by a miner has a nonce
• This nonce is the solution to the following puzzle
  • H(nonce || previous_block_hash || hash_current_transactions) < target_value
• The block will be accepted after the above is checked
• The above mechanism serves for choosing some miner at random, making sure the ledger is maintained correctly
• The smaller target_value is, the higher the difficulty of the puzzle
  • Adjusted by the Bitcoin foundation to make sure one block is mined approximately every 10 minutes
• Questions
  • Why would you invest your computational power to prepare blocks?
  • What are the incentives?
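
Added example (not part of the lecture): a toy miner and verifier for the puzzle H(nonce || previous_block_hash || hash_current_transactions) < target_value, showing that finding a nonce takes about 2^256 / target_value hashes while checking one takes a single hash, and that the nonce is bound to the transactions it was mined over. Assumptions: H is a single SHA-256 with an 8-byte nonce (real Bitcoin hashes an 80-byte block header with double SHA-256), and all inputs are constructed sample data.

```python
import hashlib

def puzzle_hash(nonce: int, prev_block_hash: bytes, tx_hash: bytes) -> int:
    """H(nonce || previous_block_hash || hash_current_transactions) as an integer."""
    data = nonce.to_bytes(8, "big") + prev_block_hash + tx_hash
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def is_valid(nonce: int, prev_block_hash: bytes, tx_hash: bytes, target: int) -> bool:
    """The one-hash check every other miner runs before accepting a block."""
    return puzzle_hash(nonce, prev_block_hash, tx_hash) < target

def mine(prev_block_hash: bytes, tx_hash: bytes, target: int, max_tries: int = 1 << 24):
    """Brute-force search; returns the first winning nonce, or None if none is found."""
    for nonce in range(max_tries):
        if is_valid(nonce, prev_block_hash, tx_hash, target):
            return nonce
    return None

def expected_tries(target: int) -> int:
    """Each attempt succeeds with probability target / 2**256."""
    return (1 << 256) // target

# Constructed sample data (not real blocks or transactions).
PREV_HASH = hashlib.sha256(b"constructed previous block").digest()
TX_HASH = hashlib.sha256(b"A pays B 3 BTC").digest()
TAMPERED_TX_HASH = hashlib.sha256(b"A pays M 3 BTC").digest()
TARGET = 1 << 240  # hash must start with 16 zero bits

if __name__ == "__main__":
    nonce = mine(PREV_HASH, TX_HASH, TARGET)
    print("nonce:", nonce, "expected tries:", expected_tries(TARGET))
    print("accepted:", is_valid(nonce, PREV_HASH, TX_HASH, TARGET))
    # A changed transaction set yields an unrelated hash, so the old nonce
    # passes only with probability target / 2**256 and must be re-mined.
    print("after tampering:", is_valid(nonce, PREV_HASH, TAMPERED_TX_HASH, TARGET))
```

Halving TARGET doubles expected_tries, which is the sense in which a smaller target_value means a harder puzzle.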


Incentives for miners

• Miners help maintain the correct ledger, but there is an incentive
• Every time they mine a block successfully, they collect transaction fees from the transactions they mine
  • E.g., I might have a transaction with inputs address A and 20 bitcoins and outputs address B and 19 bitcoins
  • 1 bitcoin will be the transaction fee for the miner
• You are not required to add transaction fees in your transactions
  • But if you do, you are more likely to have your transaction verified
• Is this the only revenue for miners?


How do you put money into the system?

• For every block mined, there is a special transaction called coinbase
  • This transaction "creates" money
  • E.g., creating a successful block can reward you ~35 Bitcoins
  • That is around $9,000 USD
• Concerning the Coinbase transaction
  • Starts at 50 BTC
  • Halves every 210,000 blocks (around 4 years)
  • When it would go to 0, it would not be possible to mine Bitcoins and around that time almost 21 million Bitcoins will have been produced
  • THIS IS HARDCODED INTO THE BITCOIN SOURCE
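
Added example (not part of the lecture, and not the Bitcoin source itself): the schedule "starts at 50 BTC, halves every 210,000 blocks" carried through in integer arithmetic, which shows when the reward reaches 0 and why the total is almost, but not exactly, 21 million. Assumption: amounts are counted in units of 10^-8 BTC (satoshis) and each halving is an integer right shift, so fractions of a unit are dropped.

```python
COIN = 100_000_000            # smallest units (satoshis) per bitcoin
INITIAL_SUBSIDY = 50 * COIN   # reward of the first block
HALVING_INTERVAL = 210_000    # blocks between halvings

def block_subsidy(height: int) -> int:
    """Newly created units in the coinbase transaction of the block at this height."""
    halvings = height // HALVING_INTERVAL
    return INITIAL_SUBSIDY >> halvings  # integer halving, remainder dropped

def paying_eras() -> int:
    """Number of 210,000-block eras in which the reward is still non-zero."""
    era = 0
    while INITIAL_SUBSIDY >> era > 0:
        era += 1
    return era

def first_zero_subsidy_height() -> int:
    """First block height whose coinbase creates no new money."""
    return paying_eras() * HALVING_INTERVAL

def total_supply() -> int:
    """Sum of all block rewards ever paid, in smallest units."""
    return sum((INITIAL_SUBSIDY >> era) * HALVING_INTERVAL for era in range(paying_eras()))

if __name__ == "__main__":
    for h in (0, 209_999, 210_000, 420_000):
        print(f"height {h:>7}: {block_subsidy(h) / COIN} BTC")
    print("reward reaches 0 at height", first_zero_subsidy_height())
    print("total supply:", total_supply() / COIN, "BTC")
    print("short of 21 million by", 21_000_000 * COIN - total_supply(), "units")
```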


Forking on the Blockchain

• It might be the case that two nodes get to mine a different block around the same time
  • So two nodes can get solutions of different puzzles at the same time
  • So the blockchain can degenerate into a tree
  • Two miners can store different paths of this tree
• Bitcoin consensus algorithm ensures the longest blockchain will prevail
  • The longest chain will always win (it contains the most cumulative hash power)


Recap

• How do you join Bitcoin?
• What happens when you want to send 4 Bitcoins to Alice?
• How is the ledger maintained?
• What is the purpose of the miners?
• How do the miners get paid?
• What happens when two different blocks are mined around the same time?


Bitcoin and privacy

• Is Bitcoin private?
  • Not really. It provides pseudonymity, since no real names appear on the blockchain
  • But you can launch linking attacks by analyzing the transaction graph
• Proposed alternatives
  • Zerocoin, Zerocash
  • These are new cryptocurrencies with privacy
• Intuitive difference between Bitcoin and Zerocash
  • A miner in Bitcoin proves that a sender A has the money to pay a receiver B
  • A miner in Zerocash proves that there is an input transaction from the past that can be sent to B (breaks linkage)
• Complicated crypto constructions called SNARKs are required


Building applications with Bitcoin

• I own a file f but I do not want to store it, so I give it to Google and I keep one hash h(f) locally
• When the time comes to pay my subscription, I want Google to prove to me that it has the file
• So Google sends me the file…
• At that point, I can take the file and leave and never pay
• At the same time, if I pay first, Google can cheat and not prove to me that it has the file
• Can Bitcoin help here?


Secure Storage with Bitcoin

• Main idea: Make a Bitcoin transaction for Google, which will fire only when Google posts a transaction with the file
• Namely, Bitcoin allows you, through a scripting language, to indicate various conditions that must be satisfied for a transaction to go through
• But what if Google does not have the file?
• Where will my money go? Will I lose it forever?
• More on that next Wednesday by Mohammad and Ibrahim


One step further: Smart contracts

• Bitcoin scripting language is not Turing-complete
• How about if more complicated conditions should be responsible for the flow of cash in the system?
• E.g.,
  • Play rock-paper-scissors on Bitcoin and make sure money goes to the winner, without having a trusted third party overseeing the process
• Smart contracts: You can write programs in a Turing-complete language and have miners verify transactions by executing these contracts
• Example: Ethereum
• Research: Privacy-preserving smart contracts (talk to me if you are interested)