Blockchains & Cryptocurrencies

Transcription

1 1 Blockchains & Cryptocurrencies A Technical Introduction Lorenz Breidenbach ETH Zürich Cornell Tech The Initiative for CryptoCurrencies & Contracts (IC3)

2 2 Cryptocurrency Mania Market cap as of yesterday: Bitcoin $137B Ethereum $35B Top 10 together: > $200B

3 Why blockchains? 3

4 4 Centralized Bank Owner Balance Alice $10.00 Bob $20.00 Charlie $5.00

5 5 Centralized Bank Send $5 to Bob Alice Alice Owner Balance Bob Alice $5.00 Bob $25.00 Charlie $5.00

6 6 Centralized Bank Alice User: Alice PW: Send mr_mittens $5 to Bob Send $5 Alice to Bob Owner Balance Password Alice $10.00 mr_mittens Bob $20.00 hunter2 Charlie $ Bob

7 7 Centralized Bank Alice User: Alice PW: Send mr_mittens $5 to Bob Send $5 Alice to Bob Owner Balance Password Alice $5.00 mr_mittens Bob $25.00 hunter2 Charlie $ Bob

8 8 Centralized Bank Alice Owner Balance Password Alice $5.00 mr_mittens Bob $25.00 hunter2 Charlie $ Bob

9 9 Centralized Bank Alice Owner Balance Password Alice $5.00 mr_mittens Bob $25.00 hunter2 Charlie $ Bob

10 10 Centralized Bank Alice Owner Balance Password Alice $0.00 mr_mittens Bob $25.00 hunter2 Charlie $ Bob Bank can fake transactions: I swear Alice told me to transfer $5 to Charlie.

11 11 Digital Signatures Suppose you had a perfect signet ring Public Key: Everyone knows what your seal looks like Secret Key: But it can only be produced by someone with your ring Signature: The seal pressed on paper

12 12 Secret Digital Signatures Public SK KeyGen PK

13 13 Secret Digital Signatures SK Sign (M, Sig) = M

14 14 Digital Signatures Public PK (M, Sig) Verify M was signed with SK or Bad signature

15 15 Secret Digital Signatures Public SK KeyGen PK Sign (M, Sig) Verify = M M was signed with SK or Bad signature

16 16 Digital Signatures Anybody can run KeyGen, Sign, Verify, so: Any entity X can generate unique key pair (SKX, PKX) X can sign any message M using secret key SKX Anyone can verify X s signature against public key PKX But PKX does not contain X s real-world identity

17 17 Digital Signatures Most cryptocurrencies: use ECDSA (Elliptic-Curve Digital Signature Algorithm) Curve secp256k1 SK is 256 bits PK (uncompressed) is 512 bits

18 18 Centralized Bank w/ Sigs Send $5 to Bob Alice Alice Owner Balance Bob PKAlice $10.00 PKBob $25.00 PKCharlie $5.00

19 19 Centralized Bank w/ Sigs Send $5 to Bob Alice Alice Owner Balance Bob PKAlice $5.00 PKBob $30.00 PKCharlie $5.00

20 20 Centralized Bank w/ Sigs Alice Owner Balance Bob PKAlice $5.00 PKBob $30.00 PKCharlie $5.00

21 21 Centralized Bank w/ Sigs Send $5 to Bob Alice Alice Owner Balance Bob PKAlice $0.00 PKBob $35.00 PKCharlie $5.00

22 22 Centralized Bank w/ Sigs Alice Owner Counter Balance PKAlice 0 $10.00 PKBob 0 $25.00 PKCharlie 0 $5.00 Bob

23 23 Centralized Bank w/ Sigs #1: Send $5 to Bob Alice Alice Owner Counter Balance PKAlice 0 $10.00 PKBob 0 $25.00 PKCharlie 0 $5.00 Bob

24 24 Centralized Bank w/ Sigs #1: Send $5 to Bob Alice Alice Owner Counter Balance PKAlice 1 $5.00 PKBob 0 $30.00 PKCharlie 0 $5.00 Bob

25 25 Centralized Bank w/ Sigs #1: Send $5 to Bob Alice Alice Owner Counter Balance PKAlice 1 $5.00 PKBob 0 $30.00 PKCharlie 0 $5.00 Bob

26 26 Centralized Bank w/ Sigs #1: Send $5 to Bob Alice Alice Owner Counter Balance PKAlice 1 $5.00 PKBob 0 $30.00 PKCharlie 0 $5.00 Bob

27 27 Centralized Bank w/ Sigs Alice Owner Counter Balance PKAlice 1 $5.00 PKBob 0 $30.00 PKCharlie 0 $5.00 Bob

28 28 Bank can still cheat Can fail to process a transaction Can go back and reorder or erase transactions Can show different subsets of transactions to different users We want an immutable record of all transactions

29 Blockchains! 29

30 30 Blockchain Aggregate transactions into blocks every 10 minutes Bank signs and publishes blocks #1: Send $10 to Bob Alice #7: Send $5 to Bob Charlie #4: Send $5 to Dora Bob

31 31 Blockchain Each block refers to its predecessor Send $10 to Bob Alice Send $5 to Bob Charlie Send $5 to Dora Bob

32 32 Blockchain Chain contains all transactions ever made Can trace entire history Height n n-1 Genesis Block 0

33 33 Blockchain How to link blocks? Height n n-1 0

34 34 Blockchain Include entire history in each new block? Height n n-1 0

35 35 Blockchain Include entire history in each new block? Impractical! Height n n-1 0

36 36 Blockchain How to link blocks? Use hash function! Height H( ) = n H( ) = n-1 H( ) = } constant length 0

37 Cryptographic Hash 37 Functions H : {0, 1}! {0, 1} k Preimage resistance: Hard to find x given H(x) Collision resistance: Hard to find x y such that H(x) = H(y) k typically between 160 and 256 Hard : Cryptographers have mathematical definition. For our purposes: Take all computing hardware in the world and run it for millions of years

38 38 Random Oracle Model H

39 39 Random Oracle Model H 0100

40 40 Random Oracle Model H

41 41 Random Oracle Model H

42 42 Random Oracle Model H

43 43 Random Oracle Model H

44 44 Random Oracle Model H

45 Cryptographic Hash 45 Functions H : {0, 1}! {0, 1} k Random Oracle Model: Just a model of our ideal functionality In practice: MD5, SHA1, SHA2, SHA3, RIPEMD, scrypt Bitcoin: SHA2 and RIPEMD Ethereum: SHA3

46 46 Blockchain Why is history tamperproof? Collision resistance: Hard to find x y such that H(x) = H(y) Height H( ) = n H( ) = n-1 H( ) = } 256 bits 0

47 47 Centralized Blockchain Alice Bob Compute Owner Counter Ba PKAlice 1 $

48 48 Centralized Blockchain Alice Bob

49 49 Centralized Blockchain #1: Send $5 to Bob Alice Alice Bob

50 50 Centralized Blockchain #1: Send $5 to Bob Alice Alice Bob Bank can censor transactions: I swear Alice never sent me any transactions. Bank can still cheat, it will just get caught

51 Real-world Examples 51

52 52 Real-world Examples

53 53 Real-world Examples

54 54 Real-world Examples

55 55 Real-world Examples

56 56 Decentralization We don t want to trust a single party We need to build a decentralized system Parties need to agree on ledger/state. Which transactions should be included? Distributed Consensus Permissioned (a.k.a. private/consortium) system vs Unpermissioned (a.k.a. public) system

57 Permissioned Blockchain 57

58 58 Permissioned Blockchain Please let me join?

59 59 Permissioned Blockchain Requirements: Banking license $10M yearly membership fee > $10B AUM

60 60 Byzantine Fault Tolerance Well studied problem from Distributed Systems As long as less than 1/3 of parties are malicious, honest parties can always come to agreement Practical algorithms exist: PBFT HoneyBadgerBFT Thousands of transactions per second, efficient,

61 61 Unpermissioned Blockchain Alice Charlie Bob Dora Participants don t know each other Anybody can join

62 62 Unpermissioned Blockchain Alice Charlie Bob Dora Participants don t know each other Anybody can join

63 63 Sybil Attack Alice Bob Charlie Dora

64 64 Sybil Attack Alice Charlie Dora Bob Dora2

65 65 Sybil Attack Alice Charlie Dora4 Dora Bob Dora3 Dora2

66 66 Sybil Attack Dora Dora Dora Dora Dora Dora Dora Dora Alice Charlie Dora Dora4 Dora Dora Dora Dora Bob Dora Dora Dora Dora Dora Dora Dora Dora3 Dora Dora Dora2 Dora

67 67 Unpermissioned Blockchain Anybody can create an arbitrary number of identities Byzantine fault tolerance won t work Solution: Nakamoto Consensus using Proof of Work

68 68 Proof of Work Alice Charlie Bob Dora

69 69 Proof of Work Alice Charlie Bob Dora

70 70 Proof of Work Who gets to propose next block? We cannot vote or use PBFT because of Sybil Attacks. Let s have a lottery!

71 71 Proof of Work Analogy Everyone repeatedly: Scratch off ticket If ticket is a winning ticket, get to send my block to everyone This process is called mining M a e in k c blo

72 72 Proof of Work X H(previous block) X can be freely chosen

73 73 Proof of Work H ( X ) = Y H(previous block) X can be freely chosen Y is number on scratch-off ticket Y is a winning number if it starts with 10 zeros Output of H uniformly random: 2-10 success probability

74 74 Proof of Work H ( X ) = Y H(previous block) Output of H uniformly random: 2-10 success probability Work: Need to try (in expectation) 2 10 different values of X Can verify that somebody did the work with a single computation of H

75 75 Proof of Work H ( X ) = Y H(previous block) What is motivation for doing work? Miner gets to propose new block Miner earns $$$

76 76 Proof of Work H (. Tip Miner 1$. Tip Miner.7$. Tip Miner.4$ X PKMiner ) = Y What is motivation for doing work? Miner gets to propose new block Miner earns $$$ H(previous block)

77 77 Proof of Work H (. Tip Miner 1$. Tip Miner.7$. Tip Miner.4$ X PKMiner ) = Y Mining is resistant to Sybil Attack: H(previous block) Computers & electricity cost real money! Economic rather than absolute protection: Attack is possible, but expensive

78 78 Proof of Work Alice Charlie Bob Dora

79 79 Proof of Work Alice Charlie Bob Dora PKDora

80 80 Proof of Work Alice Charlie Bob Dora PKDora

81 81 Proof of Work Alice Charlie Bob Dora PKDora

82 82 Proof of Work Owner Balance Counter PKDora $5 Owner Balance Counter PKDora $5 Alice Charlie Bob Owner Balance Counter PKDora $5 Dora PKDora

83 83 Proof of Work Owner Balance Counter PKDora $10 Owner Balance Counter PKDora $10 Alice Charlie Bob Owner Balance Counter PKDora $10 Dora PKDora

84 84 Forks PKAlice PKDora

85 85 Forks??? Bob PKAlice PKDora

86 86 Forks??? PKAlice PKDora Bob Choose longer fork If both forks have same length: Randomly choose one fork and work with that

87 87 Forks Bob Bob chooses Alice s fork PKAlice PKDora

88 88 Forks PKAlice PKDora Bob Bob chooses Alice s fork Others choose Dora s fork. Now Dora s fork grows faster Everyone switches to Dora s fork

89 89 Forks PKAlice PKDora Bob Bob chooses Alice s fork Others choose Dora s fork. Now Dora s fork grows faster Everyone switches to Dora s fork

90 90 Forks PKAlice PKDora Bob Transaction can be undone if it is in dead fork Need to wait for a few blocks to be sure that transaction was included

91 91 Nakamoto Consensus Assumption: At least 51% of the hash power (= work rate) is controlled by honest parties Honest chain grows fastest In practice: Need to adjust number of leading zeros required for winning ticket so that block interval doesn t change. Bitcoin as of yesterday: need 72 (!) leading zeros. In expectation, need to compute 4.7E21 hashes to find winner!

92 92 Censorship Resistance Assumption: At least 51% of the hash power (= work rate) is controlled by honest parties Honest chain grows fastest If Alice wants to censor Bob s transactions, she can. But Alice controls less than 51% of hash power. Other parties will mine Bob s transaction. Bob s transaction will be included after a few blocks with very high probability.

93 93 Proof of Waste? This averages out to a shocking 215 kilowatt-hours (KWh) of juice used by miners for each Bitcoin transaction (there are currently about 300,000 transactions per day). That means that, at a minimum, worldwide Bitcoin mining could power the daily needs of 821,940 average American homes. Source: One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week, motherboard.vice.com, Nov 1

94 94 Summary Malicious Centralized Bank can claim unauthorized transactions were authorized Use digital signatures Malicious Centralized Bank can mess with history Use blockchain Malicious Centralized Bank can censor users Build decentralized blockchain

95 95 Summary Permissioned blockchain is resistant to sybil attack Can use highly efficient BFT protocols Process tens of thousands of transactions every second Not fully decentralized

96 96 Summary Unpermissioned blockchain suffers from sybil attack Use Nakamoto Consensus with Proof of Work Deal with forks Mining is wasteful, throughput is low

97 97 (Future) Improvements Better privacy zk-snarks (Zcash) Ring Signatures (Monero) Better programmability Smart Contracts (Ethereum) Less wasted energy Proof-of-Stake (Coming soon to a blockchain near you?)

98 98 Recommended Reading Bitcoin: A Peer-to-Peer Electronic Cash System by Satoshi Nakamoto Bitcoin and Cryptocurrency Technologies: A Comprehensive Introduction by Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, and Steven Goldfeder