BLOCKCHAIN The foundation behind Bitcoin

Transcription

1 BLOCKCHAIN The foundation behind Bitcoin Sourav Sen Gupta Indian Statistical Institute, Kolkata

2 CRYPTOGRAPHY Backbone of Blockchain Technology

3 Component 1 : Cryptographic Hash Functions

4 HASH FUNCTIONS Map variable-length input to constant-length output. x h y

5 HASH FUNCTIONS Finding the pre-image of a given output is not easy.? h y

6 HASH FUNCTIONS Finding a colliding twin of a given input is not easy x1 x2 h y

7 HASH FUNCTIONS Finding any colliding pair of inputs is not easy x1 x2 h y It is of course possible, but not easy.

8 HASH FUNCTIONS Minor input-mismatch to major output-mismatch x1 y h x2 y

9 CONSTRUCTIONS m1 m2 mn IV f f f h Merkle-Damgard Construction Example : SHA 256 used in Bitcoin

10 CONSTRUCTIONS m1 m2 mn h1 r c f f f f Sponge Construction Example : SHA 3 used in Ethereum

11 APPLICATIONS r x h y commit(x) : c = h(r x) verify(c,r,x) : h(r x) == c Provably secure scheme for Commitment Random nonce r must have a high min-entropy for this scheme to be secure.

12 APPLICATIONS x h y record(x) : c = h(x) verify(c,x) : h(x) == c Provably secure scheme for tamper-detection

13 DATA STRUCTURES data h addr(data) hash(data) Hash Pointer Tamper-evident data pointer = Hash Pointer

14 DATA STRUCTURES data data HP(block) timestamp Block h HP(block) timestamp Block Tamper-evident linked data structure = Block

15 DATA STRUCTURES data data data data data HP(block) HP(block) HP(block) HP(block) HP(block) timestamp timestamp timestamp timestamp timestamp Block Block Block Block Block Tamper-evident linked-list = Blockchain

16 DATA STRUCTURES data data data data data HP(block) HP(block) HP(block) HP(block) HP(block) timestamp timestamp timestamp timestamp timestamp Block Block Block Block Block data data data data data HP(block) HP(block) HP(block) HP(block) HP(block) timestamp timestamp timestamp timestamp timestamp Block Block Block Block Block Tamper-evident linked-list = Blockchain

17 DATA STRUCTURES HP(root) data HP(left) HP(right) data timestamp Node data HP(left) HP(right) HP(left) HP(right) timestamp timestamp Node data Node data HP(left) HP(right) HP(left) HP(right) timestamp Node timestamp Node Tamper-evident binary-tree = Merkle Tree

18 DATA STRUCTURES HP(root) data HP(left) HP(right) data timestamp Node data HP(left) HP(right) HP(left) HP(right) timestamp timestamp Node data Node data HP(left) HP(right) HP(left) HP(right) timestamp Node timestamp Node Tamper-evident binary-tree = Merkle Tree

19 DATA STRUCTURES Properties Blockchain Merkle Tree Merkle Trie Size of Commitment O(1) O(1) O(1) Append a Block/Node O(1) O(log n) O(k) Update a Block/Node O(n) O(log n) O(k) Proof of Membership O(n) O(log n) O(k) Structural Abstraction List of Objects Set of Objects Set of (key, value) Used for Construction Bitcoin Bitcoin Ethereum

20 QUESTIONS Can any pointer-based data structure be efficiently converted into a Hash-Pointer based data structure? Will such an exercise be at all useful in any use case? Do these structures provide any additional advantage?

21 Component 2 : Digital Signature Schemes

22 DIGITAL SIGNATURE? s = sign(sk,m) sk keygen(n) pk verify(pk,m,s) Digital signature as a set of three algorithms

23 DIGITAL SIGNATURE? s = sign(sk,m) sk keygen(n) pk verify(pk,m,s) (sk, pk) = keygen(n) verify(pk,m,sign(sk,m)) = True

24 DIGITAL SIGNATURE? s = sign(sk,m) sk keygen(n) pk verify(pk,m,s) Given pk and access to sign(mi) as an oracle, an adversary should not be able to create a valid fresh message-signature pair (m,s)

25 CONSTRUCTION Q Fp Elliptic Curve Digital Signature Algorithm (ECDSA) ECDSA on curve E(Fp) : { (x,y) in Fp x Fp y 2 = x } with base prime p =

26 CONSTRUCTION Elliptic Curve group of size E(Fp) = q ~ p ~ Parameters Format Range Bit-size sk random Zq 256 pk sk x G E(Fp) 512 m hash(m) Zq 256 Signature (r, s) Zq x Zq 512 ECDSA on curve E(Fp) : { (x,y) in Fp x Fp y 2 = x } with base prime p =

27 APPLICATION pk sk sk? sk verify(pk,m,sign(sk,m)) Publish the public key pk as your Identity Use the secret key sk to prove your identity

28 BITCOIN Blockchain in Practice

29 BITCOIN Ledger of Transactions between Pseudonymous Identities Semi-Decentralised Publicly-Verifiable Tamper-Resistant Eventually-Consistent

30 NOT BITCOIN Economic Transaction that we are familiar with Tx

31 NOT BITCOIN Tx Centralised Account-based Ledger

32 NOT BITCOIN Tx Decentralised Account-based Ledger

33 NOT BITCOIN YET Tx Tx Tx Tx Tx Tx Tx Tx Decentralised Transaction-based Ledger

34 TRANSACTION Tx Tx Signed by Network verifies the Signature

35 TRANSACTION Tx pk Tx pk Signed by sk Network verifies the Signature

36 TRANSACTION Input : Array of previous Transactions Output : Array of recipient Addresses pk1 Tx R1 pk Sender(s) pk2 Tx pk3 Tx sk1 Tx sk2 sk3 R2 R3 pk pk Recipient(s) Network verifies the Signature(s)

37 TRANSACTION Input : Array of previous Transactions Output : Array of recipient Addresses Input Transactions pk1 Tx pk2 Tx pk3 Tx R1 pk sk1 Tx pk R2 sk2 sk3 R3 pk Recipients Signatures Network verifies the Signature(s)

38 Metadata TRANSACTION Input(s) Output(s) Data obtained from blockchain.info

39 LEDGER Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Decentralised Transaction-based Ledger

40 BLOCK Data obtained from blockchain.info

41 BLOCK Data obtained from blockchain.info

42 BLOCK Data obtained from blockchain.info

43 BLOCK Data obtained from blockchain.info

44 BLOCK Data obtained from blockchain.info

45 BITCOIN Tx Tx Tx Tx Transaction Mining

46 MINING Tx Tx Tx Tx Transaction Computational Lottery (Puzzle) Find r such that hash(r m) < C Existing blocks at a given time Winner writes the next block

47 MINING Data obtained from blockchain.info

48 MINING Data obtained from blockchain.info

49 MINING Data obtained from blockchain.info

50 MINING Data obtained from blockchain.info

51 MINING Data obtained from blockchain.info

52 BITCOIN Tx Tx Tx Tx Transaction Mining

53 BITCOIN Framework Decentralised peer-to-peer collaborative network Goal : All peers should agree on a sequence of transactions

54 BITCOIN Publicly-Verifiable as the complete ledger and the hash function is public

55 BITCOIN Tamper-Evident / Tamper-Resistant as the ledger is connected through a chain of hash pointers X X X X X X X

56 BITCOIN Eventually-Consistent as the longest chain eventually sustains as the main chain

57 BITCOIN Data obtained from blockchain.info

58 BITCOIN Data obtained from blockchain.info

59 BITCOIN Data obtained from blockchain.info

60 BITCOIN Semi-Decentralised as the mining is dominated by computational power

61 BITCOIN Data obtained from blockchain.info

62 BITCOIN Data obtained from blockchain.info

63 Robin Yao (BW), Wang Chun (F2Pool), Marshall Long (FinalHash), Pan Zhibiao (Bitmain) Liu Xiang Fu (Avalon), Sam Cole (KnCMiner) and Alex Petrov (BitFury)

64 BITCOIN Semi-Decentralised Tamper-Resistant Publicly-Verifiable Eventually-Consistent

65 ECONOMICS The success story of Bitcoin

66 BITCOIN Data obtained from blockchain.info

67 BITCOIN Data obtained from blockchain.info

68 BITCOIN Data obtained from blockchain.info

69 BITCOIN Data obtained from blockchain.info

70 BITCOIN Data obtained from blockchain.info

71 BITCOIN Data obtained from blockchain.info

72 SECURITY The threat from Bitcoin

73 BITCOIN Transactions : Completely transparent and public Identities : Opaque and pseudonymous addresses ~ 170 Million bitcoin addresses ~ 150 Million bitcoin transactions ~ 80 GB of compressed raw data ~ 80% of transactions have < 2 inputs ~ 90% of transactions have < 3 outputs

74 BITCOIN

75 BITCOIN Identities : Opaque and pseudonymous addresses Anyone can create arbitrarily many identities All identities look the same on the network ~ 170 Million bitcoin addresses ~ 150 Million bitcoin transactions Provides anonymity of Bitcoin transactions.

76 BITCOIN Data obtained from blockchain.info

77 BITCOIN Data obtained from blockchain.info

78 BITCOIN Data obtained from blockchain.info

79 Dark Marketplaces to buy-and-sell Drugs

80 Dark Marketplaces to buy-and-sell Guns and Fake ID

81 BITCOIN Identities : Opaque and pseudonymous addresses Anyone can create arbitrarily many identities All identities look the same on the network ~ 170 Million bitcoin addresses ~ 150 Million bitcoin transactions Is it still possible to trace transactions and identities?

82 DE-ANONYMIZATION Potential solution to the threat from Anonymity

83 TRANSACTION S1 R1 S2 Tx R2 Sn Rm

84 EXAMPLE #1 1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL S1 Tx R1 18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk Note : Single recipient with an exact match of input to output highly unlikely.

85 EXAMPLE #2 1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq S1 Tx R1 1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm R2 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr Note : Nice complete denomination along with a random change.

86 EXAMPLE #3 1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE S1 Tx R1 19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK R2 1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U Note : BTC = 6.50 USD at the time of transaction.

87 EXAMPLE #4 19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD S1 Tx R1 1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh 13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG S2 Note : Two arbitrary inputs exactly match up to a desired output highly unlikely.

88 EXAMPLE # USD 4.10 USD 1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd S1 Tx R1 1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd 17atn5sagYRBUvzgFLd9bUjWF4yStkdokW S2 R2 1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU 6.03 USD 7.95 USD Note : Two input transactions coupled for a payment plus some random change.

89 CLUSTERING 1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE 1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd 1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL 17atn5sagYRBUvzgFLd9bUjWF4yStkdokW 19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK 1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U 1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd 18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk 1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq 19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD 13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr 1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm 1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh 1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU

90 IDENTIFICATION 1PXzMrz8KBNEkTt3Wnuqy4axiWszbyQKyE 1Djvb34FNpNXtrbbjaQeERZf68cyUdWyzd 1FLa9NcXJPA2XvF34LRuB4zbXX4Ws32dpL 17atn5sagYRBUvzgFLd9bUjWF4yStkdokW 19onWuLmjXGVfc7oUAEVuy9Yd3jxqhsUbK 1AASWBCGveXH6H5yTCZW2x7uZrawDiqp4U 1AffmSG4tcNRjcgTWTnS6TM3cWPeeA9EVd 18rdKmjrg1EawxgiVT3ikLExj6GWS2MNCk 1Ao6mKMEXxCVNVAuGjfLXZ3Zf43hd3yAEq 19SZcQ2CzJacQZE9rYwQjsfcBKMWDNwBWD 13Zjnzx8VxtLUEiYcrVXKp5sLucLMvBqaG 16pDB5bvoqRGvoH32GaJLfsEcaMc2T9xDr 1H3bY2Cv1pmn8ffTdyeRvZAUjNJC1giQHm 1PLjv1VzGEKxtM2FnRzg2FmDjen9trUBrh 1Nq612zwhEZDBNz2AeWKZxD6LvwiLm6cQU

91 CLUSTERING The Unreasonable Effectiveness of Address Clustering Harrigan and Fretter, May 2016

92 DE-ANONYMIZATION Passive : Analytics on 80 GB of Bitcoin blockchain data Clustering of Bitcoin Addresses with suitable definition of Metrics Identification of the Clusters using known and/or leaked Addresses Active : Injecting and tracking marked Bitcoin transactions Registering on Dark Marketplaces, Exchanges, and Mining Pools Using Addresses leaked from all these sources for Identification Elliptic ( does something similar in the UK. We should try to build our own tool for de-anonymization.

93 BLOCKCHAIN Versatile Toolkit for Protocols

94 TRANSACTION Input : Array of previous Transactions Output : Array of recipient Addresses Input Transactions pk1 Tx pk2 Tx pk3 Tx R1 pk sk1 Tx pk R2 sk2 sk3 R3 pk Recipients Signatures Network verifies the Signature(s)

95 Metadata TRANSACTION Input(s) Output(s) Data obtained from blockchain.info

96 BITCOIN SCRIPT Data obtained from blockchain.info

97 POTENTIAL With a powerful Scripting Language

98 Developing Smart Contracts on Blockchain

99 Smart Contracts BitShares Ripple BitGold Zcash ADePT Proof of Existence OneName Factom Retricoin Namecoin Proof of Space OpenBazaar Smart Properties BigchainDB BitHealth ZeroCoin Bitcoin-NG Proof of Commitment RSCoin Ethereum SpaceMint Proof of Stake BitNation GHOST Perma-Coin Proof of Retrievability

100 Bitcoin is an idea with disruptive ramifications. Thank you for listening!