Distributed Algorithms Bitcoin

Transcription

1 Distributed Algorithms Bitcoin Alberto Montresor Università di Trento 2018/12/18 Acknowledgment: Joseph Bonneau, Ed Felten, Arvind Narayanan This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

2 Table of contents 1 Introduction 2 Preliminaries Hash function properties Hash-based data structures Signatures 3 Naive coins Goofy coin ScroogeCoin 4 Bitcoin Basics Ledger 5 Decentralization in Bitcoin BitCoin P2P Network Consensus basics Mining 6 Conclusions

3 Introduction What is Bitcoin? Blockchain An open, distributed ledger that can record transactions between multiple parties efficiently and in a verifiable and permanent way. Decentralization Blockchain may be built in a centralized way; Bitcoin was the first to realize one without a trusted third party. Cryptocurrency A digital asset designed to work as a medium of exchange that uses strong cryptography to secure financial transactions, control the creation of additional units, and verify the transfer of assets. Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 1 / 51

4 Introduction History 31/10/08: Satoshi Nakamoto sends a link to a paper titled "Bitcoin: A Peer-to-Peer Electronic Cash System" to a cryptography mailing list Released as an open-source project in January 2009 Nakamoto worked on the source until mid-2010, when he passed the control to prominent members of the Bitcoin community. Several incidents: 2010, exploit, large number of Bitcoins created and later reverted 2013, bug, fork in the chain - two independent chains were operating 2014, Mt.Gox repository filed for bankruptcy, 744K-B stolen Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 2 / 51

5 Introduction The original paper Bitcoin: A Peer-to-Peer Electronic Cash System Satoshi Nakamoto satoshin@gmx.com Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone. Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 3 / 51

6 Introduction A clever combination of existing techniques 2001: SHA-256 finalized 1999-present: Byzantine fault tolerance 1999-present: P2P networks 1998: Wei Dai, B-money 1998: Nick Szabo, Bit Gold 1997: HashCash : Proof-of-work for spam 1991: cryptographic timestamp 1980: public key crypto algorithm Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 4 / 51

7 Introduction Many features in a single protocol Anonymity/privacy Protection against sybil attacks Distributed ledger (notarization) Leader election Consensus Currency, digital payments Smart contracts An incentive framework Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 5 / 51

8 Preliminaries Hash function properties Properties of Hash functions Collision-free Difficult to find x and y such that: x y and H(x) = H(y) Application: Message digest If we know that H(x) = H(y), it is safe to assume that x = y To recognize a message that we saw before, just remember its hash. Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 6 / 51

9 Preliminaries Hash function properties Properties of Hash functions Hiding Given H(x), it is infeasible to find x. Corollary: If r is chosen from a probability distribution that has high min-entropy, then given H(r x), it is infeasible to find x. A random variable X has min-entropy k if max x P r[x = x] = 2 k High min-entropy means that the distribution is very spread out No particular value is chosen with more than negligible probability. Application: Commitment Want to commit to a value, reveal it later seal a value in an envelope now, and open the envelope later. Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 7 / 51

10 Preliminaries Hash function properties Properties of Hash functions Commitment API (com, key) commit(msg) match verify(com, key, msg) Sealing the envelope (com, key) commit(msg) Publish com Opening the envelope Publish key, msg; com already published Anyone can use verify() to check validity Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 8 / 51

11 Preliminaries Hash function properties Properties of Hash functions Commitment API (com, key) commit(msg) match verify(com, key, msg) Implementation commit(msg) (H(msg key), key) where key is a random 256-bit value verify(com, key, msg) (H(msg key) = com) Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 8 / 51

12 Preliminaries Hash function properties Properties of Hash functions Commitment API (com, key) commit(msg) match verify(com, key, msg) Security properties Hiding: Given com, infeasible to find msg Binding: Infeasible to find msg msg such that verify(commit(msg), msg ) = true Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 8 / 51

13 Preliminaries Hash function properties Properties of Hash functions Puzzle-friendly For every possible output value y, if r is chosen from a distribution with high min-entropy, then it is infeasible to find x such that H(r x) = y Application: Search puzzle Given a puzzle k (from high min-entropy distribution) and a target set Y, try to find a solution x such that: H(k x) Y Puzzle-friendly property implies that no solving strategy is much better than trying random values of x Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 9 / 51

14 Preliminaries Hash-based data structures Hash pointer Hash pointer A pointer to where some info is stored, and a (cryptographic) hash of the info If we have a hash pointer, we can: ask to get the info back verify that it hasn t changed H( ) (data) will draw hash pointers like this Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 10 / 51

15 Preliminaries Hash-based data structures Blockchain Linked list with hashdetecting pointers (Blockchain) tampering H( ) prev: H( ) prev: H( ) prev: H( ) data data data use case: tamper-evident log Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 11 / 51

16 Preliminaries Hash-based data structures Merkle tree Binaryproving tree with hash membership pointers (Merkle in a tree) Merkle tree H( ) H( ) show O(log n) items H( ) H( ) H( ) H( ) (data) Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 12 / 51

17 Preliminaries Hash-based data structures Merkle tree Advantages of Merkle Trees Tree holds many items, but just need to remember the root hash Can verify membership in O(log n) time/space Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 13 / 51

18 Preliminaries Hash-based data structures Public/private signatures Objectives Only you can sign, but anyone can verify Signature is tied to a particular document Cannot be cut-and-pasted to another doc API for digital signatures (sk, pk) generatekeys(keysize) sk: secret signing key pk: public verification key sig sign(sk, message) isvalid verify(pk, message, sig) Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 14 / 51

19 Preliminaries Signatures Public/private signatures Requirements Valid signatures verify: verify(pk, message, sign(sk, message)) = true An adversary who: knows pk gets to see signatures on messages of his choice can t produce a verifiable signature on another message Bitcoin Uses ECDSA (Elliptic Curve Digital Signature Algorithm) Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 15 / 51

20 Preliminaries Signatures Public/private signatures Public keys identity If you see sig such that verify(pk, msg, sig) = true, think of it as pk says [msg] Decentralized identity management Anybody can make a new identity at any time No central point of coordination These identities are called addresses in Bitcoin Privacy Addresses not directly connected to real-world identity. But observer can link together an address s activity over time, make inferences Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 16 / 51

21 Naive coins Goofy coin GoofyCoin double-spending attack signed by pk Alice Pay to pk Bob : H( ) signed by pk Alice Pay to pk Chuck : H( ) signed by pk Goofy Pay to pk Alice : H( ) signed by pk Goofy CreateCoin [uniquecoinid] Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 17 / 51

22 Naive coins ScroogeCoin ScroogeCoin Don t worry, I m honest. Crucial question: Can we descroogify the currency, and operate without any central, trusted party? Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 18 / 51

23 Bitcoin Basics Definitions Transaction A transaction is a transfer of Bitcoin value that is broadcast to the network and collected into blocks. A transaction typically references previous transaction outputs as new transaction inputs and dedicates all input Bitcoin values to new outputs. Transactions are not encrypted, so it is possible to browse and view every transaction ever collected into a block. Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 19 / 51

24 Bitcoin Basics Ledger Blocks Transaction data is bundled together and recorded in files called blocks Single unit of work for miners Limit length of hash-chain of blocks Faster to verify history The real deal: a Bitco { "hash":" aad2...", "ver":2, "prev_block":" ", block header transaction data "time": , "bits": , "nonce": , "mrkl_root":" ", "n_tx":354, "size":181520, "tx":[... ], "mrkl_tree":[ "6bd5eb25...",... "89776cdb..." ] } Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 20 / 51

25 Bitcoin Basics Ledger Structure of the Blockchain Bitcoin block structure Hash chain of blocks prev: H( ) trans: H( ) prev: H( ) trans: H( ) prev: H( ) trans: H( ) H( ) H( ) Hash tree (Merkle tree) of transactions in each block H( ) H( ) H( ) H( ) transaction transaction transaction transaction Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 21 / 51

26 Bitcoin Basics Ledger 5/26/2016 Bitcoin Blockchain Size Blockchain size Home Charts Stats Wallet 80,000 Blockchain Size Source: blockchain.info 70,000 60,000 50,000 40,000 MB 30,000 20,000 10, Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 22 / 51

27 Bitcoin Basics Ledger An account-based ledger (not Bitcoin) An account-based ledger (not Bitcoin) time Create 25 coins and credit to Alice ASSERTED BY MINERS Transfer 17 coins from Alice to Bob SIGNED(Alice) Transfer 8 coins from Bob to Carol SIGNED(Bob) Transfer 5 coins from Carol to Alice SIGNED(Carol) Transfer 15 coins from Alice to David SIGNED(Alice) might need to scan backwards until genesis! is this valid? SIMPLIFICATION: only one transaction per block Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 23 / 51

28 Bitcoin Basics Ledger A transaction-based ledger (Bitcoin) A transaction-based ledger (Bitcoin) time Inputs: Ø Outputs: 25.0 Alice change address Inputs: 1[0] Outputs: 17.0 Bob, 8.0 Alice Inputs: 2[0] Outputs: 8.0 Carol, 7.0 Bob Inputs: 2[1] Outputs: 6.0 David, 2.0 Alice SIGNED(Alice) SIGNED(Bob) SIGNED(Alice) SIMPLIFICATION: only one transaction per block we implement this with hash pointers finite scan to check for validity is this valid? Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 24 / 51

29 Bitcoin Basics Ledger Merging value Merging value time 1... Inputs: Outputs: 17.0 Bob, 8.0 Alice SIGNED(Alice) 2... Inputs: Outputs: 6.0 Carol, 2.0 Bob SIGNED(Carol) 3 Inputs: 1[0], 2[1] Outputs: 19.0 Bob SIGNED(Bob) SIMPLIFICATION: only one transaction per block Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 25 / 51

30 Bitcoin Basics Ledger Joint payments Joint payments time 1... Inputs:... Outputs: 17.0 Bob, 8.0 Alice SIGNED(Alice) Inputs: 1[1] Outputs: 6.0 Carol, 2.0 Bob Inputs: 2[0], 2[1] Outputs: 8.0 David SIGNED(Carol) two signatures! SIGNED(Carol), SIGNED(Bob) SIMPLIFICATION: only one transaction per block Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 26 / 51

31 Decentralization in Bitcoin Aspects of decentralization in Bitcoin Technological aspects of decentralization in Bitcoin Who maintains the ledger? Who has authority over which transactions are valid? Who creates new Bitcoins? Socio-economical aspects of decentralization in Bitcoin Who determines how the rules of the system change? Who maintains the software How do Bitcoins acquire exchange value? Beyond the protocol exchanges, wallet software, service providers... Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 27 / 51

32 Decentralization in Bitcoin Decentralization in Bitcoin Peer-to-peer network Open to anyone, low barrier to entry Consensus Consensus is reached by waiting long enough to observe confirmations from most of the network Mining Open to anyone, but inevitable concentration of power often seen as undesirable Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 28 / 51

33 Decentralization in Bitcoin BitCoin P2P Network Bitcoin is a peer-to-peer system Bitcoin is a peer-to-peer system When Alice wants to pay Bob, she broadcasts the transaction to all Bitcoin nodes When Alice wants to pay Bob: she broadcasts the transaction to all Bitcoin nodes signed by Alice Pay to pk Bob : H( ) Note: Bob s computer is not in the picture Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 29 / 51

34 Decentralization in Bitcoin BitCoin P2P Network Bitcoin P2P network Ad-hoc protocol (runs on TCP port 8333) Ad-hoc network with random topology All nodes are equal New nodes can join at any time Forget non-responding nodes after 3 hr Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 30 / 51

35 Decentralization in Bitcoin BitCoin P2P Network Bitcoin P2P network getaddr() Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 31 / 51

36 Decentralization in Bitcoin BitCoin P2P Network Bitcoin P2P network , Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 31 / 51

37 Decentralization in Bitcoin BitCoin P2P Network Bitcoin P2P network 1 5 getaddr() 8 getaddr() Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 31 / 51

38 Decentralization in Bitcoin BitCoin P2P Network Bitcoin P2P network Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 31 / 51

39 Decentralization in Bitcoin BitCoin P2P Network Network characteristics How big is the network? Impossible to measure exactly Estimates-up to 1M IP addresses/month Only about 5-10k full nodes Full nodes Permanently connected Store entire block chain Forward every tx/block Tracking UTXO (Unspent Transaction Output) M UTXOs Can easily fit into RAM Thin clients Connected on-demand Store block headers only Request transactions as needed, to verify payment Trust full nodes 1000x cost savings! Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 32 / 51

40 Decentralization in Bitcoin BitCoin P2P Network Software diversity About 90% of nodes run Core Bitcoin (C++) Some are out of date versions Other implementations running successfully BitcoinJ (Java) Libbitcoin (C++) btcd (Go) Original Satoshi client Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 33 / 51

41 Decentralization in Bitcoin Consensus basics Bitcoin consensus Bitcoin s key challenge Key technical challenge of decentralized e-cash: distributed consensus or, how to decentralize ScroogeCoin Theory vs practice Remember the theoretical impossibility results Bitcoin consensus works better in practice than in theory Theory is still catching up Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 34 / 51

42 Decentralization in Bitcoin Consensus basics How consensus could work in BitCoin At any given time: All nodes have a sequence of blocks of transactions they ve reached consensus on Each node has a set of outstanding transactions it has heard about How consensus could work in Bitcoin Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Tx Consensus protocol Tx Tx Tx Tx Tx Tx OK to select any valid block, even if proposed by only one node Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 35 / 51

43 Decentralization in Bitcoin Consensus basics Consensus without identity Why identity? Pragmatic: some protocols need node IDs Security: assume less than 50% are malicious Why don t Bitcoin nodes have identities? Identity is hard in a P2P system Sybil attack Pseudo-anonymity is a goal of Bitcoin Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 36 / 51

44 Decentralization in Bitcoin Consensus basics Key idea: implicit consensus New transactions are sent to all nodes Each node collects new transactions into a block In each round a random node gets to broadcast its block This node proposes the next block in the chain Other nodes implicitly accept/reject this block by either extending it or ignoring it and extending chain from earlier block Every block contains hash of the block it extends Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 37 / 51

45 Decentralization in Bitcoin Consensus basics What can a malicious node do? Honest What nodes can will extend a malicious the longest validnode branch do? C A B signed by A Pay to pk B : H( ) Doublespending attack signed by A Pay to pk A : H( ) C A A Honest nodes will extend the longest valid branch Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 38 / 51

46 Decentralization in Bitcoin Consensus basics What can a malicious node do? From Bob the Bob merchant s the merchant s point of view point of view 1 confirmation 3 confirmations C A B C A A double-spend attempt Double-spend probability decreases exponentially with # of confirmations Hear about C A B transaction 0 confirmations Most common heuristic: 6 confirmations Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 39 / 51

47 Decentralization in Bitcoin Consensus basics Recap Protection against invalid transactions is cryptographic, but enforced by consensus Protection against double-spending is purely by consensus You re never 100% sure a transaction is in consensus branch. Guarantee is probabilistic Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 40 / 51

48 Decentralization in Bitcoin Mining Some things Bitcoin does differently Introduces incentives Possible only because it s a currency! Embraces randomness Does away with the notion of a specific end-point Consensus happens over long time scales about 1 hour Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 41 / 51

49 Decentralization in Bitcoin Mining Assumption of honesty is problematic Incentives for behaving honestly Block reward Can we give nodes incentives for behaving honestly? Can we penalize the node that created this block? Can we reward nodes that created these blocks? Everything Creator of so block far is gets just to a distributed consensus protocol But now we utilize the fact that the currency has value include special coin-creation transaction in the block choose recipient address of this transaction Value is fixed: currently 25 BTC, halves every 4 years (next: ) Block creator gets to collect the reward only if the block ends up on long-term consensus branch! Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 42 / 51

50 Decentralization in Bitcoin Mining Finite supply of Bitcoins Total supply: 21 million Block reward is how new Bitcoins are created Runs out in No new Bitcoins unless rules change Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 43 / 51

51 Decentralization in Bitcoin Mining Selecting the random node Problems How to pick a random node? How to avoid a free-for-all due to rewards? How to prevent Sybil attacks? Proof-of-work To approximate selecting a random node: select nodes in proportion to a resource that no one can monopolize (we hope) Equivalent views of proof of work Select nodes in proportion to computing power Let nodes compete for right to create block Make it moderately hard to create new identities Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 44 / 51

52 Decentralization in Bitcoin Mining Hash puzzles Hash puzzles To create block, find nonce s.t. H(nonce prev_hash tx tx) is very small nonce prev_h Tx Tx Output space of hash Target space If hash function is secure: only way to succeed is to try enough nonces until you get lucky Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 45 / 51

53 Decentralization in Bitcoin Mining Proof-of-work properties Property 1: Difficult to compute hash/s (EHash/s) (16/12/2018) 120 blocks/ 211k transactions per day (16/12/2018) TWh per year (2018) Property 2: Parameterizable cost Nodes automatically re-calculate the target every two weeks Goal: average time between blocks = 10 minutes Property 3: Trivial to verify Nonce must be published as part of block Other miners simply verify that H(nonce prev_hash tx... tx) < target Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 46 / 51

54 Decentralization in Bitcoin Mining Solving hash hash puzzles puzzles is probabilistic is probabilistic 10 minutes Probability density Time to next block (entire network) Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 47 / 51

55 Decentralization in Bitcoin Mining 51% Attacks Key security assumption Attacks infeasible if majority of miners weighted by hash power follow the protocol What can a 51% attacker do? Steal coins from existing address? NO Suppress some transactions From the blockchain? YES From the P2P network NO Change the block reward? NO Destroy confidence in Bitcoin? YES!!! Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 48 / 51

56 Conclusions Limits for Bitcoin Hard-coded limits for BitCoin 10 min. average creation time per block 1M bytes in a block 20,000 signature operations per block 21M total Bitcoins maximum 50,25, Bitcoin mining reward Throughput limits in Bitcoin 1 Mbytes/block every 10 minutes > 250 bytes/transaction 7 transactions/sec Compare to: VISA: 2,000-10,000 transactions/sec PayPal: transaction/sec Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 49 / 51

57 Conclusions There and back again: from Bitcoin and BFT Permissionless vs Permissioned Permissioned Hyperledger Fabric Tendermint Ripple Stellar IOTA Many others Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 50 / 51

58 Conclusions Extensions of BitCoin Beyond money Scripting 2-out-3 signatures Distributed Execution of derivatives-contracts-as-programs Ethereum Virtual Machine (EVM) Altcoins (1748 with market cap 1$) Alberto Montresor (UniTN) DS - Bitcoin 2018/12/18 51 / 51

59 Reading Material A. Narayanan, J. Bonneau, E. Felten, A. Miller, and S. Goldfeder. Bitcoin and Cryptocurrency Technologies. Princeton University Press, Feb In this presentation: Chapters 1-3 (77 pages) Warning: 300+ pages F. Tschorsch and B. Scheuermann. Bitcoin and beyond: A technical survey on decentralized digital currencies. IEEE Communications Surveys and Tutorials, 18(3): , (Suggested) 37 pages C. Cachin and M. Vukolic. Blockchain consensus protocols in the wild. CoRR, abs/ ,