ENEE 457: E-Cash and Bitcoin

Transcription

1 ENEE 457: E-Cash and Bitcoin Charalampos (Babis) Papamanthou

2 Money today

3 Any problems? Cash is cumbersome and can be forged Credit card transactions require centralized online bank are not secure can reveal private information to the bank charge arbitrary fees

4 First attempt: E-cash, 1982 Addressed mainly the privacy issue Still centralized Not that secure: Double spending could still take place but the attacker would be caught later

5 Main idea Unforgeability of cash via unforgeability of signatures To withdraw one e-coin Alice picks a serial number x, asks the bank to sign x, and the e-coin is coin = (sig_sk(x),x) Bank registers that that x has been issued for Alice To pay Bob one e-coin to buy coffee Alice sends coin to Bob To accept payment Bob verifies signature in coin To deposit Bob sends coin to the bank Bank checks x and updates Bob s and Alice s $ amounts

6 What can go wrong? Bob can first deposit coin and then continue spending coin The coin that is propagated is useless Solution: When Bob deposits coin ask bank to sign x PK_bob where PK_bob is a one-time PK that only Bob knows the SK_bob When Bob needs to spend, it sends the coin sig_sk(x PK_A) and a sig under SK_bob that I, Bob, send this to Alice Note that this cannot be propagated anymore

7 But double-spending Bob can send coin to two different entities Double spending The only way to catch it is whenever you receive a payment, ask the bank whether the serial number is valid Oh you are reintroducing the bank again (Bitcoin will help here)

8 Privacy problems of the above approach The flow of money When you withdraw the bank associates you real identity with PK_A When someone deposits, bank sees PK_A, so bank knows who you are transacting with! Idea: Use blind signatures! Get the bank to sign something without knowing what is being signed After you receive the signature, retrieve the original signature Possible with RSA (send x * r ^ e, sig is x^d * r, retrieve by dividing with r)

9 HOW DO YOU SOLVE DOUBLE SPENDING WITHOUT USING THE CENTRALIZED BANK?

10 November 2008

11 January 2009 today

12 Exciting technology underlying Bitcoin: Blockchain Distributed algorithms Cryptography Distributed consensus in practice, for the first time! Many applications, beyond cryptocurrencies!

13 But what is this blockchain? Block 3 Block 2 message 1 message 2 message 3 message k Block 1

14 Rule 1: Global read & rule-based write Block 3 Block 2 message 1 message 2 message 3 message k Block 1

15 Rule 2: Strict ordering of messages Block 4 Block 3 Block 2 Block 1 message 1 message 2 message 3 message k TX1: Bob sends 5 to Alice TX2: Alice sends 5 to Amazon TX3: George sends 6 to Tim

16 Rule 3: No message can be modified Block 4 Block 3 Block 2 message 1 message 2 message 3 message k Block 1

17 How to implement this abstraction? Controlled by Amazon Potentially no global read Message modifications Failures (not always up) Peer-to-peer network with state replication Periodic consensus on a new block Lots of results from distributed computing theory To hack the system you need a lot of effort

18 What else can we do with blockchains? Smart contracts (e.g., Ethereum) Do away with lawyers, trusted parties and escrows to enforce contracts! Bitcoin is the simplest contract: Allow money flow from A to B only if A has enough balance But how about more complicated conditions?

19 Bitcoin

20 What is Bitcoin? It is a decentralized payment system that allows its users to transfer value to each other with no central authority or third party involved. It has units of value which can be exchanged for real money. Bitcoin -> the system bitcoins -> the units of value

21 Bitcoin value Bitcoin market capital: approx. 114 billion USD (September 2018) Current price: 1 BTC = 6,599 USD

22 Bitcoin value

23 Bitcoin users Anyone can participate in the Bitcoin network Users are not registered by any authority Address Alice PK: huk67h9fyg Bob PK: p2pknb7frt Address SK: z4pxc2kkn3 SK: n52hb9klp Bitcoin uses Elliptic Curve DSA signatures Looks like a random 257-bit number Easy to store/share as a QR code

24 Bitcoin transactions Alice PK: huk67h9fyg SK: z4pxc2kkn3 Alice sends 1 to Bob Bob PK: p2pknb7frt SK: n52hb9klp

25 Bitcoin transactions Alice PK: huk67h9fyg SK: z4pxc2kkn3 huk67h9fyg sends 1 Transaction to p2pknb7frt Bob PK: p2pknb7frt SK: n52hb9klp

26 Bitcoin transactions Alice PK: huk67h9fyg SK: z4pxc2kkn3 huk67h9fyg sends 1 Transaction to p2pknb7frt Bob PK: p2pknb7frt SK: n52hb9klp What if? huk67h9fyg sends 1 to p2pknb7frt

27 Bitcoin transactions Based on digital signatures Alice PK: huk67h9fyg SK: z4pxc2kkn3 huk67h9fyg sends 1 Transaction to p2pknb7frt Bob PK: p2pknb7frt SK: n52hb9klp Signed under Alice s SK! A transaction is accepted only if the signature verifies

28 Bitcoin s three main components Network: How can we share transactions? Transaction Ledger: How do we check validity of transactions Consensus: How can we agree on one global history of transactions?

29 Joining the Bitcoin P2P network 1 Hello World! I m ready to Bitcoin! 5 getaddr() 8 getaddr() 1, 7 getaddr()

30 Transaction propagation (flooding) 1 5 Already heard that! 8 A B 6 A B A B 7 A B A B 4 A B New tx! A B A B 3 A B A B 2 A B

31 Bitcoin s three main components Network: How can we share transactions? Transaction Ledger: How do we check validity of transactions Consensus: How can we agree on one global history of transactions?

32 Bitcoin s three main components Transaction Ledger: How do we check validity of transactions By storing a public history of all transactions ever!

33 Why do we need a transaction history? Bob Alice s account has 5

34 Why do we need a transaction history? Double-spending must be prevented! Bob Alice s account has 5 Charlie

35 Why do we need transaction history? Double-spending must be prevented! Traditional approach: ask the bank Bob Alice s account has 5

36 Why do we need transaction history? Double-spending must be prevented! Traditional approach: ask the bank Probably the most important problem with electronic currencies Bob Alice s account has 5 Who can we ask now?

37 Transaction Ledger Alice sends 1 Time t to Bob Stores every transaction and is used to check users balances Alice sends 0.7 to Chris Bob sends 1.2 to Dave Dave sends 0.2 to Chris Bob sends 1 Time t+1 to Carol

38 Transaction Ledger Alice sends 1 to Bob Alice sends 0.7 to Chris Bob sends 1.2 Time t to Dave Stores every transaction and is used to check users balances Example Time t Dave sends 0.2 to Chris Bob sends 1 Time t+1 to Carol Alice 2 5 Bob

39 Transaction Ledger Alice sends 1 to Bob Alice sends 0.7 to Chris Bob sends 1.2 Time t to Dave Stores every transaction and is used to check users balances Example Time t Time t+1 Dave sends 0.2 to Chris Bob sends 1 Time t+1 to Carol Alice Bob Alice Bob

40 Block Transaction Ledger: Blockchain Alice sends 1 to Bob Alice sends 0.7 to Chris Bob sends 1.2 Time t to Dave Required properties: 1) Append-only 2) Cannot revise existing blocks 3) Global Who maintains it? o The users themselves! 1 5 Dave sends 0.2 to Chris 8 7 Bob sends 1 Time t+1 to Carol

41 Block Transaction Ledger: Bitcoin Blockchain Alice sends 1 to Bob Alice sends 0.7 to Chris Bob sends 1.2 Time t to Dave Required properties: 1) Append only 2) Cannot revise existing blocks 3) Global Who maintains it? o The users themselves! 1 5 Dave sends 0.2 to Chris 8 7 Bob sends 1 Time t+1 to Carol 6 Miners: special types of users 4 3 2

42 Bitcoin s three main components Network: How can we share transactions? Transaction Ledger: How do we check validity of transactions Consensus: How can we agree on one global history of transactions?

43 Bitcoin s three main components Consensus: How can we agree on one global history of transactions?

44 Who chooses the next block? Every transaction is broadcast to all users

45 Who chooses the next block? Every transaction is broadcast to all users Jan sends 0.2 to Alice Do we agree on this block for time t+1? Miners voting majority wins Time t+1 Alice sends 1 to Bob Alice sends 0.7 to Chris Bob sends 1.2 Dave sends 0.2 to Dave to Chris Yes No Yes Yes Yes Works well if majority of miners is honest!

46 Majority of what? What does majority mean in a system where everyone can participate? Sybils: Multiple identities belonging to the same (malicious) user Bitcoin solution: Majority is defined as the majority of computational power!

47 Consensus based on computational power Proof-of-work To measure a user s computational power ask him to solve a puzzle: puzzle should be difficult to solve but a solution should be easily verifiable The puzzle used in Bitcoin is based on the cryptographic hash function SHA256

48 Consensus based on computational power Proof-of-work To measure a user s computational power ask him to solve a puzzle: puzzle should be difficult to solve but, a solution should be easily verifiable The puzzle used in Bitcoin is based on the cryptographic hash function SHA256 Puzzle: Given small y find x such that SHA256(x) < y Target

49 How is a new block added? 1) Payer announces transaction Puzzle: Given small y find x such that SHA256(x) < y 2) Miners receive & check transaction v 1 Dave sends 1 to Carol Alice Alice sends 1 to Bob Broadcast Miners v 2 v m Bob sends 1 to Eve Alice sends 1 to Bob 3) Miners compete to solve puzzle Pool of transactions not yet on the chain Block t-1 Alice sends 1 to Bob Alice sends 0.7 to Chris Bob sends 1.2 Dave sends 0.2 to Dave to Chris Find x such that SHA256(v 1,,v m, Block t, x) < y 4) New block announcement Block t Alice sends 1 to Bob Alice sends 0.7 to Chris I found a new block! Bob sends 1.2 Dave sends 0.2 to Dave to Chris Blockchain at time t v 1 Dave sends 1 v 2 v m to Carol Bob sends 1 to Eve Alice sends 1 to Bob Pool of transactions not yet on the chain Block B

50 What if multiple miners solve the puzzle? I found a new block! Block B Block B I found a new block! New block t+1 Time t+1 Time t-1 Time t Time t+1 Time t+2 Longest chain (eventually) wins Fork New block t+1

51 The rules of Nakamoto consensus All blocks must reference the previous blockchain header append-only All blocks must be well-formed all included transactions are valid Blocks must include a computational puzzle solution mining is difficult Longest chain is the true blockchain at any time New blocks mint X new Bitcoins that are awarded to the miner mining is rewarding Incentives should favor honest behavior

52 Transaction confirmation As a merchant, how long do you wait before you consider a transaction confirmed? Alice sends 5 to Bob Alice Bob Time t Time t+4 Time t+1 Time t+2

53 Transaction confirmation As a merchant, how long do you wait before you consider a transaction confirmed? Alice Bob Time t Time t+4 Time t+1 Time t+2 Fork Time t+2 Time t+3 Time t+5 This chain includes a different transaction from Alice Time t+3

54 Transaction confirmation As a merchant, how long do you wait before you consider a transaction confirmed? Alice sends 5 to Bob Alice Bob Time t Time t+4 Time t+1 Time t+2 Time t+3 Time t+5 Time t+6 Security property of Nakamoto consensus: Exponential Convegence o Probability of forking decreases exponentially with # of subsequent blocks Heuristic rule enforced in practice: 6 blocks is safe (1 hour in real-world)

55 Some numbers about Bitcoin 10 min. expected mining time per block o enforced by changing the target value y; currently 69+ leading 0 s 1 Mb size of each block Total blocks mined so far ~543, M satoshis per bitcoin (smallest possible denomination) Current bitcoin reward 12.5 BTC (~443,000 USD) o (halved every 210,000 blocks; originally 50 BTC) ~21M total bitcoins maximum o expected to exhaust by year 2040 o already mined ~80% of these

56